# Measured Boolean Function Nonlinearity in Feistel Cipher Constructions

## Terry Ritter

Nonlinearity is the number of bits which must change in the truth table of a Boolean function to reach the closest affine function, and thus is a measure of one kind of cipher strength. By measuring the nonlinearity of Feistel constructions with various numbers of rounds and tables, we hope to gain insight into how Feistel mixing compares to other alternatives.

```From: ritter@io.com (Terry Ritter)
Newsgroups: sci.crypt
Subject: Measured Nonlinearity in Feistel Constructions (LONG!)
Date: Thu, 26 Feb 1998 06:39:28 GMT
Lines: 846
Message-ID: <34f50e19.599891@news.io.com>

MEASURED NONLINEARITY IN FEISTEL CONSTRUCTIONS

Terry Ritter
Ritter Software Engineering
http://www.io.com/~ritter/

1998-02-25

Abstract

Nonlinearity is the number of bits which must change in the truth
table of a Boolean function to reach the closest affine function,
and thus is a measure of one kind of cipher strength.  By measuring
the nonlinearity of Feistel constructions with various numbers of
rounds and tables, we hope to gain insight into how Feistel mixing
compares to other alternatives.

Introduction

The ideal block cipher is a keyed simple substitution table of
sufficient size.  Unfortunately, with 128-bit blocks, there would
be 2**128 entries in that table, which is completely out of the
question.  So the modern block cipher is a *construction* intended
to *simulate* a keyed substitution of the desired size.  At issue
is the effectiveness of the construction technology.  One way to
investigate this is by using Boolean function theory, since a
substitution table -- or cipher -- can be considered a set of
independent Boolean functions, one for each output bit.

A Boolean function produces a single-bit result for each possible
combination of values from perhaps many Boolean variables.  The
*nonlinearity* of a Boolean function is the Hamming distance to
the closest affine function [e.g., PIE88, PIE89, PIE89B].  (Also
see:

http://www.io.com/~ritter/ARTS/MEASNONL.HTM

).  That is, nonlinearity is the number of bits which must change
in the truth table of a Boolean function to reach the closest affine
function.  If "linearity" is considered a significant cryptographic
weakness, nonlinearity is an explicit measure of the *lack* of that
weakness.  So nonlinearity measures one form of cipher "strength."

For cryptographic purposes, it is desired to take the nonlinearity
of a substitution table to be the *minimum* of the nonlinearity
values for each output bit in that table.  Nonlinearity is measured
by forming the (one-bit-wide) truth table for a particular output
bit, then performing a Fast Walsh-Hadamard Transform (FWT) on that
array.  Each result value is essentially a correlation count to a
particular affine function, and the minimum distance (the maximum
correlation) is found by scanning the transform results.

In measuring nonlinearity, it is generally necessary to record the
function result for each possible combination of input variables.
If we have an "8-bit" table, we must record and then transform
256 elements, and if we have a "16-bit" table, we must record and
transform 64K elements.  Thus, measuring large functions rapidly
becomes impossible.  So, although we cannot hope to measure the
nonlinearity of a real 64-bit or 128-bit block cipher, we *can*
measure nonlinearity in substitution tables and small block
constructions.  Here we deal with 5-bit tables and the resulting
10-bit blocks.

Ideal Nonlinearity Distributions

By properly shuffling tables using a large-state cryptographic RNG
(in particular:

http://www.io.com/~ritter/KEYSHUF.HTM

) we can sample or construct a presumably uniform distribution of
different table arrangements.  We can measure the nonlinearity of
each table, and accumulate the results.  For 5-bit tables, we get
a nonlinearity distribution something like that shown in Figure 1.

Nonlinearity Distribution in 5-Bit Tables   Fig. 1

0.7 |              *
0.6 |              *
0.5 |              *
0.4 |              *
0.3 |              *
0.2 |           *  *
0.1 |           *  *  *
0.0 |           *  *  *
Prob +--+--+--+--+--+--+--
0  2  4  6  8 10   Nonlinearity

Our block cipher construction problem essentially involves using
small random tables (here 5-bit tables with 32 entries and a mean
nonlinearity of 7.8) to somehow emulate a table which is twice as
wide (here a 10-bit table with 1024 entries and a mean nonlinearity
of 447.7).

For 10-bit tables, we get a nonlinearity distribution
something like that in Figure 2.

