1 Introduction and motivation

The algebraic degree is an important parameter of Boolean functions used in cryptography. A Boolean function f in n variables can be uniquely represented in ANF (algebraic normal form), i.e. as a polynomial in n variables over \(\mathbb {F}_2\) (the binary field) of degree at most one in each variable. The degree of this polynomial is called the algebraic degree of f. Ciphers which can be represented (or approximated) as functions of low degree are vulnerable to attacks such as higher order differential attacks.

When the ANF of f is not given explicitly (e.g. f is a composition of functions, or is given as a “black box”) and depends on a large number of variables, it may not be feasible to compute its degree exactly. Instead, we aim to estimate the degree using probabilistic tests.

The coefficient of a particular monomial \(x_{i_1}\cdots x_{i_k}\) of degree k in the ANF of f can be computed by summing the values of f over the vector space generated by the k vectors \(\textbf{e}_{i_1}, \ldots , \textbf{e}_{i_k}\) in the canonical basis. This method, sometimes called the Moebius transform, has many applications in cryptography and coding theory; in cryptanalysis it was used to detect and exploit non-randomness features of the number of monomials of a given degree (see [3, 5, 10, 12]).

One could use the Moebius transform to estimate the degree of a function as follows: pick a monomial of degree k, compute its coefficient in f and test whether it is zero. If it is not, then we know that \(\deg (f) \ge k\). If we run this test for several monomials of degree k and all the computed coefficients are zero, then we conclude that f probably has degree strictly less than k. The probability of finding a monomial of degree k (and correctly concluding \(\deg (f) \ge k\)) in one run of the test is equal to the proportion of monomials of degree k that have non-zero coefficients in f. Therefore, this method has the shortcoming that if f has degree at least k but only has a very small number of monomials of degree k, then one might incorrectly classify f as having degree less than k, as illustrated in the following example:

Example 1

The function \(f(x_1,\ldots , x_9) =x_1x_2x_3 + x_4x_5x_6 \oplus x_7x_8x_9\) has only 3 out of the \(\left( {\begin{array}{c}9\\ 3\end{array}}\right) = 84\) possible monomials of degree 3 in 9 variables. Assume we run the test based on the Moebious transform, to search for monomials of degree 3. Each run of the test has a probability of only \(\frac{3}{84}\approx 0.0357\) to detect a monomial. After running the test 9 times, for example, we have still a rather high probability of \((1-\frac{3}{84})^9 \approx 0.72\) that no monomial of degree 3 has been detected yet by the test, and therefore we might wrongly conclude that \(\deg (f) < 3\). It is only after running the test 82 times that the probability of wrongly concluding that \(\deg (f) < 3\) decreases to 0.05.

In this paper we generalise this idea. The intuition behind our proposed method to test whether \(\deg (f) < k\) is that even if a function f has a very small number of monomials of degree k, after applying a random affine invertible change of variables to f (the degree of f being invariant to such changes of variables), the number of monomials of degree k is likely to be high and therefore it will be easier to probabilistically detect their existence. The aim is that the test should perform reasonably well for all functions.

We will call our proposed test the \(\deg (f)<k\) test and define it as follows. Pick \(u_0, u_1,\ldots , u_k \in \mathbb {F}_2^n\) and check whether the sum of the values of f over the affine space \(u_0 \oplus \langle u_1, \ldots , u_k \rangle \) is zero. Again, given a function f we run the test several times. If it passes all these tests we conclude that \(\deg (f)<k\), otherwise we conclude \(\deg (f)\ge k\). A function f of degree less than k will always pass this test (there are no false negatives). A function of degree k or more will sometimes fail and sometimes pass the test, depending on the chosen vectors. We denote by \(\textrm{dt}_k(f)\) the probability of failing this test, taken over all values \(u_0, u_1,\ldots , u_k \in \mathbb {F}_2^n\). This probability determines the probability \((1-\textrm{dt}_k(f))^t\) of wrongly concluding, after t tests, that \(\deg (f)<k\) when in fact \(\deg (f)\ge k\) (false positive). Ideally, \(\textrm{dt}_k(f)\) should not be very low. A very small value of \(\textrm{dt}_k(f)\) would mean that we would need to run the test a very large number of times to obtain a reasonable accuracy.

We initiate the study of the probability \(\textrm{dt}_k(f)\) of failing the \(\deg (f)<k\) test. We consider the case when the degree of f is in fact equal to k (although we would not know the degree beforehand; if we knew it, we would not need to do any test). We prove in Theorem 14 and Corollary 16 that the probability \(\textrm{dt}_k(f)\) satisfies an upper bound of 0.5 and a lower bound of 0.288788... (q-Pochhammer symbol at \((0.5, 0.5, \infty )\)). This means there are no functions with very low probability \(\textrm{dt}_k(f)\), and therefore a small number of runs of the test is sufficient to give, with very high probability, the correct answer. For example, for any polynomial f of degree k we would need to run the test only 9 times to obtain a probability of less than 0.05 that f has been incorrectly classified as being of degree less than k. This is a significant improvement compared to the situation illustrated in Example 1.

We compute and analyse the values of the probability of failing the \(\deg (f)<k\) test for all functions in 8 variables of degree k, using the representatives listed by Hou [6] and by Langevin and Leander [8] (see Section 5).

The study of the probability of failing the \(\deg (f)<k\) test for polynomials of degree strictly higher than k will be the subject of future work.

The probability \(\textrm{dt}_k(f)\) is connected to other existing notions as follows. For \(k=2\), i.e. the \(\deg (f)<2\) test, if we restrict to linear rather than affine spaces, we obtain the usual textbook linearity test \(f(u_1 \oplus u_2) = f(u_1) \oplus f(u_2)\), often called the BLR test. The probability of failing the BLR test was studied in several papers, see for example [1]. In [13], in the context of the cube/AIDA attack, we proposed a linearity test similar to the \(\deg (f)<k\) test above, but fixing a linear space of dimension k and running the \(\deg (f)<m\) test on all its subspaces of dimension m, for all \(2\le m \le k\).

We show in Theorem 8 that the probability of failing the \(\deg (f)<k\) test, when restricted to affine spaces of dimension exactly k, is equal to the average number of monomials of degree k over all the polynomials in the affine equivalence class of f. We propose this average density of monomials of degree k as a new parameter of Boolean functions (see Definition 4). It is somewhat similar to, but distinct from the notion of algebraic thickness defined in [2], see Remark 6.

