Keywords

1 Introduction

Boolean functions are basic combinatorial objects that map a set of fixed size bitstrings to a single output bit. Notwithstanding their simplicity, such functions find countless applications in many diverse fields of computer science and mathematics [5]. In cryptography, Boolean functions have long been used to design low-level primitives in symmetric ciphers, such as combiners and filters for linear feedback shift registers [2]. The rationale is that the resilience of these ciphers against different cryptanalytic attacks can be reduced to the cryptographic properties of the underlying Boolean functions. For example, a Boolean function used in the combiner model for Vernam stream ciphers should be at a high Hamming distance from the set of affine functions to resist fast-correlation attacks, or equivalently it should possess a high nonlinearity [21]. At the same time, the output of the function should be statistically independent from any subset of t or fewer variables, to resist correlation attacks of order t: in other words, the Boolean functions should be correlation immune of high order t [24].

The literature related to the cryptographic applications of cellular automata (CA) features a solid body of works investigating the properties of the involved Boolean functions. For example, it has been shown that Wolfram’s pseudorandom number generator (PRNG) based on a simple one-dimensional CA is unsuitable for cryptographic purposes, as the underlying local rule 30 is not first-order correlation immune and does not have a high enough nonlinearity [20]. This allows to apply respectively Meier and Staffelbach’s correlation attack [22] and Koc and Apohan’s inversion attack [12] to efficiently recover the initial configuration of Wolfram’s PRNG. Following this research thread, a few subsequent works [6, 14] focused on the search of local rules with a larger diameter and a better trade-off of nonlinearity and correlation immunity. Some of these rules with better properties have then been adopted in the design of CA-based stream ciphers such as CARPENTER and PENTAVIUM [8, 13].

The correlation immunity criterion also gained relevance in recent years concerning a different type of attacks, namely side-channel analysis (SCA). Instead of focusing on the mathematical design of a cipher as classical cryptanalysis does, SCA targets the implementation of a cipher on a device. In particular, the aim of SCA is to exploit leakages on side-channel sources such as electromagnetic emanations, timings, and variations of voltages to infer the secret key used to encrypt a message on the device. One of the options to counteract these attacks is Boolean masking, where noise is added to the intermediate values computed by the cipher during the encryption process, changing them from one execution to the other. In this respect, correlation immune functions of high order t and low Hamming weight (i.e., with as few 1s as possible in the output of their truth tables) can be used to implement masking countermeasures, such as leakage squeezing and rotation S-box masking [3, 23], which have minimal implementation overhead and optimal resistance towards SCA attacks of order t.

Contrasting with the large number of works related to the study of the cryptographic properties of CA—be it at the local rule level as mentioned above, or by considering them as S-boxes as in [17, 19]—there seems to be comparatively a smaller literature dedicated to the exploration of CA as a means to construct side-channel countermeasures. To the best of our knowledge, the works by Karmarkar and Roy Chowdury [9,10,11] are the only ones addressing the design of leakage squeezing countermeasures through hybrid CA. There, the authors remark that there exist several methods to design linear codes with hybrid CA by leveraging the techniques in [4], which can be readily used to implement a leakage squeezing countermeasure. However, they also argue that the linearity of such codes introduces other weaknesses, and thereby set out to study the cryptographic properties of nonlinear hybrid CA for leakage squeezing.

The goal of this paper is to investigate how cellular automata may be used to design correlation immune functions of low weight. To this end, we use a construction of mutually orthogonal CA (MOCA), i.e., a family of CA giving rise to a set of mutually orthogonal Latin squares (MOLS), recently introduced in [16]. In particular, we exploit the well-known fact that any set of MOLS is equivalent to an orthogonal array (OA) of strength 2. Then, taking any set of MOCA, we prove that the corresponding binary expansion is a binary OA of strength at least 2, leveraging on the MOCA characterization as orthogonal labelings on de Bruijn graphs. This result allows us to use the expanded binary OA of a MOCA family as the support of a Boolean function with correlation immunity order at least 2. We then perform a computational search experiment to generate all families of 3 MOCA defined by local rules of diameter \(d=4,5\), and construct the corresponding Boolean functions. Interestingly, all generated functions turn out to have correlation immunity order at least 3, indicating that our theoretical result is not a tight lower bound. Although the Hamming weight reached by our correlation immune functions is far from optimal, we discuss how it could be improved by solving an associated optimization problem. The objective in this case is to remove a subset of rows from the binary expansion of a MOCA family while retaining the correlation immunity order of the resulting function.