Nonlinearity Distribution in 10-Bit Tables   Fig. 2

0.2   |
0.175 |                    *  *
0.15  |                    *  *  *
0.125 |                 *  *  *  *
0.1   |              *  *  *  *  *
0.075 |              *  *  *  *  *  *
0.05  |        *  *  *  *  *  *  *  *
0.025 |     *  *  *  *  *  *  *  *  *  *
0.00  |  *  *  *  *  *  *  *  *  *  *  *
Prob  +--+--+--+--+--+--+--+--+--+--+--+--+--
436   440   444   448   452   456   Nonlinearity

Feistel Mixing

The classic Feistel construction of Figure 3 is a way of mixing
two small blocks into a large block.  Here, + is the exclusive-OR
function.  As used in the U.S. Data Encryption Standard (DES),
L and R are each 32 bits; here we have only 5 bits in each.

Feistel Construction   Fig. 3

L          R
|          |
|--> F --> +    round 1
|          |
+ <-- F <--|    round 2
|          |
v          v
L'         R'

In DES, ideal properties for F are much-discussed topics.  The
Feistel construction itself supports the ability to encipher and
decipher using a random function F, not necessarily a permutation.
But the 8 different "S-boxes" used in DES *are* permutations, if
we see each as a set of 4 permutations per box, so using random
permutations in Feistel mixing is not at all unreasonable.  And by
using permutation tables as components we have a single compatible
measure both for the component tables and the simulated larger table,
and thus can draw conclusions about the construction.  Invertible
tables also support a direct comparison to earlier work on
nonlinearity with respect to Mixing and VSBC constructions.

Unlike the earlier work, the decision to use random invertible
substitutions for function F still leaves us with a couple of
remaining parameters:  The number of rounds, and the number of
tables.  Here we investigate the mixing obtained from the Feistel
construction with two variations:  The use of a single table for
various numbers of rounds, and the use of a new random table on
every other round, for various numbers of rounds.

Feistel Mixing and DES

Unfortunately, the Feistel construction is *not* the only form
of mixing found in DES.  Indeed, the practicality of the Feistel
construction depends upon having (that is, *constructing*) a wide
function F.  And while F *might* be realized as a recursive
sequence of smaller Feistel constructions, any such structure
would be impractically slow.  So the very existence of practical
Feistel ciphers depends upon the construction of a random function
F which itself mixes and diffuses information across its width.

In each DES "S-box," the outside input bits (b0 and b5) -- which
are set by expansion "E" -- just select which of the 4 boxes to use.
This is a data-dependent dynamic table selection which is, in itself,
a form of mixing.  Of course, the simple combination of expansion "E"
and the array of "S-boxes" by themselves probably would not produce
good mixing:  A single bit-change at one end of the input block
could propagate no faster than one table per round, *if* all data
were kept aligned.  But this is not the case, since "Permutation P"
transposes the data bits.  So, other than the dynamic table selection
(the two extra inputs for each S-box), function F is itself a classic
substitution-permutation design.

This means that the overall mixing in DES is a complex combination
of the Feistel construction *plus* the expansion, table-selection,
table lookup and permutation in each round.  This complexity makes
it difficult to independently extract the importance and consequences
of each feature, as we surely must if we are to deeply understand
the design.  This confluence of multiple features also makes it
impossible to scale DES to a tiny testable size.  Thus, we seem
to be limited to testing a tiny Feistel construction -- which *is*
scalable -- instead of a tiny DES.

Feistel Mixing with Random Tables

A common assumption about Feistel mixing is that some fixed small
set of optimized tables will be used repeatedly.  This concept
presumably comes from DES.  But in the special context of DES:

1.  DES S-boxes each contain 4 separate *permutations*,
and are *not* random constructions; and

2.  The DES permutations are only 4 bits wide, and 4-bit-wide
permutations are just about the weakest possible tables
that have any nonlinear strength at all.

Accordingly, it should come as no surprise that replacing DES
S-boxes with random tables is not a good idea.  And random 4-bit
permutations are often weak, so this is *also* not a good idea.

In marked contrast, random 8-permutations are almost *never* that
weak (the chance of finding even one linear output is 1 in 2**239).
It thus appears that the assumption that random tables are
necessarily bad is based on the special context of DES, and is not
valid in general.