2 Definitions

We denote by \(\mathbb {F}_2\) the finite field with 2 elements, and by \(\mathbb {F}_2^n\) the n-dimensional vector space over \(\mathbb {F}_2\). Addition in \(\mathbb {F}_2\) and in \(\mathbb {F}_2^n\) will be denoted by \(\oplus \), to distinguish it from \(+\) and \(\sum \) used for addition in \(\mathbb {R}\).

Any function \(f:\mathbb {F}_2^n \rightarrow \mathbb {F}_2\) can be represented in its algebraic normal form (ANF), i.e. as a polynomial function given by a polynomial of degree at most 1 in each variable:

$$\begin{aligned} f(x_1, \ldots , x_n) = \displaystyle \bigoplus _{a_1, \ldots , a_n \in \mathbb {F}_2} b_{(a_1, \ldots , a_n)} x_1^{a_1}\cdots x_n^{a_n}, \end{aligned}$$

with \(b_{(a_1, \ldots , a_n)} \in \mathbb {F}_2\). The degree of this polynomial is called the algebraic degree of f, and here we will call it simply the degree of f and denote it by \(\deg (f)\).

The coefficients of the ANF of f can be computed by the following formula (see, for example, [9, Chapter 13, Theorem 1]), which is sometimes called the Moebius transform:

$$\begin{aligned} b_{(a_1, \ldots , a_n)} = \displaystyle \bigoplus _{x_1 \le a_1, \ldots , x_n \le a_n}f(x_1, \ldots , x_n). \end{aligned}$$
(1)

An equivalent form of this formula can be obtained as follows: let \(\{i_1,i_2,\ldots ,i_k \}\) be the support of a, i.e. \(a_i=1\) if and only if \(i \in \{i_1,i_2,\ldots ,i_k \}\). In other words \(b_{(a_1, \ldots , a_n)}\) is the coefficient of \(x_{i_1}x_{i_2}\cdots x_{i_k}\). Denote by \(\textbf{e}_1, \ldots , \textbf{e}_n\) the canonical basis of \(\mathbb {F}_2^n\), i.e. \(\textbf{e}_i\) has a 1 in position i and zeroes elsewhere. Then

$$\begin{aligned} b_{(a_1, \ldots , a_n)}= & {} \displaystyle \bigoplus _{c_1, \ldots , c_k \in \mathbb {F}_2} f(\displaystyle \bigoplus _{j=1}^{k} c_j \textbf{e}_{i_j})\end{aligned}$$
(2)
$$\begin{aligned}= & {} \displaystyle \bigoplus _{v \in V} f(v) \end{aligned}$$
(3)

where \(V = \langle \textbf{e}_{i_1}, \ldots , \textbf{e}_{i_k}\rangle \) is the \(\mathbb {F}_2\)-vector space generated by \(\textbf{e}_{i_1}, \ldots , \textbf{e}_{i_k}\).

Recall that the number of subspaces of dimension k of \(\mathbb {F}_2^n\) equals the Gaussian binomial coefficient, defined as

$$\begin{aligned} \left( {\begin{array}{c}n\\ k\end{array}}\right) _2 = \frac{(2^n-1)(2^{n-1}-1)\cdots (2^{n-k+1}-1)}{(2^k-1)(2^{k-1}-1)\cdots (2-1)}. \end{aligned}$$

Consider the general linear group \(GL(n,\mathbb {F}_2)\), consisting of the invertible \(n\times n\) matrices over \(\mathbb {F}_2\). For any matrix \(M\in GL(n,\mathbb {F}_2)\) and any \(v\in \mathbb {F}_2^n\) we will denote by \(\varphi _{M}\) and \(\varphi _{M,v}\) the invertible linear, respectively affine transformation of \(\mathbb {F}_2^n\) defined as \(\varphi _{M}(x) = Mx\) and \(\varphi _{M,v}(x) = Mx\oplus v\) respectively. There are \((2^n-1)(2^n-2)\cdots (2^n-2^{n-1})\) invertible linear transformations and \(2^n(2^n-1)(2^n-2)\cdots (2^n-2^{n-1})\) affine ones.

Two functions \(f,g:\mathbb {F}_2^n \rightarrow \mathbb {F}_2\) are called affine equivalent, denoted \(f\sim g\), if \(g = f \circ \varphi _{M,v}\) for some invertible affine transformation \(\varphi _{M,v}\). Recall that the degree is an affine invariant, i.e. if \(f\sim g\) then \(\deg (f) = \deg (g)\).

Later in the paper there will be situations where only the monomials of degree k or more of a polynomial are relevant, and any monomials of lower degree can be ignored. Combining that with affine equivalence, we also define the equivalence relation \(f\sim _{k-1} g\) by saying that \(f\sim _{k-1} g\) if there is a function h such that \(f\sim h\) and \(\deg (g-h)\le k-1\) (i.e. g and h coincide if we ignore any monomials of degree less than k).

3 Degree testing and the degree density

We will define two notions: the “degree less than k” probabilistic test and the “average degree-k monomial density” of a function. We will then examine the relations between them.

Definition 2

Let \(1\le k\le n\) be integers and let \(f:\mathbb {F}_2^n \rightarrow \mathbb {F}_2\) be a function. Given \(u_0, u_1, \ldots , u_k\in \mathbb {F}_2^n\), we will call the test

$$\begin{aligned} \displaystyle \bigoplus _{c_1,\ldots ,c_k \in \mathbb {F}_2} f\left( \left( \displaystyle \bigoplus _{i=1}^{k} c_iu_i\right) \oplus u_0 \right) =0 \end{aligned}$$

the degree less than k test, or \(\deg (f)<k\) test. The probability of f failing this test, taken over all \(u_0, u_1, \ldots , u_k\in \mathbb {F}_2^n\) will be denoted \(\textrm{dt}_k(f)\). In other words

$$\begin{aligned} \textrm{dt}_k(f) = \frac{\mid \{ (u_0, u_1, u_2, \ldots , u_k) \in (\mathbb {F}_2^n)^{k+1} : \displaystyle \bigoplus _{c_1,\ldots ,c_k \in \mathbb {F}_2} f\left( \left( \displaystyle \bigoplus _{i=1}^{k} c_iu_i\right) \oplus u_0 \right) \ne 0\}\mid }{2^{(k+1)n}}. \end{aligned}$$
(4)