The rest of this paper is organized as follows. Section 2 collects all necessary background definitions and results related to Boolean functions, cellular automata, Latin squares and orthogonal arrays used in this work. Section 3 proves the main theoretical result of the paper, i.e., that the binary expansion of a set of MOCA is the support of a Boolean function with correlation immunity order at least 2. Section 4 presents the results of the computational search experiment for families of \(k=3\) MOCA, giving rise to Boolean functions of up to \(n=12\) variables. Finally, Sect. 5 recaps the main contributions of this paper, and discusses some directions for future research.

2 Preliminary Definitions

In this section, we recall all relevant definitions to describe our results in the remainder of the paper. We start with basic concepts and results of Boolean functions, and how correlation immune functions can be characterized by orthogonal arrays. Then, we give a formal definition of the CA model used in our work, and describe the CA-based construction of mutually orthogonal Latin squares of [16].

2.1 Boolean Functions and Orthogonal Arrays

As a general reference, we follow Carlet’s recent book on Boolean functions [2].

Let \(\mathbb {F}_2 = \{0,1\}\) be the finite field with two elements, with sum and multiplication defined respectively as the XOR (denoted by \(\oplus \)) and logical AND (denoted by concatenation). For any \(n \in \mathbb {N}\), the set \(\mathbb {F}_2^n\) of all n-bit bitstrings is endowed with the structure of a vector space, with vector sum defined as bitwise XOR, and multiplication by a scalar \(a \in \mathbb {F}_2\) being the field multiplication of a with each coordinate of a vector \(x \in \mathbb {F}_2^n\). Given two vectors \(x, y \in \mathbb {F}_2^n\), their Hamming distance \(d_H(x,y)\) is the number of coordinates where x and y disagree, while their scalar product is defined as \(x \cdot y = \bigoplus _{i=1}^n x_iy_i\). The support of a vector \(x \in \mathbb {F}_2^n\) is the set \(supp(x) = \{i: x_i \ne 0\}\), and its Hamming weight \(w_H(x)\) is the cardinality of supp(x). Equivalently, \(w_H(x)\) corresponds to the Hamming distance \(d_H(x,\underline{0})\) between x and the null vector \(\underline{0} \in \mathbb {F}_2^n\). In practice, the Hamming weight is the number of nonzero coordinates in x.

For all \(n \in \mathbb {N}\), a Boolean function of n variables is a mapping \(f: \mathbb {F}_2^n \rightarrow \mathbb {F}_2\). The most straightforward way to represent f is by means of its truth table. Suppose that a total order is fixed on the vectors of \(\mathbb {F}_2^n\) (e.g., the lexicographic order). Then, the truth table of f is the vector \(\varOmega _f \in \mathbb {F}_2^{2^n}\) defined as:

$$\begin{aligned} \varOmega _f = ( f(0,\ldots ,0), f(0,\ldots ,1), \ldots , f(1,\ldots ,1)) . \end{aligned}$$
(1)

In other words, the truth table is the \(2^n\)-bit vector that specifies for each input vector \(x \in \mathbb {F}_2^n\) in lexicographic order the corresponding output value f(x). Similarly to what we defined above for binary vectors, the support of f is the set \(supp(f) = \{x \in \mathbb {F}_2^n: f(x) \ne 0\}\), while its Hamming weight is \(w_H(f) = |supp(f)|\). Equivalently, support and weight of f are defined respectively as the set of nonzero coordinates and the size of such set in the truth table \(\varOmega _f\).

Another method to represent a Boolean function usually adopted in cryptography is the Walsh transform. Given \(f: \mathbb {F}_2^n \rightarrow \mathbb {F}_2\), the Walsh transform of f is the function \(W_f: \mathbb {F}_2^n \rightarrow \mathbb {Z}\) defined for all \(a \in \mathbb {F}_2^n\) as:

$$\begin{aligned} W_f(a) = \sum _{x \in \mathbb {F}_2^n} (-1)^{f(x) \oplus a\cdot x} . \end{aligned}$$
(2)

Intuitively, \(W_f(a)\) measures the correlation between f and the linear function defined by the scalar product \(a \cdot x\). The Walsh transform is useful to assess several cryptographic properties of f, among which correlation immunity is of special interest for this paper. A Boolean function \(f: \mathbb {F}_2^n \rightarrow \mathbb {F}_2\) is correlation immune of order \(1 \le t \le n\) if any subset of \(1 \le k \le t\) input variables is statistically independent from the output of f. This property has an equivalent characterization through the Walsh transform (originally due to Xiao and Massey [27]): f is t-th order correlation immune if and only if \(W_f(a) = 0\) for all coefficients \(a \in \mathbb {F}_2^n\) of Hamming weight k, with \(1 \le k \le t\).