Comparisons to Mixing and VSBC Constructions

Earlier nonlinearity measurement experiments on tiny Mixing (

http://www.io.com/~ritter/ARTS/MIXNONLI.HTM

) and VSBC (

http://www.io.com/~ritter/ARTS/VSBCNONL.HTM

) constructions also used random tables, thus potentially making
it possible to see how Feistel mixing compares.

Unfortunately, the comparison is not exact, because both the Mixing
and VSBC constructions do in some sense mix multiple tables in a
single mixing level.  With Feistel mixing, we would normally think
of multiple "rounds" of mixing, rather than having several tables
in each round.  DES does of course manage this, but does not give
us a scalable rule which we could use to build a tiny version with
multiple tables.  And even in the best possible situation we would
be looking at the experimental measurement of a 16-bit simulated
table, for which it would be very difficult to collect an accurate
ideal distribution.

So, given the limitations of reality, the first thing we might want
to look at is the nonlinearity measure from Feistel mixing with a
single table, under a varying the number of rounds.  Then we might
look at using multiple tables, again for a varying number of rounds.

The Experiments

We construct 10,000 random 5-bit tables, which are then used in
10-bit Feistel constructions.  Each of these constructions is
measured for nonlinearity, and the result accumulated.

While Figure 2 gives a general idea of the desired distribution, we
eventually want to use a chi-square comparison, for which we need
an ideal reference distribution.  The ideal model in Figure 4 is
thus constructed from three different 15-hour trials of 1,000,000
random 10-bit tables each, with the counts reduced by a factor of
100 and rounded to an integer.

The Ideal 10-Bit Nonlinearity Distribution   Fig. 4

NL     Trial 1   Trial 2   Trial 3     Ideal

462           0         1         0         0
460          55        75        55         1
458        2145      2269      2234        22
456       20537     20938     20882       208
454       76259     76344     75980       763
452      148847    148135    148510      1485
450      188329    187802    187585      1878
448      177775    178208    178616      1782
446      140283    140219    140407      1403
444       97415     97317     97465       974
442       61999     62282     62213       622
440       37829     37685     37382       376
438       21675     21789     21753       218
436       12417     12320     12408       124
434        6826      6818      6912        68
432        3740      3693      3584        37
430        1912      2050      1884        19
428         979      1043      1073        10
426         490       537       526         5
424         249       241       265         2
422         119       133       143         1
420          64        55        69         0
418          26        25        30         0
416          12        14        12         0
414           9         5         6         0
412           3         2         4         0
410           0         0         1         0

In each experimental trial, we first initialize the substitutions
from a random key.  This produces a particular 10-bit cipher -- a
simulated 10-bit simple substitution.  We then traverse the complete
transformation -- all 1024 possible data values -- and collect all
1024 10-bit ciphertext results.  We then traverse all 10 ciphertext
bit-columns, one-by-one, and perform a nonlinearity computation on
each.  The minimum nonlinearity value found across all columns is
accumulated into the growing distribution.

We see the results for 2 rounds of Feistel mixing in Figure 5.

Feistel Nonlinearity Distribution
One Table, Two Rounds   Fig. 5

NL     Expect     Found

64         0         2
128         0        78
192         0      1494
256         0      7387
320         0      1039

Clearly, 2 Feistel mixing rounds do not approximate the nonlinearity
distribution from random substitutions, so we move on to 4 rounds
as in Figure 6.