Remark 3

It is not hard to verify that if \(u_1, u_2, \ldots , u_k\) are linearly dependent then any function f passes that particular \(\deg (f) < k\) test. Therefore, in practice there is no need to run the test when they are linearly dependent. We could therefore define the test either with, or without the requirement that \(u_1, u_2, \ldots , u_k\) are linearly independent. We decided that both probabilities of failure, with or without the requirement are of interest. There are at least two reasons why the probability of failure without the requirement that \(u_1, u_2, \ldots , u_k\) are linearly independent, which we denoted \(\textrm{dt}_k(f)\), is of interest. Firstly, the case \(k=2\) and \(u_0=0\) corresponds to what is usually called the BLR test; the probability of failing the BLR test is defined without the requirement that \(u_1,u_2\) should be linearly independent (see for example [1]). Secondly, as we shall see in Proposition 10(i), the value of \(\textrm{dt}_k(f)\) does not change if the function f in n variables is viewed as a function in more than n variables. By contrast, this value would change if the definition required linearly independent vectors. The probability of failing the test when we require that \(u_1, u_2, \ldots , u_k\) are linearly independent, equals the quantity \(\textrm{add}_k(f)\) in Definition 4, see Theorem 8.

Definition 4

Let \(0\le k\le n\) be integers and let \(f:\mathbb {F}_2^n \rightarrow \mathbb {F}_2\) be a function. The degree-k monomial density of f, denoted \(\textrm{dd}_k(f)\), is defined as the number of monomials of degree k in the ANF of f, divided by \(\left( {\begin{array}{c}n\\ k\end{array}}\right) \) (the total number of monomials of degree k in n variables) i.e. if the ANF of f is \(f(x) = \displaystyle \bigoplus _{t} b_t t\), with t ranging over all monomials in n variables and \(b_t \in \mathbb {F}_2\) then

$$\begin{aligned} \textrm{dd}_k(f) = \frac{\mid \{t: t \text{ monomial } \text{ of } \text{ degree } k \text{ and } b_t\ne 0\}\mid }{\left( {\begin{array}{c}n\\ k\end{array}}\right) }. \end{aligned}$$
(5)

The average degree-k monomial density of f, denoted \(\textrm{add}_k(f)\), is the average (arithmetic mean) of \(\textrm{dd}_k(g)\) over all the functions g such that \(f \sim g\), i.e.

$$\begin{aligned} \textrm{add}_k(f) = \frac{\displaystyle \sum _{g \sim f}\textrm{dd}_k(g)}{\mid \{g: g \sim f \}\mid } = \frac{\displaystyle \sum _{M \in GL(n, \mathbb {F}_2), v\in \mathbb {F}_2^n} \textrm{dd}_k(f\circ \varphi _{M,v})}{2^n(2^n-1)(2^n-2)\cdots (2^n-2^{n-1})}. \end{aligned}$$
(6)

Remark 5

The two ways of defining \(\textrm{add}_k(f)\) in equation (6) are indeed equal. Namely, denote by A the cardinality of the stabilizer of f under the action of invertible affine transformations of \(\mathbb {F}_2^n\), i.e. \(A = \mid \{\varphi _{M,v}: f\circ \varphi _{M,v} = f\}\mid \). Each element g such that \(g\sim f\) is obtained as \(f\circ \varphi _{M,v}\) for A distinct transformations \(\varphi _{M,v}\). Therefore the cardinality of \(\{g: g \sim f \}\) equals \(2^n(2^n-1)(2^n-2)\cdots (2^n-2^{n-1})/ A\) and \( \displaystyle \sum _{M \in GL(n, \mathbb {F}_2), v\in \mathbb {F}_2^n} \textrm{dd}_k(f\circ \varphi _{M,v}) = A \displaystyle \sum _{g \sim f}\textrm{dd}_k(g)\).

Remark 6

The notion of average degree-k monomial density has some similarity to, but is different from the algebraic thickness of a function f, defined in [2]. The algebraic thickness is defined as the minimum number of monomials among all the functions g such that \(f \sim g\). Both notions look at the number of monomials, but the average degree density looks at monomials of a given degree while the algebraic thickness looks at monomials of all degrees. Also, while both notions look at the whole equivalence class of f, the average degree density computes the average while the algebraic thickness computes the minimum.

The average degree-k monomial density is closely connected to the probability of failing the \(\deg (f)<k\) test. After a preliminary lemma, we will give the exact relationship in the next theorem.

Lemma 7

Let \(M\in GL(n,\mathbb {F}_2)\) be an invertible matrix and let \(1\le i_1<\ldots < i_k \le n\). Denote by \(u_1, \ldots , u_k\in \mathbb {F}_2^n\) the linearly independent vectors which appear in M as columns \(i_1, \ldots , i_k\), respectively. Also, let \(u_0\in \mathbb {F}_2^n\). Then the coefficient of \(x_{i_1}\cdots x_{i_k}\) in \(f\circ \varphi _{M,u_0}\) equals \(\displaystyle \bigoplus _{c_1,\ldots ,c_k \in \mathbb {F}_2} f\left( \left( \displaystyle \bigoplus _{i=1}^{k} c_iu_i\right) \oplus u_0\right) \).

Proof

Using (23) and the fact that \(M\textbf{e}_{i_j} = u_j\), we see that the coefficient b of \(x_{i_1}\cdots x_{i_k}\) in the ANF of \(f\circ \varphi _{M,u_0}\) equals

$$\begin{aligned} b= & {} \displaystyle \bigoplus _{c_1,\ldots ,c_k \in \mathbb {F}_2} f\left( \varphi _{M,u_0}\left( \displaystyle \bigoplus _{j=1}^{k} c_j \textbf{e}_{i_j}\right) \right) \\= & {} \displaystyle \bigoplus _{c_1,\ldots ,c_k \in \mathbb {F}_2} f\left( M\left( \displaystyle \bigoplus _{j=1}^{k} c_j \textbf{e}_{i_j}\right) \oplus u_0\right) \\= & {} \displaystyle \bigoplus _{c_1,\ldots ,c_k \in \mathbb {F}_2} f\left( \left( \displaystyle \bigoplus _{j=1}^{k} c_j u_j\right) \oplus u_0\right) . \end{aligned}$$

\(\square \)