Correlation immunity plays an important role in the context of correlation attacks on stream ciphers based on the combiner model [24]. More recently, this criterion also gained relevance for designing masking countermeasures to withstand side-channel analysis. In this case, the goal is to find a t-th order correlation immune function to resist SCA attacks of order t. At the same time, it is desirable that this function has the lowest Hamming weight possible, to have an efficient implementation of the masking countermeasure.

Beside the Walsh transform, correlation immune functions have also a nice combinatorial characterization in terms of orthogonal arrays. Formally, an orthogonal array of N runs, k factors, s levels and strength t (denoted as an OA(Nkst)) is a \(N\times k\) array with entries from a set S with s elements such that, for any \(N\times t\) subarray, each t-uple of \(S^t\) occurs exactly \(\lambda = N/s^t\) times [7]. The value \(\lambda \) is also called the index of the OA, and is completely determined by the other parameters. The link between binary OA (i.e., with \(s=2\) levels) and correlation immune functions is given by the following result proved in [1]:

Lemma 1

A Boolean function \(f: \mathbb {F}_2^n \rightarrow \mathbb {F}_2\) is correlation immune of order t if and only if its support \(supp(f) = \{x \in \mathbb {F}_2^n: f(x) \ne 0\}\) is an OA(Nn, 2, t).

In other words, one can reduce the design of n-variable, t-th order correlation immune Boolean functions for SCA masking countermeasures to the search of binary OA of n factors and strength t. The requirement of minimizing the Hamming weight of the function corresponds to the minimization of the number of runs N in the OA. Once such an OA has been found, one can define the corresponding correlation immune function f by taking the runs of the OA as the vectors in the support of f.

2.2 Cellular Automata and Latin Squares

In this work, we use cellular automata (CA) as a particular kind of vectorial Boolean functions, which we formally define below:

Definition 1

Let \(n,d \in \mathbb {N}\) with \(d \le n\), and let \(f: \mathbb {F}_2^d \rightarrow \mathbb {F}_2\) be a d-variable Boolean function. A cellular automaton of length n, diameter d and local rule f is a mapping \(F: \mathbb {F}_2^n \rightarrow \mathbb {F}_2^{n-d+1}\) defined for all \(x \in \mathbb {F}_2^n\) as:

$$\begin{aligned} F(x_1,\ldots ,x_n) = (f(x_1,\ldots , x_d),f(x_2,\ldots , x_{d+1}),\ldots ,f(x_{n-d+1},\ldots ,x_n)) . \end{aligned}$$
(3)

Intuitively, each output coordinate \(i \in \{1,\ldots ,n-d+1\}\) of the CA F is determined by evaluating f on the local neighborhood \((x_i,\ldots ,x_{i+d-1})\). Remark that the output is smaller than the input: indeed, we can apply f as long as there are enough neighboring coordinates to the right of the current output cell i. Therefore, we do not enforce any boundary conditions on the CA state, as it is commonly done in the CA literature. This means that the CA cannot be iterated for multiple time steps, but this issue does not concern us since we are interested only in the single-step application of F. This model is also called no-boundary CA in related works [16, 19].

We now introduce the basic concepts related to Latin squares to recall the main results of [16]. For all \(n \in \mathbb {N}\), let us denote by \([n] = \{1,\ldots , n\}\) the set of the first n natural numbers. A Latin square of order n is a \(n \times n\) matrix L such that each row and each column of L is a permutation of [n]. Equivalently, this means that each number from 1 to n occurs exactly once in each row and in each column of L. Then, two Latin squares \(L_1,L_2\) of order n are called orthogonal if their superposition yields all pairs in the Cartesian product \([n] \times [n]\). Formally, for any distinct pairs of coordinates \((i_1,j_1), (i_2,j_2) \in [n] \times [n]\), one has:

$$\begin{aligned} (L_1(i_1,j_1),L_2(i_1,j_1)) \ne (L_1(i_2,j_2),L_2(i_2,j_2)) . \end{aligned}$$
(4)