Feistel Nonlinearity Distribution
One Table, Four Rounds   Fig. 6

NL     Expect     Found

224         0         1
312         0        56
320         0         1
344         0         1
352         0        35
364         0         1
368         0         8
384         0       696
388         0         3
392         0       187
396         0         2
400         0        11
404         0        15
406         0         3
408         0        13
410         0         2
412         0        38
414         0         2
416         0      1709
418         0         4
420         0        66
422         1        11
424         2       126
426         5        13
428        10       256
430        19        20
432        37       780
434        68        51
436       124       660
438       218       109
440       376      3566
442       622        70
444       974       589
446      1403        91
448      1782       639
450      1878        43
452      1485       107
454       763        12
456       208         2
458        22         1
460         1         0
462         0         0

Again, the is pretty brutal: So even four Feistel mixing rounds do
not approximate random substitutions.  And neither do six (Figure 7),
eight (Figure 8), ten (Figure 9) or twelve (Figure 10):

Feistel Nonlinearity Distribution
One Table, Six Rounds   Fig. 7

NL     Expect     Found

296         0         1
316         0         1
324         0         1
332         0         1
336         0         2
352         0         1
372         0         1
384         0         2
388         0         3
392         0         1
394         0         1
396         0         2
398         0         1
400         0         3
402         0         1
404         0        10
406         0         0
408         0        23
410         0         2
412         0        22
414         0         6
416         0        22
418         0        14
420         0        46
422         1        25
424         2        85
426         5        21
428        10       114
430        19        70
432        37       192
434        68       138
436       124       386
438       218       269
440       376       641
442       622       662
444       974      1197
446      1403      1238
448      1782      1612
450      1878      1394
452      1485      1151
454       763       492
456       208       133
458        22        13
460         1         0
462         0         0

Feistel Nonlinearity Distribution
One Table, Eight Rounds   Fig. 8

NL     Expect     Found

346         0         1
370         0         1
372         0         1
402         0         2
404         0         3
406         0         3
408         0         6
410         0         1
412         0         6
414         0        10
416         0        17
418         0        18
420         0        30
422         1        36
424         2        38
426         5        53
428        10        74
430        19        95
432        37       137
434        68       194
436       124       261
438       218       406
440       376       519
442       622       808
444       974      1080
446      1403      1365
448      1782      1569
450      1878      1527
452      1485      1063
454       763       519
456       208       136
458        22        21
460         1         0
462         0         0

Feistel Nonlinearity Distribution
One Table, Ten Rounds   Fig. 9

NL     Expect     Found

362         0         1
396         0         1
398         0         2
400         0         1
402         0         1
404         0         0
406         0         4
408         0         3
410         0        10
412         0        10
414         0        11
416         0        28
418         0        16
420         0        25
422         1        39
424         2        63
426         5        63
428        10        78
430        19       116
432        37       155
434        68       247
436       124       314
438       218       380
440       376       584
442       622       811
444       974      1034
446      1403      1353
448      1782      1556
450      1878      1428
452      1485      1046
454       763       480
456       208       126
458        22        14
460         1         0
462         0         0

Feistel Nonlinearity Distribution
One Table, Twelve Rounds   Fig. 10

NL     Expect     Found

398         0         1
400         0         3
402         0         2
404         0         2
406         0         6
408         0         4
410         0         8
412         0        12
414         0        13
416         0        12
418         0        30
420         0        23
422         1        34
424         2        64
426         5        62
428        10        96
430        19       113
432        37       179
434        68       234
436       124       327
438       218       462
440       376       597
442       622       797
444       974      1054
446      1403      1347
448      1782      1467
450      1878      1450
452      1485      1011
454       763       450
456       208       128
458        22        12
460         1         0
462         0         0

The twelve rounds with a fixed table of Figure 10 is about as good
as it gets.  The distribution from a single table never gets close
enough to the ideal distribution to make a chi-square computation
reasonable.

Feistel Mixing with Random Multiple Tables

On the other hand, things improve if we have a new table every couple
of rounds (Figure 11).  (There would seem to be little advantage in
having a unique table for each round, since only half of the block
would be affected by that table.)

Feistel Nonlinearity Distribution
Two Tables, Four Rounds   Fig. 11

NL     Expect     Found

320         0         3
352         0        39
360         0         2
364         0         1
368         0         6
382         0         1
384         0       156
386         0         1
388         0         3
390         0         0
392         0       225
394         0         1
396         0         4
398         0         1
400         0         6
402         0         1
404         0        13
406         0         3
408         0        22
410         0         4
412         0        42
414         0         2
416         0      1951
418         0         3
420         0        81
422         1         5
424         2       143
426         5        13
428        10       276
430        19        29
432        37       853
434        68        47
436       124       788
438       218        90
440       376      3175
442       622        98
444       974       805
446      1403       130
448      1782       833
450      1878        33
452      1485        95
454       763        10
456       208         5
458        22         1
460         1         0
462         0         0

While hardly ideal, we can see that the results in Figure 11
are somewhat better than the same number of rounds with a single
table (Figure 6).  But things perk up rather nicely with three
tables and six rounds as shown in Figure 12.