Theorem 8

The average degree-k monomial density of a function f equals the probability of failing the test \(\displaystyle \bigoplus _{c_1,\ldots ,c_k \in \mathbb {F}_2} f\left( \left( \displaystyle \bigoplus _{i=1}^{k} c_iu_i\right) \oplus u_0\right) =0\) over all those \((u_0,u_1, u_2, \ldots , u_k) \in (\mathbb {F}_2^n)^{k+1}\) for which the vectors \((u_1, u_2, \ldots , u_k)\) are linearly independent. In other words, \(\textrm{dt}_k(f)\) equals \(\textrm{add}_k(f)\) multiplied by the probability that k vectors chosen uniformly from \(\mathbb {F}_2^n\) are linearly independent, i.e.

$$\begin{aligned} \textrm{dt}_k(f)= & {} \textrm{add}_k(f) \displaystyle \prod _{i=n-k+1}^n\left( 1 - \frac{1}{2^{i}}\right) . \end{aligned}$$
(7)

Proof

We aim to count all the monomials of degree k in \(f \circ \varphi _{M,v}\) for all \(M\in GL(n, \mathbb {F}_2)\) and \(v \in \mathbb {F}_2^n\), let us call this number \(N_1\). In other words, using (5) and (6), \(N_1\) is such that

$$\begin{aligned} \textrm{add}_k(f) = \frac{N_1}{\left( {\begin{array}{c}n\\ k\end{array}}\right) 2^n(2^n-1)(2^n-2)\cdots (2^n-2^{n-1})}. \end{aligned}$$
(8)

Then we compare this number with the number of tuples of \(k+1\) vectors \((u_0, u_1, u_2, \ldots , u_k) \in (\mathbb {F}_2^n)^{k+1}\) for which the test fails, let us call this number \(N_2\). Using (4) we have

$$\begin{aligned} \textrm{dt}_k(f) = \frac{N_2}{2^{(k+1)n}} \end{aligned}$$
(9)

Note that the fact that the test for \((u_0, u_1, u_2, \ldots , u_k)\) fails implies that \(u_1, u_2, \ldots , u_k\) are linearly independent (see Remark 3).

For each fixed \((u_0, u_1, u_2, \ldots , u_k) \in (\mathbb {F}_2^n)^{k+1}\), we know from Lemma 7 that the test \(\displaystyle \bigoplus _{c_1,\ldots ,c_k \in \mathbb {F}_2} f\left( \left( \displaystyle \bigoplus _{j=1}^{k} c_ju_{j}\right) \oplus u_0 \right) =0\) fails if and only if the monomial \(x_{i_1}\cdots x_{i_k}\) appears in \(f \circ \varphi _{M,u_0}\) for some invertible matrix M which has the columns \( u_1, u_2, \ldots , u_k\) in some positions \(1\le i_1< \ldots < i_k\le n\). The number of invertible matrices M that have the vectors \(u_1, u_2, \ldots , u_k\) appearing (in this order) as some of their columns is

$$\begin{aligned} \left( {\begin{array}{c}n\\ k\end{array}}\right) (2^n-2^k)(2^n-2^{k+1})\cdots (2^n - 2^{n-1}) \end{aligned}$$

(there are \(\left( {\begin{array}{c}n\\ k\end{array}}\right) \) ways of choosing the positions where these k columns appear, and for each of them we can choose incrementally the remaining \(n-k\) columns such that each newly chosen column is not in the vector space generated by the previously chosen columns, to ensure that the final matrix is invertible). Therefore each fixed \((u_0, u_1, u_2, \ldots , u_k)\) for which the test fails corresponds to \(\left( {\begin{array}{c}n\\ k\end{array}}\right) (2^n-2^k)(2^n-2^{k+1})\cdots (2^n - 2^{n-1})\) monomials in polynomials of the form \(f \circ \varphi _{M,u_0}\), and thus

$$\begin{aligned} N_1 = N_2 \left( {\begin{array}{c}n\\ k\end{array}}\right) (2^n-2^k) (2^n-2^{k+1})\cdots (2^n - 2^{n-1}). \end{aligned}$$

Combining this relation with (8) and (9) yields the desired result. Note that the probability of an arbitrary k-tuple of vectors \(u_1, u_2, \ldots , u_k\) to be linearly independent is

$$\begin{aligned} \frac{(2^n-1)(2^n-2)\cdots (2^n-2^{k-1})}{2^{kn}} = \left( 1-\frac{1}{2^n}\right) \cdots \left( 1-\frac{1}{2^{n-k+1}}\right) . \end{aligned}$$

\(\square \)

From Lemma 7 and Theorem 8 above and the fact that the degree is invariant to invertible affine transformations, we can deduce:

Corollary 9

Let \(f: \mathbb {F}_2^n \rightarrow \mathbb {F}_2\) be a function.

  1. (i)

    If \(\deg (f)<k\) then \(\textrm{dt}_k(f) = \textrm{add}_k(f) = 0\)

  2. (ii)

    Both \(\textrm{add}_k(f)\) and \(\textrm{dt}_k(f)\) are invariant to affine equivalence, i.e. \(f \sim g\) implies \(\textrm{add}_k(f)= \textrm{add}_k(g)\) and \(\textrm{dt}_k(f)= \textrm{dt}_k(g)\). Moreover, \(f \sim _{k-1} g\) implies \(\textrm{add}_k(f)= \textrm{add}_k(g)\) and \(\textrm{dt}_k(f)= \textrm{dt}_k(g)\).

We prove some useful properties of \(\textrm{dt}_k(f)\):

Proposition 10

Let \(f, g_1:\mathbb {F}_2^n \rightarrow \mathbb {F}_2\) and \(g_2:\mathbb {F}_2^m \rightarrow \mathbb {F}_2\) be functions in n variables.

  1. (i)

    If \(g(x_1, \ldots , x_n, x_{n+1}) = f(x_1, \ldots , x_n)\), then \(\textrm{dt}_k(g) = \textrm{dt}_k(f)\).

  2. (ii)

    If \(g(x_1, \ldots , x_{n+m}) = g_1(x_1, \ldots , x_n) \oplus g_2(x_{n+1}, \ldots , x_{n+m})\), then \(\textrm{dt}_k(g) = \textrm{dt}_k(g_1) + \textrm{dt}_k(g_2) - 2 \textrm{dt}_k(g_1)\textrm{dt}_k(g_2)\).

Proof

The statement (i) is a special case of (ii) with \(m=1\) and \(g_2(x_{n+1})=0\), therefore we will only prove (ii).