A set of k Latin squares \(L_1,\ldots ,L_k\) of order n that are pairwise orthogonal is also called a set of k-MOLS (mutually orthogonal Latin squares). The construction of MOLS is a rich research line in the combinatorial designs literature, and finds several applications in cryptography, coding theory and statistics [25]. Interestingly, k-MOLS of order n are also equivalent to orthogonal arrays with \(N = n^2\) runs, k factors, n levels and strength 2. Indeed, one can construct an OA(Nkn, 2) from a set of k-MOLS by “linearizing” each Latin square as a column of the OA: for each \(i \in [k]\), the i-th column of the OA corresponds to the Latin square \(L_i\) in the MOLS set, with its entries listed in lexicographic order.

The authors of [16] proposed a method to construct sets of k-MOLS from cellular automata, by focusing on the subclass of bipermutive rules. Formally, a local rule \(f: \mathbb {F}_2^d \rightarrow \mathbb {F}_2\) is called bipermutive if it is defined as \(f(x_1,\ldots , x_d) = x_1 \oplus \varphi (x_2,\ldots ,x_{d-1}) \oplus x_d\) for all \(x \in \mathbb {F}_2^d\), where \(\varphi : \mathbb {F}_2^{d-2} \rightarrow \mathbb {F}_2\) is any function of the \(d-2\) central variables. Then, one can construct a Latin square \(L_F\) of order \(n = 2^{d-1}\) from a CA \(F: \mathbb {F}_2^{2(d-1)} \rightarrow \mathbb {F}_2^{d-1}\) as follows:

  1. 1.

    The left half of the CA input \((x_1,\ldots ,x_{d-1})\) is used to index the rows of \(L_F\).

  2. 2.

    The right half \((x_d,\ldots ,x_{2(d-1)})\) is used to index the columns of \(L_F\).

  3. 3.

    The output \(F(x_1,\ldots ,x_{2(d-1)})\) of the CA is used as the entry indexed respectively by the coordinates \((x_1,\ldots ,x_{d-1})\) and \((x_d,\ldots ,x_{2(d-1)})\).

Clearly, the procedure above assumes that a bijective mapping \(\phi : \mathbb {F}_2^{d-1} \rightarrow [n]\) is used to convert the binary vectors of \(\mathbb {F}_2^{d-1}\) in numbers from 1 to \(2^{d-1}\), and vice versa. The authors of [16] focused on the construction of MOLS from bipermutive CA by further focusing on the class of linear rules. Here, however, we will consider the general setting of MOLS defined by generic bipermutive CA. In particular, we define two bipermutive CA \(F_1,F_2: \mathbb {F}_2^{2(d-1)} \rightarrow \mathbb {F}_2^{d-1}\) to be orthogonal (or equivalently they are OCA) if the corresponding Latin squares are orthogonal. Accordingly, a family of k pairwise orthogonal bipermutive CA \(F_1,\ldots , F_k\) will be called a set of k-MOCA (mutually orthogonal cellular automata).

3 Construction of Correlation Immune Functions

We now prove our main result, namely that a set of k-MOCA can be used to define a binary OA of strength at least 2. This will allow us, in turn, to construct correlation immune functions of order at least 2. To this end, let us first review the concept of coupled de Bruijn graph introduced in [18], which will be useful in our proof.

Recall that a de Bruijn graph of order b over a set S of m symbols is defined as \(G_{m,b} = (V,E)\), where \(V = S^b\), while two vertices \(u,v \in V\) are connected by a directed edge if and only if they overlap respectively on the rightmost and leftmost \(b-1\) coordinates. Assume now that \(S = \mathbb {F}_2\), and let \(b = d-1\). A local rule \(f: \mathbb {F}_2^d \rightarrow \mathbb {F}_2\) of diameter d can be represented as a labeling function \(l_f: E \rightarrow \mathbb {F}_2\) on the edges of \(G_{2,b}\). In particular, for each pair \((u,v) \in E\), we set \(l(u,v) = f(u \odot v)\), where \(u \odot v \in \mathbb {F}_2^d\) represents the fusion of u and v as defined in [26]. In other words, \(u \odot v\) is the d-variable vector formed by adding the last coordinate of v to u. Then, it can be seen that the output of a CA equipped with rule f corresponds to a path on the edges of the associated de Bruijn graph, following the overlapping vertices that form a particular input. Remark that if f is bipermutive, then the labels of the outgoing (respectively, ingoing) edges of any vertex \(v \in V\) form a permutation of \(\mathbb {F}_2\). This implies that one can traverse the edges in both directions, and that the CA is surjective.