Feistel Nonlinearity Distribution
Three Tables, Six Rounds   Fig. 12

NL     Expect     Found       Chi-Sq   DF

420         0         0      }
422         1         3      }
424         2         3      }
426         5         3      }
428        10        10      }  0.056   0
430        19        13         1.950   1
432        37        40         2.194   2
434        68        59         3.385   3
436       124       123         3.393   4
438       218       200         4.879   5
440       376       381         4.946   6
442       622       633         5.140   7
444       974       990         5.403   8
446      1403      1390         5.523   9
448      1782      1780         5.526  10
450      1878      1952         8.441  11
452      1485      1441         9.745  12
454       763       754         9.851  13
456       208       208         9.851  14
458        22        17      }
460         1         0      }
462         0         0      } 11.417  15

With 15 "degrees of freedom," the chi-square value of 11.417 in
Figure 11 is very believable.  The critical chi-square values for
DF = 15 are given in Figure 13.

Chi-Square Critical Values, for DF = 15   Fig. 13

1%        5%       25%       50%       75%       95%       99%
5.2293    7.2609   11.0365   14.3389   18.2451   24.9958   30.5779

And another couple of rounds with yet another table continues the
success story in Figure 14.

Feistel Nonlinearity Distribution
Four Tables, Eight Rounds   Fig. 14

NL     Expect     Found       Chi-Sq   DF

410         0         1      }
412         0         0      }
414         0         0      }
416         0         0      }
418         0         1      }
420         0         2      }
422         1         2      }
424         2         1      }
426         5         4      }
428        10        10      }  0.500   0
430        19        19         0.500   1
432        37        30         1.824   2
434        68        65         1.957   3
436       124       119         2.158   4
438       218       222         2.232   5
440       376       375         2.234   6
442       622       634         2.466   7
444       974       982         2.532   8
446      1403      1365         3.561   9
448      1782      1750         4.135  10
450      1878      1928         5.467  11
452      1485      1504         5.710  12
454       763       750         5.931  13
456       208       212         6.008  14
458        22        23      }
460         1         1      }
462         0         0      }  6.052  15

While the chi-square value of 6.052 may seem small, this means the
distribution is close to the ideal.  When comparing distributions,
we are rarely worried about a chi-square value that seems "too
good," for the alternative is far *less* believable:  Either we
have had the good luck of sampling a close distribution so it looks
better than it should, or we have had the absolutely unbelievable
luck of sampling a fundamentally different distribution so it looks
not just good, but actually *too* good.  Thus, these tests are
basically "one-tail" statistical tests.

Conclusions

Feistel mixing seeks to produce a block cipher which is double
the size of a smaller "block cipher" component; in this respect,
it is similar to the Mixing constructions measured earlier.  When
using a single fixed table, it appears that Feistel mixing is
never good enough, no matter how many rounds are applied.  But
even 6 rounds of Feistel mixing with 3 *different* tables
apparently does approximate the nonlinearity of a larger
substitution table.

These experiments show an ultimately successful result using random
invertible tables.  Thus, the experiments give no indication that
Feistel mixing requires the ideal tables that so much of the
literature seems directed at producing.  In contrast to the unending
search for the qualities of an ideal table, it appears that we can
produce an effective Feistel cipher by choosing tables "at random"
(that is, we can construct tables based on the cipher key).  Note
that Differential and Linear Cryptanalysis style attacks generally
depend upon knowledge of the contents of the tables, knowledge
which is unavailable when keyed tables are used.

When compared to the Mixing and VSBC constructions investigated
previously, the problem with Feistel mixing is that, by itself, it
only doubles the size of the nonlinear component, and we assume
that repeated doubling requires exponential effort:  That is, if
6 Feistel rounds are required to take random 8-bit tables to a
16-bit emulated table, 6 rounds of the emulation (36 total
rounds) should be required to get a 32-bit table, and 216 total
rounds should be required for a 64-bit cipher.  (It would be
interesting to check these assumptions on modern fast equipment.)

Now, we know that DES (an emulated 64-bit table) does *not* require
exponential effort.  But Feistel mixing is *not* the only form of
mixing in DES.  We avoid addressing the other structures, because
they do not scale well, and because we wish to examine each
contribution as independently as possible.

Here we have measured the Feistel mixing alone, which we assume
requires effort exponential with the block size.  In contrast,
Mixing constructions require only effort proportional to n log n,
and VSBC constructions require only effort linear with block size.
Thus, these alternative constructions offer the possibility of
far more efficient cryptographic mixing.