Since the sets of variables of the two functions \(g_1\) and \(g_2\) are disjoint, their values can be viewed as independent events. The function g fails the test if and only if exactly one of the functions \(g_1\) or \(g_2\) fails the test, so \(\textrm{dt}_k(g) = \textrm{dt}_k(g_1)(1- \textrm{dt}_k(g_2)) + \textrm{dt}_k(g_2)(1-\textrm{dt}_k(g_1))\).

\(\square \)

4 Probability of failing the \(\deg (f)<k\) test when f has degree k

The \(\deg (f)<k\) test would be used as follows: we run the \(\deg (f)<k\) test a number of times, say t times, for different choices of vectors \(u_0,\ldots , u_k\in (\mathbb {F}_2^n)^{k+1}\) (chosen independently, with uniform distribution). If f passes all the t tests, we conclude that we probably have \(\deg (f)<k\); if f fails at least one of the test we conclude that \(\deg (f)\ge k\).

When \(\deg (f)\) is truly below k, the function f will always pass the \(\deg (f)<k\) test as, by Corollary 9, we have \(\textrm{dt}_k(f)=0\). In other words, there are no false negatives. However, when the true degree of f is at least k, it is possible to wrongly conclude that \(\deg (f)<k\) (false positive). The probability of that happening is \((1-\textrm{dt}_k(f))^t\). It is therefore important to determine \(\textrm{dt}_k(f)\) for polynomials of degree k or more. In this paper we commence the study of \(\textrm{dt}_k(f)\) by proving results for the case when \(\deg (f)= k\); the case \(\deg (f)> k\) will be the subject of further work.

Throughout this section we assume that \(\deg (f)=k\). Note that for affine invertible transformations \(\varphi _{M,u_0}(x) = Mx+u_0\), the monomials of maximum degree in \(f \circ \varphi _{M,u_0}\), are the same regardless of the value of \(u_0\), and therefore the same as the ones in \(f\circ \varphi _{M}\), where \(\varphi _{M}(x) = Mx\) is a linear invertible transformation. Therefore, when we study only the monomials of maximum degree, it is sufficient to look at linear, rather than affine transformations, so when \(\deg (f)=k\) the equation (6) becomes:

$$\begin{aligned} \textrm{add}_k(f) = \frac{\displaystyle \sum _{M \in GL(n, \mathbb {F}_2)} \textrm{dd}_k(f\circ \varphi _{M})}{(2^n-1)(2^n-2)\cdots (2^n-2^{n-1})}. \end{aligned}$$

Similarly, using Lemma 7 we see that if \(\deg (f) = k\) it suffices to consider those \(\deg (f)<k\) tests at \(u_0, u_1, \ldots , u_k\) for which \(u_0=\textbf{0}\), i.e. we have

$$\begin{aligned} \textrm{dt}_k(f) = \frac{\mid \{ (u_1, u_2, \ldots , u_k) \in (\mathbb {F}_2^n)^k : \displaystyle \bigoplus _{c_1,\ldots ,c_k \in \mathbb {F}_2} f\left( \displaystyle \bigoplus _{i=1}^{k} c_iu_i\right) \ne 0\}\mid }{2^{kn}}. \end{aligned}$$
(10)

Recall from Corollary 9 that \(\textrm{add}_k(f)\) and \(\textrm{dt}_k(f)\) are invariant under the equivalence \(\sim _{k-1}\) i.e. \(f\sim _{k-1} g\) implies \(\textrm{add}_k(f)= \textrm{add}_k(g)\) and \(\textrm{dt}_k(f)= \textrm{dt}_k(g)\). When considering polynomials of degree k under \(\sim _{k-1}\) equivalence, it suffices to consider representatives which only contain monomials of degree k, i.e. are homogeneous. In this context, the following construction was used extensively in the classification in [6] and [8]. Assume f is homogeneous of degree k and write its algebraic normal form as \(f(x_1, \ldots , x_n) = \sum _{t} b_t t\), with t ranging over all monomials of degree k in the variables \(x_1, \ldots , x_n\). Define \(f^c(x_1, \ldots , x_n) = \sum _{t} b_t \frac{x_1\cdots x_n}{t}\) (this is sometimes called the complement of f, but it should not be confused with the Boolean complement, which is \(f\oplus 1\)).

We prove some additional useful properties of \(\textrm{dt}_k(f)\):

Proposition 11

Let \(f:\mathbb {F}_2^n \rightarrow \mathbb {F}_2\) be a function of degree \(k\ge 1\) in n variables.

  1. (i)

    If \(g(x_1, \ldots , x_n, x_{n+1}) = x_{n+1} f(x_1, \ldots , x_n)\), then \(\textrm{dt}_{k+1}(g) = \left( 1 - \frac{1}{2^{k+1}} \right) \textrm{dt}_k(f)\).

  2. (ii)

    If f is homogeneous of degree \(k\le \frac{n}{2}\), then \(\textrm{add}_{n-k}(f^c) = \textrm{add}_k(f)\) and \(\textrm{dt}_{n-k}(f^c) = \textrm{dt}_k(f) \displaystyle \prod _{i=k+1}^{n-k}\left( 1 - \frac{1}{2^{i}}\right) \).

Proof

(i) Consider \(k+1\) vectors \(u_0, u_1, \ldots , u_k \in (\mathbb {F}_2^n)^{k+1} \) such that \(u_1, u_2, \ldots , u_k\) are linearly independent. Running the \(\deg (f)<k\) test on these vectors involves adding the values of f on all vectors in the affine space \(U = u_0 \oplus \langle u_1, u_2, \ldots , u_k \rangle \). The result will be the same for all the other \((k+1)\)-tuples \(u'_0, u'_1, \ldots , u'_k \in (\mathbb {F}_2^n)^{k+1} \) for which \(u'_0 \oplus \langle u'_1, u'_2, \ldots , u'_k \rangle = u_0 \oplus \langle u_1, u_2, \ldots , u_k \rangle \). There are \((2^k-1)(2^k-2)\cdots (2^k-2^{k-1})\) ways to choose a k-tuple \(u'_1, \ldots , u'_k \in (\mathbb {F}_2^n)^{k} \) such that \( \langle u'_1, u'_2, \ldots , u'_k \rangle = \langle u_1, u_2, \ldots , u_k \rangle \) and \(2^k(2^k-1)(2^k-2)\cdots (2^k-2^{k-1})\) ways to choose a \((k+1)\)-tuple \(u'_0, u'_1, \ldots , u'_k \in (\mathbb {F}_2^n)^{k+1} \) such that \( u'_0 \oplus \langle u'_1, u'_2, \ldots , u'_k \rangle = u_0 \oplus \langle u_1, u_2, \ldots , u_k \rangle \).