Suppose now that we have two labelings \(l_f,l_g: E \rightarrow \mathbb {F}_2\) defined by bipermutive rules \(f,g: \mathbb {F}_2^d \rightarrow \mathbb {F}_2\). We call the corresponding graph as the coupled de Bruijn graph associated to f and g, since each label is now a pair of bits \((f(u \odot v), g(u \odot v))\) for each edge \((u,v) \in E\). We call two bipermutive labelings \(l_f,l_g\) orthogonal if for each pair of vectors \((x,y) \in \mathbb {F}_2^{b}\) there exists exactly one path on the edges of the coupled de Bruijn graph that is labelled by (xy). It is not difficult to see that this is an equivalent characterization of orthogonal CA. We formally state this fact below, since it will become useful later in our proof:

Lemma 2

Let \(d \in \mathbb {N}\) with \(b = d-1\), and \(f,g: \mathbb {F}_2^d \rightarrow \mathbb {F}_2\) be two bipermutive rules of diameter d. Then, the CA \(F,G: \mathbb {F}_2^{2b} \rightarrow \mathbb {F}_2^b\) respectively equipped with rule f and g are orthogonal if and only if the labelings on the coupled de Bruijn graph of f and g are orthogonal.

To fix ideas, let \(d=3\), and assume that the two bipermutive local rules are \(f(x_1,x_2,x_3) = x_1 \oplus x_3\) and \(g(x_1,x_2,x_3) = x_1 \oplus x_2 \oplus x_3\) (respectively rules 90 and 150 in Wolfram’s notation). The two rules induce orthogonal CA with Latin squares of order \(2^2 = 4\), and the corresponding coupled de Bruijn graph is depicted in Fig. 1. One can see that the two labelings \(l_f,l_g\) defined in the table are indeed bipermutive and orthogonal. In particular, for each of the 16 pairs \((x,y) \in (\mathbb {F}_2^2)^2\) there is exactly one path of length 2 in \(G_{2,2}\) labeled by (xy).

Fig. 1.
figure 1

Example of orthogonal labelings for the de Bruijn graph \(G_{2,2}\) induced by the CA local rules 90 and 150 of diameter \(d=3\).

Full size image

Let \(F_1, F_2, \ldots , F_k: \mathbb {F}_2^{2b} \rightarrow \mathbb {F}_2^{b}\) be a set of k-MOCA respectively defined by local rules \(f_1,\ldots , f_k: \mathbb {F}_2^d \rightarrow \mathbb {F}_2\) of diameter d, with \(b=d-1\). We define the \(N \times n\) array A where \(N = 2^{2b}\) and \(n = kb\) as follows: for each \((x,y) \in \mathbb {F}_2^{2b}\), the row of A indexed by (xy) is equal to:

$$\begin{aligned} A(x,y) = (F_1(x,y), F_2(x,y), \ldots , F_k(x,y)) . \end{aligned}$$
(5)

In other words, A is formed by simply juxtaposing the output of the k MOCA for each possible combination of input \((x,y) \in \mathbb {F}_2^{2b}\). We now prove that this array is an OA of strength 2.

Lemma 3

The array A defined in Eq. (5) is an OA(Nn, 2, 2), where the number of runs is \(N = 2^{2b}\) and the number of factors is \(n=kb\).

Proof

We need to show that in any subset of \(t=2\) columns ij of A each pair of bits \((x_i,x_j) \in \mathbb {F}_2^2\) occurs exactly \(\lambda = N/2^t = 2^{2b-2}\) times. Without loss of generality, we can assume that \(k=2\), since \(F_1, \ldots F_k\) is a family of k-MOCA. Hence, we have two main cases to check for two columns \(i\ne j\):

  1. 1.

    ij belong to the output of the same CA \(F_l\).

  2. 2.

    ij belong to the output of two different CA \(F_l,F_m\) (which are orthogonal).

