Abstract
A set \(S \subseteq {{\mathbb {F}}_{2}^{n}}\) is called degree-d zero-sum if the sum \({\sum }_{s \in S} f(s)\) vanishes for all n-bit Boolean functions of algebraic degree at most d. Those sets correspond to the supports of the n-bit Boolean functions of degree at most n − d − 1. We prove some results on the existence of degree-d zero-sum sets of full rank, i.e., those that contain n linearly independent elements, and show relations to degree-1 annihilator spaces of Boolean functions and semi-orthogonal matrices. We are particularly interested in the smallest of such sets and prove bounds on the minimum number of elements in a degree-d zero-sum set of rank n. The motivation for studying those objects comes from the fact that degree-d zero-sum sets of full rank can be used to build linear mappings that preserve special kinds of nonlinear invariants, similar to those obtained from orthogonal matrices and exploited by Todo, Leander and Sasaki for breaking the block ciphers Midori, Scream and iScream.
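As an added illustration (this is not code from the paper), the definitions in the abstract made executable: a monomial test for the degree-d zero-sum property, an F_2 rank check, the support of a function given by its ANF (to exercise the stated correspondence with functions of degree at most n − d − 1), and a brute-force search for the smallest full-rank degree-d zero-sum set, assuming F(n,d) denotes that minimum as the abstract suggests. All function names and the sample function g are my own choices.

```python
"""Degree-d zero-sum sets over F_2^n (definitions from the abstract).
Vectors are bitmasks: bit i of an int holds coordinate x_i."""
from itertools import combinations


def is_zero_sum(S, n, d):
    """S is degree-d zero-sum iff sum_{s in S} f(s) = 0 for all f of
    degree <= d. Such f are spanned by monomials x^u with wt(u) <= d,
    and x^u(s) = 1 iff u is a sub-mask of s, so it suffices that
    #{s in S : u subset of s} is even for every such u."""
    for u in range(1 << n):
        if bin(u).count("1") <= d:
            if sum(1 for s in S if s & u == u) % 2:
                return False
    return True


def rank_f2(S):
    """Rank over F_2 of the vectors in S (xor-basis Gaussian elimination;
    each stored vector keeps a leading bit absent from later ones)."""
    basis = []
    for v in S:
        for b in basis:
            v = min(v, v ^ b)  # clears b's leading bit from v if set
        if v:
            basis.append(v)
    return len(basis)


def support(monomials, n):
    """Support of the Boolean function whose ANF is the given monomial set."""
    return [s for s in range(1 << n)
            if sum(1 for u in monomials if s & u == u) % 2]


def min_full_rank_zero_sum(n, d):
    """Assumed meaning of F(n,d): least |S| with rank(S) = n and S
    degree-d zero-sum, found exhaustively (tiny n only)."""
    for k in range(n, (1 << n) + 1):
        for S in combinations(range(1 << n), k):
            if rank_f2(S) == n and is_zero_sum(S, n, d):
                return k
    return None


if __name__ == "__main__":
    # Constructed example: g = x0*x1 + x2 on n = 4 bits has degree 2 = n-d-1
    # for d = 1, so supp(g) must be degree-1 zero-sum (here also of full
    # rank); it is not degree-2 zero-sum, since deg g > n-2-1.
    S = support({0b0011, 0b0100}, 4)
    print(S, rank_f2(S), is_zero_sum(S, 4, 1), is_zero_sum(S, 4, 2))
    print(min_full_rank_zero_sum(3, 1), min_full_rank_zero_sum(4, 1))
```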
Notes
By non-trivial we mean that the matrix L is not a permutation matrix.
We only consider matrices with n ≤ m. If \(L \in {\mathbb {F}}_{2}^{n\times m}\) with n > m, L would be defined to be semi-orthogonal if \(L^{\top} L = I_{m}\). Then, L is semi-orthogonal if and only if \(L^{\top}\) is degree-2 sum-invariant.
References
Banik, S., Bogdanov, A., Isobe, T., Shibutani, K., Hiwatari, H., Akishita, T., Regazzoni, F.: Midori: a block cipher for low energy. In: Iwata, T., Cheon, J.H. (eds.) Advances in Cryptology – ASIACRYPT 2015, volume 9453 of Lecture Notes in Computer Science, pp 411–436. Springer, Berlin (2015)
Bannier, A., Filiol, E.: Partition-based trapdoor ciphers. In: Partition-Based Trapdoor Ciphers. InTech (2017)
Boura, C., Canteaut, A.: Another view of the division property. In: Robshaw, M., Katz, J. (eds.) Advances in Cryptology – CRYPTO 2016, volume 9814 of Lecture Notes in Computer Science, pp 654–682. Springer, Berlin (2016)
Camion, P., Carlet, C., Charpin, P., Sendrier, N.: On correlation-immune functions. In: Feigenbaum, J. (ed.) Advances in Cryptology – CRYPTO ’91, volume 576 of Lecture Notes in Computer Science, pp 86–100. Springer, Berlin (1991)
Carlet, C.: Boolean functions for cryptography and error correcting codes. In: Crama, Y., Hammer, P. (eds.) Boolean Methods and Models. Cambridge University Press, Cambridge (2007)
Courtois, N.: Feistel schemes and bi-linear cryptanalysis. In: Franklin, M. (ed.) Advances in Cryptology – CRYPTO 2004, volume 3152 of Lecture Notes in Computer Science, pp 23–40. Springer, Berlin (2004)
Grosso, V., Leurent, G., Standaert, F.-X., Varici, K.: LS-designs: bitslice encryption for efficient masked software implementations. In: Cid, C., Rechberger, C. (eds.) Fast Software Encryption, volume 8540 of Lecture Notes in Computer Science, pp 18–37. Springer, Berlin (2015)
Harpes, C., Kramer, G.G., Massey, J.L.: A generalization of linear cryptanalysis and the applicability of Matsui’s piling-up lemma. In: Guillou, L.C., Quisquater, J.-J. (eds.) Advances in Cryptology – EUROCRYPT’95, volume 921 of Lecture Notes in Computer Science, pp 24–38. Springer, Berlin (1995)
Hedayat, A., Sloane, N., Stufken, J.: Orthogonal Arrays. Springer Series in Statistics. Springer, New York (1999)
Hedayat, A., Wallis, W.: Hadamard matrices and their applications. Ann. Stat. 6(6), 1184–1238 (1978)
Kasami, T., Tokura, N.: On the weight structure of Reed-Muller codes. IEEE Trans. Inf. Theory 16(6), 752–759 (1970)
Kasami, T., Tokura, N., Azumi, S.: On the weight enumeration of weights less than 2.5d of Reed-Muller codes. Inf. Control. 30(4), 380–395 (1976)
Knudsen, L.R., Robshaw, M.J.B.: Non-linear approximations in linear cryptanalysis. In: Maurer, U. (ed.) Advances in Cryptology – EUROCRYPT’96, volume 1070 of Lecture Notes in Computer Science, pp 224–236. Springer, Berlin (1996)
Lai, X.: Higher order derivatives and differential cryptanalysis. In: Blahut, R.E., Costello, D.J., Maurer, U., Mittelholzer, T. (eds.) Communications and Cryptography. The Springer International Series in Engineering and Computer Science (Communications and Information Theory), volume 276, pp 227–233. Springer, Boston (1994)
MacWilliams, F.J., Sloane, N.J.A.: The Theory of Error-Correcting Codes, vol. 16. Elsevier, North-Holland (1977)
Matsui, M.: Linear cryptanalysis method for DES cipher. In: Helleseth, T. (ed.) Advances in Cryptology – EUROCRYPT’93, volume 765 of Lecture Notes in Computer Science, pp 386–397. Springer, Berlin (1994)
Meier, W., Pasalic, E., Carlet, C.: Algebraic attacks and decomposition of boolean functions. In: Cachin, C., Camenisch, J. (eds.) Advances in Cryptology – EUROCRYPT 2004, volume 3027 of Lecture Notes in Computer Science, pp 474–491. Springer, Berlin (2004)
Patarin, J., Goubin, L.: Asymmetric cryptography with s-boxes. In: Han, Y., Okamoto, T., Qing, S. (eds.) Information and Communication Security, volume 1334 of Lecture Notes in Computer Science, pp 369–380. Springer, Berlin (1997)
Phelps, K.T., Rifà, J., Villanueva, M.: Hadamard codes of length \(2^{t} s\) (s odd). Rank and kernel. In: Fossorier, M.P.C., Imai, H., Lin, S., Poli, A. (eds.) Applied Algebra, Algebraic Algorithms and Error-Correcting Codes, volume 3857 of Lecture Notes in Computer Science, pp 328–337. Springer, Berlin (2006)
Rijmen, V., Preneel, B.: A family of trapdoor ciphers. In: Biham, E. (ed.) Fast Software Encryption, volume 1267 of Lecture Notes in Computer Science, pp 139–148. Springer, Berlin (1997)
Siegenthaler, T.: Correlation-immunity of nonlinear combining functions for cryptographic applications. IEEE Trans. Inf. Theory 30(5), 776–780 (1984)
Todo, Y.: Structural evaluation by generalized integral property. In: Oswald, E., Fischlin, M. (eds.) Advances in Cryptology – EUROCRYPT 2015, volume 9056 of Lecture Notes in Computer Science, pp 287–314. Springer, Berlin (2015)
Todo, Y., Leander, G., Sasaki, Y.: Nonlinear invariant attack. In: Cheon, J., Takagi, T. (eds.) Advances in Cryptology – ASIACRYPT 2016, volume 10032 of Lecture Notes in Computer Science, pp 3–33. Springer, Berlin (2016)
Todo, Y., Leander, G., Sasaki, Y.: Nonlinear invariant attack: practical attack on full SCREAM, iSCREAM, and Midori64. J. Cryptol. 32(4), 1383–1422 (2019)
Acknowledgements
We thank Claude Carlet and the anonymous reviewers for their helpful comments. The work of Christof Beierle was done while he was affiliated with the University of Luxembourg and was funded by the SnT Cryptolux RG budget. The work of Aleksei Udovenko was funded by the Fonds National de la Recherche Luxembourg (project reference 9037104).
Appendix: Values and bounds for F(n,d)
In the following table we describe known exact values or known bounds of F(n,d) for \(n \in \{2,\dots ,30\}\) and \(d \in \{1,\dots ,10\}\). The exact values come from Propositions 7, 8 and 12. The lower bounds come from Propositions 11 and 9. The upper bounds come from Proposition 10. We remark that for F(2d + 5,d) the upper bound is obtained by using a slightly different construction. We use the same diagonal construction but fill the free space with 1s. Consider the matrix \({\widehat {\mathbb {M}_{S}}}\) given by
where \(S_{1} \in {\text {ZS}}_{{(d+1)}\times {F(d+1,d)}}^{d}, S_{2} \in {\text {ZS}}_{{(d+4)}\times {F(d+4,d)}}^{d}\) and both \(\widehat {\mathbb {M}_{S_{1}}},\widehat {\mathbb {M}_{S_{2}}}\) contain a column (1,…, 1) so that two columns repeat in \({\widehat {\mathbb {M}_{S}}}\). Note that the row span of S1 does not contain a row (1,…, 1) and thus \(\text {rank}({\widehat {\mathbb {M}_{S}}})=\text {rank}(\widehat {\mathbb {M}_{S_{1}}})+\text {rank}(\widehat {\mathbb {M}_{S_{2}}})=2d+5\). The columns of \({\widehat {\mathbb {M}_{S}}}\) form a zero-sum set from \({\text {ZS}}_{{(2d+5)}\times {(5\cdot 2^{d}-2)}}^{d}\).
Beierle, C., Biryukov, A. & Udovenko, A. On degree-d zero-sum sets of full rank. Cryptogr. Commun. 12, 685–710 (2020). https://doi.org/10.1007/s12095-019-00415-0
Keywords
- Boolean function
- Annihilator
- Orthogonal matrix
- Nonlinear invariant
- Trapdoor cipher
- Symmetric cryptography