Let us denote by \(L_{k+1}(g)\) the set of vector spaces of dimension \(k+1\) in \(\mathbb {F}_2^{n+1}\) on which the \(\deg (g)< k+1\) test fails, and denote by \(A_{k}(f)\) the set of affine spaces of dimension k in \(\mathbb {F}_2^{n}\) on which the \(\deg (f)< k\) test fails. From the definition (5) of \(\textrm{dt}_k(f)\) and from (10) we have:

$$\begin{aligned} \textrm{dt}_k(f) = \frac{2^k(2^k-1)(2^k-2)\cdots (2^k-2^{k-1})\mid A_k(f)\mid }{2^{(k+1)n}} \end{aligned}$$

and

$$\begin{aligned} \textrm{dt}_{k+1}(g) = \frac{(2^{k+1}-1)(2^{k+1}-2)\cdots (2^{k+1}-2^{k})\mid L_{k+1}(g)\mid }{2^{(k+1)(n+1)}}. \end{aligned}$$

Therefore

$$\begin{aligned} \textrm{dt}_{k+1}(g) = \textrm{dt}_k(f) \left( 1-\frac{1}{2^{k+1}} \right) \frac{\mid L_{k+1}(g)\mid }{\mid A_k(f)\mid }. \end{aligned}$$

All we have to do now is to show that the sets \(L_{k+1}(g)\) and \(A_k(f)\) have the same cardinality.

Note firstly that if a \((k+1)\)-dimensional linear space \(V'\) of \(\mathbb {F}_2^{n+1}\) does not contain any element with last component equal to 1, then \(g(v)=0\) for all \(v\in V'\) and therefore g passes the test on \(V'\), i.e. \(V'\not \in L_{k+1}(g)\).

Each k-dimensional affine space U in \(\mathbb {F}_2^{n}\) can be written as \(U = u_0 \oplus U_0\) for some \(u_0\in \mathbb {F}_2^n\) and a uniquely determined k-dimensional vector space \(U_0\). We associate to U the \((k+1)\)-dimensional linear space in \(\mathbb {F}_2^{n+1}\) defined as \(V = V_1 \cup V_0\) with

$$\begin{aligned} V_1= & {} \{(a_1, \ldots , a_n,1): (a_1, \ldots , a_n)\in U\} \\ V_0= & {} \{(a_1, \ldots , a_n, 0): (a_1, \ldots , a_n)\in U_0\}. \end{aligned}$$

One can verify that this is a one-to-one correspondence between the k-dimensional affine spaces of \(\mathbb {F}_2^{n}\) and those \((k+1)\)-dimensional linear spaces of \(\mathbb {F}_2^{n+1}\) which contain elements with last component equal to 1. For the spaces U and V as defined above we have

$$\begin{aligned} \bigoplus _{v\in V} g(v) = \bigoplus _{v\in V_0} g(v)\oplus \bigoplus _{v\in V_1} g(v) = \bigoplus _{v\in V_1} g(v) = \bigoplus _{u\in U} f(u), \end{aligned}$$
(11)

therefore \(U\in A_k(f)\) if and only if \(V\in L_{k+1}(g)\), so \(L_{k+1}(g)\) and \(A_k(f)\) have the same cardinality.

(ii) In [6, page 110] it was proven that the orbit of \(f^c\) under the equivalence \(\sim _{n-k-1}\) has the same cardinality as the orbit of f under \(\sim _{k-1}\), and moreover, the orbit of \(f^c\) is \(\{h^c: h \sim _{k-1} f\}\). Since h and \(h^c\) have the same number of monomials, from Definition 4 we have that \(\textrm{add}_k(f) = \textrm{add}_{n-k}(f^c)\). We then apply Theorem 8 to obtain the required result regarding \(\textrm{dt}_{n-k}(f^c)\).

Propositions 10 and 11 above allow us to compute the values of \(\textrm{dt}_k(f)\) for some simple functions f:

Corollary 12

We have

$$\begin{aligned}&\textrm{dt}_k(x_1\cdots x_k) = \displaystyle \prod _{i=1}^k \left( 1-\frac{1}{2^i} \right) . \\&\textrm{dt}_k(x_1\cdots x_k \oplus x_{k+1}\cdots x_{2k}) = 2 \displaystyle \prod _{i=1}^k \left( 1-\frac{1}{2^i} \right) \left( 1 - \displaystyle \prod _{i=1}^k \left( 1-\frac{1}{2^i} \right) \right) . \\&\textrm{dt}_{k+t}(x_{2k+1}\cdots x_{2k+t}(x_1\cdots x_k \oplus x_{k+1}\cdots x_{2k} )) = 2 \displaystyle \prod _{i=1}^{k+t} \left( 1-\frac{1}{2^i} \right) \left( 1 - \displaystyle \prod _{i=1}^k \left( 1-\frac{1}{2^i} \right) \right) . \end{aligned}$$

Example 13

Using the Corollary 12 above we compute the exact values of \(\textrm{dt}_k(f)\) for some functions f. For example \(\textrm{dt}_3(x_1x_2x_3) = 21/64 = 0.328125\), \(\textrm{dt}_2(x_1x_2 \oplus x_3x_4) = 15/32 = 0.46875\), \(\textrm{dt}_4((x_1x_2 \oplus x_3x_4)x_5x_6) = 0.384521484\). Finally, revisiting Example 1, for \(f =x_1x_2x_3 + x_4x_5x_6 \oplus x_7x_8x_9\) we compute \(\textrm{dt}_3(f) = \frac{31437}{2^{16}} \approx 0.47969\). This means that after running 9 times our \(\deg (f)<3\) test on this f we have only a \((1-0.47969)^9 = 0.0028\) probability of incorrectly deciding that \(\deg (f)<3\); compare that with a probability of 0.72 for the original test, as explained in Example 1.

We will now prove lower and upper bounds for \(\textrm{dt}_k(f)\):

Theorem 14

Let \(f:\mathbb {F}_2^n \rightarrow \mathbb {F}_2\) be a function of degree \(k\ge 1\). Then

$$\begin{aligned} \displaystyle \prod _{i=1}^k \left( 1-\frac{1}{2^i} \right) \le \textrm{dt}_k(f) \le \frac{1}{2}\left( 1-\frac{1}{2^n} \right) ^{k-1}. \end{aligned}$$

The lower bound is achieved if and only if \(f \sim _{k-1} x_1\cdots x_k \).