References and Bibliography

[AY82]  Ayoub, F.  1982.  Probabilistic completeness of
substitution-permutation encryption networks.  IEE Proceedings,
Part E.  129(5): 195-199.

[DAE94]  Daemen, J., R. Govaerts and J. Vandewalle.  1994.
Correlation Matrices.  Fast Software Encryption.  275-285.

[FOR88]  Forre, R.  1988.  The Strict Avalanche Criterion:
Spectral Properties of Boolean Functions and an Extended
Definition.  Advances in Cryptology -- CRYPTO '88.  450-468.

[GOR82]  Gordon, J. and H. Retkin.  1982.  Are Big S-Boxes Best?
Cryptography.  Proceedings of the Workshop on Cryptography,
Burg Feuerstein, Germany, March 29-April 2, 1982.  257-262.

[HEY94]  Heys, H. and S. Tavares.  1994.  On the security of the
CAST encryption algorithm.  Canadian Conference on Electrical and
Computer Engineering.  Halifax, Nova Scotia, Canada, Sept. 1994.
332-335.

[HEY95]  Heys, H. and S. Tavares.  1995.  Known plaintext
cryptanalysis of tree-structured block ciphers.  Electronics
Letters.  31(10): 784-785.

[MEI89]  Meier, W. and O. Staffelbach.  1989.  Nonlinearity Criteria
for Cryptographic Functions.  Advances in Cryptology --
Eurocrypt '89.  549-562.

[MIR97]  Mirza, F.  1997.  Linear and S-Box Pairs Cryptanalysis
of the Data Encryption Standard.

[OC91]  O'Connor, L.  1991.  Enumerating nondegenerate permutations.
Advances in Cryptology -- Eurocrypt '91.  368-377.

[OC93]  O'Connor, L.  1993.  On the Distribution Characteristics in
Bijective Mappings.  Advances in Cryptology -- EUROCRYPT '93.
360-370.

[PIE88]  Pieprzyk, J. and G. Finkelstein. 1988.  Towards effective
nonlinear cryptosystem design.  IEE Proceedings, Part E.
135(6): 325-335.

[PIE89]  Pieprzyk, J. and G. Finkelstein.  1989.  Permutations
that Maximize Non-Linearity and Their Cryptographic Significance.
Computer Security in the Age of Information.  63-74.

[PIE89B]  Pieprzyk, J.  1989.  Non-linearity of Exponent Permutations.
Advances in Cryptology -- EUROCRYPT '89. 80-92.

[PIE93]  Pieprzyk, J., C. Charnes and J. Seberry.  1993.  Linear
Approximation Versus Nonlinearity.  Proceedings of the Workshop on
Selected Areas in Cryptography (SAC '94).  82-89.

[PRE90]  Preneel, B., W. Van Leekwijck, L. Van Linden, R. Govaerts
and J. Vandewalle.  1990.  Propagation Characteristics of Boolean
Functions.  Advances in Cryptology -- Eurocrypt '90.  161-173.

[RUE86]  Rueppel, R.  1986.  Analysis and Design of Stream Ciphers.
Springer-Verlag.

[XIO88]  Xiao, G-Z. and J. Massey.  1988.  A Spectral Characterization
of Correlation-Immune Combining Functions.  IEEE Transactions on
Information Theory.  34(3): 569-571.

[YOU95]  Youssef, A. and S. Tavares.  1995.  Resistance of Balanced
S-boxes to Linear and Differential Cryptanalysis.  Information
Processing Letters.  56: 249-252.

[YOU95B]  Youssef, A. and S. Tavares.  1995.  Number of Nonlinear
Regular S-boxes.  Electronics Letters.  31(19): 1643-1644.

[ZHA95]  Zhang, X. and Y. Zheng.  1995.  GAC -- the Criterion for
Global Avalanche Characteristics of Cryptographic Functions.
Journal for Universal Computer Science.  1(5): 316-333.

---
Terry Ritter   ritter@io.com   http://www.io.com/~ritter/
The Crypto Glossary:  http://www.io.com/~ritter/GLOSSARY.HTM

```

Also see: Measured Nonlinearity in Variable Size Block Ciphers (1998) (29K),
Measuring Nonlinearity by Walsh Transform (1998) (20K), and
Measured Nonlinearity in Mixing Constructions (1997) (25K).

Terry Ritter, his current address, and his top page.

Last updated: 1998-02-26