Let us start from the first case, i.e., i and j are chosen among the columns of the same CA \(F_l\). Let \((\tilde{x}_i, \tilde{x}_j) \in \mathbb {F}_2^2\) be the value of the two bits of which we want to compute the multiplicity of occurrence in columns i and j. Since the two CA \(F_l\) and \(F_m\) are orthogonal, it means that by fixing the output of \(F_m\) to a specific vector \((y_1,\ldots ,y_b) \in \mathbb {F}_2^b\), each possible vector \((x_1,\ldots , x_b) \in \mathbb {F}_2^b\) occurs exactly once as an output of \(F_l\). Suppose now that we fix the i-th and j-th coordinates respectively to \(\tilde{x}_i\) and \(\tilde{x}_j\) in the output of \(F_l\). Since we have \(2^{b-2}\) free coordinates, it follows that the pair \((\tilde{x}_i, \tilde{x}_j)\) occurs \(2^{b-2}\) times if we keep the output of \(F_m\) fixed to \((y_1,\ldots ,y_b)\). If we consider the occurrences of \((\tilde{x}_i, \tilde{x}_j)\) in \(F_l\) across all possible outputs of \(F_m\) we need to multiply \(2^{b-2}\) by \(2^b\), i.e., the number of possible ways to fix the output of \(F_m\). Therefore the total number of occurrences is \(2^{b-2} \cdot 2^b = 2^{2b-2}\).

Suppose now that i and j are columns respectively of \(F_l\) and \(F_m\). If all output coordinates of \(F_l\) and \(F_m\) are fixed respectively to x and \(y \in \mathbb {F}_2^b\), then there exists a single row of A labeled by x and y, since \(F_l\) and \(F_m\) are orthogonal, and by Lemma 2 there is a unique path on the coupled de Bruijn graph labelled by (xy). We proceed by induction on the number of free coordinates in (xy) to show that if we only have two of them fixed, i.e., \(\tilde{x}_i\) and \(\tilde{y}_j\), then there are exactly \(2^{2b-2}\) paths on the de Bruijn graph that feature \(\tilde{x}_i\) and \(\tilde{y}_j\) in those coordinates. As a base case, suppose that we have only one free coordinate in the pair of paths, i.e., all other \(2b-1\) are fixed. Then, since each of the two labelings is bipermutive, it follows that there are exactly 2 paths labelled by the \(2b-1\) fixed coordinates. For the induction step, suppose that there are \( 1 \le p < 2b\) free coordinates, and thus \(2^{p}\) paths labelled by the remaining \(2b-p\) fixed coordinates by induction hypothesis. If we free an additional coordinate, we need to multiply the number of paths with p free coordinates by 2, since each of them can be completed in 2 different ways in the additional free coordinate, due to the bipermutivity of the two rules. Hence, the number of partially labelled paths with \(p+1\) free coordinates is \(2^{p+1}\). If we take the particular case where only 2 coordinates i and j are fixed respectively to \(\tilde{x}_i\) and \(\tilde{y}_j\) (or equivalently, \(2b-2\) are free), it follows that there are \(2^{2b-2}\) paths partially labeled by \(\tilde{x}_i\) and \(\tilde{y_j}\).   \(\square \)

Remark 1

One of the anonymous reviewers correctly remarked that there is a more compact proof for Lemma 3: for the first case, it suffices to observe that the coordinate functions \(f_i\) are all balanced (because of bipermutivity). For the second case, each pair of b-tuples \((x_1,\ldots ,x_b), (y_1,\ldots ,y_b)\) occurs exactly once in each pair of column for two different CA \(F_l, F_m\), because of their orthogonality. Hence, in each pair ij in these tuples the same pair of bits occurs the same number times, since the remaining positions are set freely. We decided however to keep the proof above since it further demonstrates a property of the coupled de Bruijn graph associated to a pair of orthogonal CA: namely, that it is strongly balanced in the sense that any partially labelled path on it occurs the same number of times.

Putting together Lemma 1 and 3, we have thus obtained the following result to construct a second-order correlation immune function from a set of k-MOCA:

Theorem 1

Let \(F_1,\ldots , F_k: \mathbb {F}_2^{2b} \rightarrow \mathbb {F}_2^b\) be a set of k-MOCA of diameter \(d = b+1\), and let \(n = kb\). Then, the n-variable function \(f: \mathbb {F}_2^n \rightarrow \mathbb {F}_2\) whose support is defined by the array A in Eq. (5) is correlation immune of order at least 2. In particular, the Hamming weight of f is \(N=2^{2b}\).