Proof

Recall that since f is of degree k, it suffices to consider the \(\deg (f)<k\) tests at \(u_0, u_1, \ldots , u_k\) with \(u_0 = \textbf{0}\), see (10).

The proof will be by induction on k. We consider first the case when \(k=1\). Recall that the normalised Hamming weight of f is defined as the proportion of its inputs that produce non-zero outputs, i.e.:

$$\begin{aligned} \textrm{wt}(f) = \frac{\mid \{x\in \mathbb {F}_2^n: f(x)\ne 0\}\mid }{2^n}. \end{aligned}$$

When f has degree one, the \(\deg (f)<1\) test at \(\textbf{0}, u_1\) is \(f(u_1)\oplus f(\textbf{0})=0\). The probability of failing this test, over all \(u_1\in \mathbb {F}_2^n\) is equal to \(\textrm{wt}(f)\) if \(f(\textbf{0})=0\) and it is equal to \(1-\textrm{wt}(f)\) if \(f(\textbf{0})=1\). Since f has degree 1, i.e. it is an affine non-constant function, its normalised weight is \(\frac{1}{2}\). Therefore \(\textrm{dt}_1(f)=\frac{1}{2}\), so the lower and upper bounds hold with equality. Note that any function of degree 1 is affine equivalent to \(x_1\).

Now consider an arbitrary degree k and assume the statement holds for degrees less than k. Recall that the discrete derivative of f in a direction \(a\in \mathbb {F}_2^n\) is defined as \(\textrm{D}_{a}f(x) = f(x\oplus a) \oplus f(x)\) (usually the case \(a = \textbf{0}\) is excluded, but here we will allow it, and obviously the derivative is identically zero when \(a = \textbf{0}\)).

Recall that \(\deg (\textrm{D}_{a}f)\le \deg (f)-1\) (see [7]). A vector \(a\in \mathbb {F}_2^n\setminus \{\textbf{0}\}\) is called a fast point for f if \(\deg (\textrm{D}_{a}f)< \deg (f)-1\) ([4]). As we allow derivatives in the direction \(a = \textbf{0}\), this vector is also a fast point. In [11] it was shown that the number of fast points (including \(a = \textbf{0}\)) for a function f of degree k in n variables can vary from 1 to at most \(2^{n-k}\), the latter being achieved if and only if \(f \sim _{k-1} x_1\cdots x_k\). Let us denote by S(f) the vectors in \(\mathbb {F}_2^n\) that are not fast points for f. We have therefore

$$\begin{aligned} 2^n-2^{n-k} \le \mid S(f)\mid \le 2^n -1 \end{aligned}$$
(12)

with the lower bound achieved when \(f \sim _{k-1} x_1\cdots x_k\).

The \(\deg (f)<k\) test on f at \(\textbf{0}, u_1, \ldots , u_k\)

$$\begin{aligned} \displaystyle \bigoplus _{c_1,\ldots ,c_k \in \mathbb {F}_2} f\left( \displaystyle \bigoplus _{i=1}^{k} c_iu_i\right) = 0 \end{aligned}$$

can be rewritten as

$$\begin{aligned} \displaystyle \bigoplus _{c_1,\ldots ,c_{k-1} \in \mathbb {F}_2} \textrm{D}_{u_k} f\left( \displaystyle \bigoplus _{i=1}^{k-1} c_iu_i\right) = 0, \end{aligned}$$

which is the \(\deg (\textrm{D}_{u_k} f)< k-1\) test at \(\textbf{0}, u_1, \ldots , u_{k-1}\). Whenever \(u_k\) is a fast point for f we have \(\deg (\textrm{D}_{u_k} f)<k-1\) and therefore \(\textrm{D}_{u_k} f\) will pass the test. When \(u_k\) is not a fast point, \(\deg (\textrm{D}_{u_k} f)=k-1\) and using (10) we have

$$\begin{aligned} \textrm{dt}_k(f) = \frac{1}{2^n}\sum _{u_k\in S(f)} \textrm{dt}_{k-1}( \textrm{D}_{u_k} f ). \end{aligned}$$
(13)

Also, when \(u_k\) is not a fast point, \(\deg (\textrm{D}_{u_k} f)=k-1\) means we can apply the induction hypothesis to \(\textrm{D}_{u_k} f\)

$$\begin{aligned} \displaystyle \prod _{i=1}^{k-1} \left( 1-\frac{1}{2^i} \right) \le \textrm{dt}_{k-1}(\textrm{D}_{u_k} f) \le \frac{1}{2}\left( 1-\frac{1}{2^n} \right) ^{k-2}. \end{aligned}$$

Combining this with equation (13) we obtain

$$\begin{aligned} \frac{\mid S(f)\mid }{2^n}\displaystyle \prod _{i=1}^{k-1} \left( 1-\frac{1}{2^i} \right) \le \textrm{dt}_k(f) \le \frac{\mid S(f)\mid }{2^n}\frac{1}{2}\left( 1-\frac{1}{2^n} \right) ^{k-2}. \end{aligned}$$

and finally using (12) we obtain the bounds in the theorem’s statement. Note that the lower bound is achieved if and only if \(\mid S(f)\mid = 2^n-2^{n-k}\) and \(\textrm{D}_{u_k} f \sim _{k-2} x_1\cdots x_{k-1}\), which holds if and only if \(f\sim _{k-1} x_1\cdots x_k\). \(\square \)

Example 15

For functions f in 8 variables, Theorem 14 above shows that when f has degree 3 we have \(0.328125 \le \textrm{dt}_3(f)\le 0.496101379\); when f has degree 4 we have \(0.307617 \le \textrm{dt}_4(f)\le 0.4941635\).

If we are interested in lower and upper bounds for \(\textrm{dt}_k(f)\) which do not depend on either k or the number of variables n, Theorem 14 implies:

Corollary 16

Let f be a function of degree \(k\ge 1\). Then

$$\begin{aligned} \prod _{i=1}^{\infty }\left( 1 - \frac{1}{2^i} \right) \le \textrm{dt}_k(f) \le \frac{1}{2}. \end{aligned}$$

The lower bound is the q-Pochhammer symbol at \((0.5, 0.5, \infty )\) and is equal to \(0.288788\ldots \).

