On degree-d zero-sum sets of full rank

  • Christof BeierleEmail author
  • Alex Biryukov
  • Aleksei Udovenko


A set \(S \subseteq {{\mathbb {F}}_{2}^{n}}\) is called degree-d zero-sum if the sum \({\sum }_{s \in S} f(s)\) vanishes for all n-bit Boolean functions of algebraic degree at most d. Those sets correspond to the supports of the n-bit Boolean functions of degree at most nd − 1. We prove some results on the existence of degree-d zero-sum sets of full rank, i.e., those that contain n linearly independent elements, and show relations to degree-1 annihilator spaces of Boolean functions and semi-orthogonal matrices. We are particularly interested in the smallest of such sets and prove bounds on the minimum number of elements in a degree-d zero-sum set of rank n. The motivation for studying those objects comes from the fact that degree-d zero-sum sets of full rank can be used to build linear mappings that preserve special kinds of nonlinear invariants, similar to those obtained from orthogonal matrices and exploited by Todo, Leander and Sasaki for breaking the block ciphers Midori, Scream and iScream.


Boolean function Annihilator Orthogonal matrix Nonlinear invariant Trapdoor cipher Symmetric cryptography 

Mathematics Subject Classification (2010)

05B20 06E30 94A60 



We thank Claude Carlet and the anonymous reviewers for their helpful comments. The work of Christof Beierle was done while he was affiliated with the University of Luxembourg and was funded by the SnT Cryptolux RG budget. The work of Aleksei Udovenko was funded by the Fonds National de la Recherche Luxembourg (project reference 9037104).