Remark that the case where \(k=2\) trivially gives the constant function \(f(x) = 1\) for all \(x \in \mathbb {F}_2^n\). As a matter of fact, the number of input variables is \(n=kb = 2b\), which means that the truth table of f is composed of \(2^{2b}\) values. At the same time, the number of runs of the OA corresponding to \(k=2\) MOCA is also \(N=2^{2b}\). Therefore, the support of f coincides with its whole truth table. For this reason, in what follows we will address mainly the case where \(k=3\).

4 Computational Search Results

To investigate the construction described in the previous section, we performed an exhaustive search of all k-MOCA for \(k=3\) and \(d=4,5\). In particular, we discarded \(d=3\) since there are no families of 3-MOCA in that case. On the other hand, going for higher values of k and d makes the search space too huge to be exhaustively visited in a limited time. Following Theorem 1, this means that we addressed the construction of correlation immune functions of \(n=9,12\) variables.

We first generated all pairs of OCA (i.e., 2-MOCA) of diameters \(d=4,5\) by using the combinatorial algorithm described in [15]. Then, we incrementally constructed the families of 3-MOCA by exhaustively visiting each of the \(2^{2^{d-2}}\) bipermutive rules of diameter d, and checking that the corresponding Latin squares were orthogonal with each of those in the previously generated lists of OCA. Next, we defined the corresponding Boolean functions of \(n=3b\) variables using Theorem 1, and computed their Walsh transform to verify their order of correlation immunity. Table 1 reports the main results of this computational search experiment. In particular, for each considered diameter (d) the table gives the number of 3-MOCA generated (#3-MOCA), the number of variables (n), the Hamming weight (\(w_H\)), the correlation immunity order (CI) and the number of functions achieving that order (#CI), and the best known lower bound on the Hamming weight for the corresponding order of correlation immunity (Min(\(w_H\))), taken from [2].

Table 1. Classification of correlation immune functions generated by 3-MOCA of diameter \(d \in \{4,5\}\).
Full size table

From the table, one can see that all generated functions actually have a correlation immunity order higher than 2. Indeed, both functions of \(n=9\) variables generated from the 3-MOCA of diameter \(d=4\) have correlation immunity order 3, as well as the majority of functions of \(n=12\) functions obtained from 3-MOCA of diameter \(d=5\). Further, a few functions of \(n=12\) variables obtained from this latter case are even 4-th order correlation immune. This empirical observation suggests that the correlation immunity order proved in Theorem 1 may not be a tight lower bound. Further experiments on larger diameters should be performed to see if this hypothesis holds, or if there exist functions constructed through our methods that are effectively second-order correlation immune. Additionally, one can remark that the Hamming weight of the functions generated through our method are far from the known best lower bounds, reported in the last column of Table 1. Indeed, for \(n=9\) variables we obtain functions of weight 64, while the best lower bound is 20. For \(n=12\) variables the gap is even greater, since the weight of our functions is 256, while the lower bound is 24.

5 Conclusions

In this work, we proposed a method to construct correlation immune Boolean functions from sets of mutually orthogonal cellular automata. Our main theoretical result shows that the binary array formed by juxtaposing the output tables of a set of k MOCA is an orthogonal array of strength 2. Hence, on account of Lemma 1 such an array can be used as the support of a Boolean function with correlation immunity order at least 2. Our exhaustive search experiments on the sets of 3-MOCA defined by rules of diameters \(d=4,5\) show an interesting fact, namely that the resulting Boolean functions always have a higher order of correlation immunity, namely at least 3.

There are several directions along which this work can be extended in future research. The most natural open question remains whether our Theorem 1 is really a tight lower bound on the correlation immunity of the Boolean functions constructed through k-MOCA. If further experiments show that the lowest correlation immunity order is always at least 3, then it would be interesting to try refining Lemma 3, and prove that the binary OA obtained from a set of k-MOCA has always at least strength 3.

A second direction concerns the non-optimal weights of the correlation immune functions generated by our method. Indeed, one possible approach to improve on this aspect would be to adopt the so-called expurgation procedure used in the field of error-correcting codes. In the context of orthogonal arrays, this basically amounts to the removal of a subset of rows, such that the resulting array is still an OA of the same strength (but clearly with a smaller index \(\lambda \)). The choice of the rows to be removed can be conceived as a combinatorial optimization problem, which could be addressed with different optimization algorithms.