On degree-d zero-sum sets of full rank

Abstract

A set \(S \subseteq {{\mathbb {F}}_{2}^{n}}\) is called degree-d zero-sum if the sum \({\sum }_{s \in S} f(s)\) vanishes for all n-bit Boolean functions of algebraic degree at most d. Those sets correspond to the supports of the n-bit Boolean functions of degree at most n − d − 1. We prove some results on the existence of degree-d zero-sum sets of full rank, i.e., those that contain n linearly independent elements, and show relations to degree-1 annihilator spaces of Boolean functions and semi-orthogonal matrices. We are particularly interested in the smallest of such sets and prove bounds on the minimum number of elements in a degree-d zero-sum set of rank n. The motivation for studying those objects comes from the fact that degree-d zero-sum sets of full rank can be used to build linear mappings that preserve special kinds of nonlinear invariants, similar to those obtained from orthogonal matrices and exploited by Todo, Leander and Sasaki for breaking the block ciphers Midori, Scream and iScream.

Appendix: Values and bounds for F(n,d)

In the following table we describe known exact values or known bounds of F(n,d) for \(n \in \{2,\dots ,30\}\) and \(d \in \{1,\dots ,10\}\). The exact values come from Propositions 7, 8 and 12. The lower bounds come from Propositions 11 and 9. The upper bounds come from Proposition 10. We remark that for F(2d + 5,d) the upper bound is obtained by using a slightly different construction. We use the same diagonal construction but fill the free space with 1s. Consider the matrix \({\widehat {\mathbb {M}_{S}}}\) given by

$$ {\mathbb{M}}_{S} = \left[\begin{array}{c|c} {\mathbb{M}}_{S_{1}} & \begin{array}{c}1~\ldots~1 \\ {\vdots} \\ 1~\ldots~1 \end{array} \\ \begin{array}{c}1~\ldots~1 \\ {\vdots} \\ 1~\ldots~1 \end{array} & {\mathbb{M}}_{S_{2}} \end{array} \right], $$

where \(S_{1} \in {\text {ZS}}_{{(d+1)}\times {F(d+1,d)}}^{d}, S_{2} \in {\text {ZS}}_{{(d+4)}\times {F(d+4,d)}}^{d}\) and both \(\widehat {\mathbb {M}_{S_{1}}},\widehat {\mathbb {M}_{S_{2}}}\) contain a column (1,…, 1) so that two columns repeat in \({\widehat {\mathbb {M}_{S}}}\). Note that the row span of S₁ does not contain a row (1,…, 1) and thus \(\text {rank}({\widehat {\mathbb {M}_{S}}})=\text {rank}(\widehat {\mathbb {M}_{S_{1}}})+\text {rank}(\widehat {\mathbb {M}_{S_{2}}})=2d+5\). The columns of \({\widehat {\mathbb {M}_{S}}}\) form a zero-sum set from \({\text {ZS}}_{{(2d+5)}\times {(5\cdot 2^{d}-2)}}^{d}\).