  1. 1.
    Banik, S., Bogdanov, A., Isobe, T., Shibutani, K., Hiwatari, H., Akishita, T., Regazzoni, F.: Midori: a block cipher for low energy. In: Iwata, T., Cheon, J.H. (eds.) Advances in Cryptology – ASIACRYPT 2015, volume 9453 of Lecture Notes in Computer Science, pp 411–436. Springer, Berlin (2015)Google Scholar
  2. 2.
    Bannier, A., Filiol, E.: Partition-based trapdoor ciphers. In: Partition-Based Trapdoor Ciphers. InTech (2017)Google Scholar
  3. 3.
    Boura, C., Canteaut, A.: Another view of the division property. In: Robshaw, M., Katz, J. (eds.) Advances in Cryptology - CRYPTO 2016, volume 9814 of Lecture Notes in Computer Science, pp 654–682. Springer, Berlin (2016)Google Scholar
  4. 4.
    Camion, P., Carlet, C., Charpin, P., Sendrier. N.: On correlation-immune functions. In: Feigenbaum, J. (ed.) Advances in Cryptology - CRYPTO ’91, volume 576 of Lecture Notes in Computer Science, pp 86–100. Springer, Berlin (1991)Google Scholar
  5. 5.
    Carlet, C.: Boolean functions for cryptography and error correcting codes. In: Crama, Y., Hammer, P. (eds.) Boolean Methods and Models. Cambridge University Press, Cambridge (2007)Google Scholar
  6. 6.
    Courtois, N.: Feistel schemes and bi-linear cryptanalysis. In: Franklin, M. (ed.) Advances in Cryptology – CRYPTO 2004, volume 3152 of Lecture Notes in Computer Science, pp 23–40. Springer, Berlin (2004)Google Scholar
  7. 7.
    Grosso, V., Leurent, G., Standaert, F.-X., Varici, K.: LS-designs: bitslice encryption for efficient masked software implementations. In: Cid, C., Rechberger, C. (eds.) Fast Software Encryption, volume 8540 of Lecture Notes in Computer Science, pp 18–37. Springer, Berlin (2015)Google Scholar
  8. 8.
    Harpes, C., Kramer, G.G., Massey, J.L.: A generalization of linear cryptanalysis and the applicability of Matsui’s piling-up lemma. In: Guillou, L.C., Quisquater, J.-J. (eds.) Advances in Cryptology – EUROCRYPT’95, volume 921 of Lecture Notes in Computer Science, pp 24–38. Springer, Berlin (1995)Google Scholar
  9. 9.
    Hedayat, A., Sloane, N., Stufken, J.: Orthogonal Arrays. Springer Series in Statistics. Springer, New York (1999)CrossRefGoogle Scholar
  10. 10.
    Hedayat, A., Wallis, W.: Hadamard matrices and their applications. Ann. Stat. 6(6), 1184–1238 (1978)MathSciNetCrossRefGoogle Scholar
  11. 11.
    Kasami, T., Tokura, N.: On the weight structure of Reed-Muller codes. IEEE Trans. Inf. Theory 16(6), 752–759 (1970)MathSciNetCrossRefGoogle Scholar
  12. 12.
    Kasami, T., Tokura, N., Azumi, S.: On the weight enumeration of weights less than 2.5d of Reed-Muller codes. Inf. Control. 30(4), 380–395 (1976)MathSciNetCrossRefGoogle Scholar
  13. 13.
    Knudsen, L.R., Robshaw, M.J.B.: Non-linear approximations in linear cryptanalysis. In: Maurer, U. (ed.) Advances in Cryptology – EUROCRYPT’96, volume 1070 of Lecture Notes in Computer Science, pp 224–236. Springer, Berlin (1996)Google Scholar
  14. 14.
    Lai, X.: Higher order derivatives and differential cryptanalysis. In: Blahut, R.E., Costello, D.J., Maurer, U., Mittelholzer, T. (eds.) Communications and Cryptography. The Springer International Series in Engineering and Computer Science (Communications and Information Theory), volume 276, pp 227–233. Springer, Boston (1994)Google Scholar
  15. 15.
    MacWilliams, F. J., Sloane, N.J.A.: The Theory of Error-Correcting Codes, vol. 16. Elsevier, North-Holland (1977)zbMATHGoogle Scholar
  16. 16.
    Matsui, M.: Linear cryptanalysis method for DES cipher. In: Helleseth, T. (ed.) Advances in Cryptology – EUROCRYPT’93, volume 765 of Lecture Notes in Computer Science, pp 386–397. Springer, Berlin (1994)Google Scholar
  17. 17.
    Meier, W., Pasalic, E., Carlet, C.: Algebraic attacks and decomposition of boolean functions. In: Cachin, C., Camenisch, J. (eds.) Advances in Cryptology – EUROCRYPT 2004, volume 3027 of Lecture Notes in Computer Science, pp 474–491. Springer, Berlin (2004)Google Scholar
  18. 18.
    Patarin, J., Goubin, L.: Asymmetric cryptography with s-boxes. In: Han, Y., Okamoto, T., Qing, S. (eds.) Information and Communication Security, volume 1334 of Lecture Notes in Computer Science, pp 369–380. Springer, Berlin (1997)Google Scholar
  19. 19.
    Phelps, K.T., Rifà, J., Villanueva, M.: Hadamard codes of length 2ts (s odd). Rank and kernel. In: Fossorier, M.P.C., Imai, H., Lin, S., Poli, A. (eds.) Applied Algebra, Algebraic Algorithms and Error-Correcting Codes, volume 3857 of Lecture Notes in Computer Science, pp 328–337. Springer, Berlin (2006)Google Scholar
  20. 20.
    Rijmen, V., Preneel, B.: A family of trapdoor ciphers. In: Biham, E. (ed.) Fast Software Encryption, volume 1267 of Lecture Notes in Computer Science, pp 139–148. Springer, Berlin (1997)Google Scholar
  21. 21.
    Siegenthaler, T.: Correlation-immunity of nonlinear combining functions for cryptographic applications. IEEE Trans. Inf. Theory 30(5), 776–780 (1984)MathSciNetCrossRefGoogle Scholar
  22. 22.
    Todo, Y.: Structural evaluation by generalized integral property. In: Oswald, E., Fischlin, M. (eds.) Advances in Cryptology - EUROCRYPT 2015, volume 9056 of Lecture Notes in Computer Science, pp 287–314. Springer, Berlin (2015)Google Scholar
  23. 23.
    Todo, Y., Leander, G., Sasaki, Y.: Nonlinear invariant attack. In: Cheon, J., Takagi, T. (eds.) Advances in Cryptology – ASIACRYPT 2016, volume 10032 of Lecture Notes in Computer Science, pp 3–33. Springer, Berlin (2016)Google Scholar
  24. 24.
    Todo, Y., Leander, G., Sasaki, Y.: Nonlinear invariant attack: practical attack on full SCREAM, iSCREAM, and Midori64. J. Cryptol. 32(4), 1383–1422 (2019)MathSciNetCrossRefGoogle Scholar

Copyright information

© Springer Science+Business Media, LLC, part of Springer Nature 2019

Authors and Affiliations

  1. 1.Ruhr-Universität BochumBochumGermany
  2. 2.SnT and CSCUniversité du Luxembourg, Maison du NombreEsch-sur-AlzetteLuxembourg
  3. 3.SnTUniversité du Luxembourg, Maison du NombreEsch-sur-AlzetteLuxembourg

Personalised recommendations