5 Numerical results

We computed the values of \(\textrm{dt}_k(f)\) and \(\textrm{add}_k(f)\) for all functions of degree \(k\ge 1\) in 8 variables. Due to the invariance to \(\sim _{k-1}\), it suffices to compute these values for one representative from each class.

The cases \(k=1,2\) are trivial. Namely, for \(k=1\) there is only one equivalence class, with representative \(f(x_1, \ldots , x_8) = x_1\), and we have \(\textrm{dt}_1(f) = \frac{1}{2}\) (see the first part of the proof of Theorem 14). For degree \(k=2\) there are four equivalence classes, corresponding to \(x_1x_2, x_1x_2 \oplus x_3x_4, x_1x_2 \oplus x_3x_4 \oplus x_5x_6\), and \(x_1x_2 \oplus x_3x_4 \oplus x_5x_6 \oplus x_7x_8\). Using Propositions 10 and 11 we can compute \(\textrm{dt}_2(f)\) as being 0.375000, 0.468750, 0.492188 and 0.498047 respectively.

For degree \(k=3\) we used the 31 representatives of equivalence classes of polynomials in 8 variables listed in [6]. For degree \(k=4\) we used the 998 equivalence classes of polynomials of degree \(k=4\) in 8 variables listed in [8].

For each function f of degree k, we computed \(\textrm{add}_k(f)\) by picking one basis \(u_1,\ldots ,u_k\) for each of the \(\left( {\begin{array}{c}8\\ k\end{array}}\right) _2\) vector spaces of \(\mathbb {F}_2^8\) of dimension k, and then running the \(\deg (f)<k\) test for each such basis. We then computed \(\textrm{dt}_k(f)\) using Theorem 8.

Table 1 Test results for degree 3 in 8 variables
Full size table

Table 1 lists the values of \(\textrm{add}_3(f)\) and \(\textrm{dt}_3(f)\) for each of the 31 non-zero representatives of degree 3 in 8 variables; they are listed in increasing order of \(\textrm{dt}_3(f)\). The values of \(\textrm{dt}_3(f)\) range from 0.328125 to 0.489626. The lower and upper bounds given by Theorem 14 would be 0.328125 and 0.496101379 respectively, see Example 15; while the lower bound is achieved, the upper bound is not tight in this case. All but one polynomial (namely the one that consists of a single monomial) have \(\textrm{dt}_3(f)\) in the interval (0.4, 0.5). We note that there are only 16 different values for \(\textrm{dt}_3(f)\); some of the 31 classes do have the same value of \(\textrm{dt}_3(f)\).

For the 998 polynomials of degree 4 in 8 variables, there are 54 different values of \(\textrm{dt}_4(f)\), ranging from 0.307617 to 0.480051. The lower and upper bounds given by Theorem 14 would be 0.307617 and 0.4941635 respectively, see Example 15; while the lower bound is achieved, the upper bound is not tight in this case. All polynomials have \(\textrm{dt}_4(f)\) in the interval (0.4, 0.5) except for two polynomial classes, namely the class of a monomial, e.g. \(x_1x_2x_3x_4\) and the class of \(x_1x_2(x_3x_4 \oplus x_5x_6)\), which have the values 0.307617 and 0.384521, as expected from Corollary 12.

Histograms are given in Figs. 1 and 2 in the Appendix. The first histogram shows, for equally sized intervals, the number of polynomials that have \(\textrm{dt}_k(f)\) in that interval. We notice that the vast majority of classes have \(\textrm{dt}_4(f)\) between 0.462808 and 0.480051. The second histogram shows, for each possible value of \(\textrm{dt}_4(f)\), the number of classes that have that particular value. This allows us to see whether \(\textrm{dt}_k(f)\) could be used to distinguish between equivalence classes (recall that \(\textrm{dt}_k(f)\) is invariant to the equivalence \(\sim _{k-1}\)). Given fg, if \(\textrm{dt}_k(f)\ne \textrm{dt}_k(g)\), we know that f and g are inequivalent. However, if \(\textrm{dt}_k(f)= \textrm{dt}_k(g)\) we are unable to use this invariant to decide whether f and g are equivalent or not. A combination of several invariants has been used to distinguish (almost) all the classes in the classification of [6] and [8]. Unfortunately, as seen from Fig. 2, \(\textrm{dt}_k(f)\) on its own is not particularly suited for distinguishing classes, as there are many classes with the same value. However it could prove useful in combination with other existing invariants.

For degree \(k=5\) there are again 31 representatives, which are obtained as \(f^c\) with f running through the 31 degree 3 representatives mentioned above. Using Proposition 11(ii), one can compute \(\textrm{dt}_5(f^c) = \textrm{dt}_3(f)\left( 1 - \frac{1}{2^4} \right) \left( 1 - \frac{1}{2^5} \right) = 0.96875\textrm{dt}_3(f)\). Similarly, for degree \(k=6\) there are 4 representatives, which are obtained from the degree 2 representatives by \(\textrm{dt}_6(f^c) = \textrm{dt}_2(f)\prod _{i=3}^{6}\left( 1 - \frac{1}{2^i} \right) = 0.984375\textrm{dt}_2(f)\). Finally, for each of the degrees 7 and 8 there is only one class, with representatives \(x_1\cdots x_7\) and \(x_1\cdots x_8\), respectively. Using Corollary 12 we have that \(\textrm{dt}_k(f)\) is 0.291056 and 0.289919, respectively.

6 Conclusion

We proposed a probabilistic test, called the \(\deg (f)<k\) test, for deciding whether the algebraic degree of a Boolean function f is below a certain value k. There are no false negatives for this test (if the degree of f is indeed below k then f always passes the test) but there can be false positives, i.e. polynomials of degree at least k which pass some instances of the test. The probability of such polynomials failing the test, denoted \(\textrm{dt}_k(f)\), determines therefore the accuracy of the test.

We studied \(\textrm{dt}_{k}(f)\) by proving results for the case when the degree of f is actually k. We determined lower and upper bounds for \(\textrm{dt}_k(f)\), with the lower bound being tight. These bounds imply \(\textrm{dt}_k(f) \in (0.288788,0.5]\), which means in particular that it suffices to run the test 9 times for a probability of at least 0.95 of f failing at least one instance of the test and therefore correctly concluding that \(\deg (f)\ge k\). We also computed exact formulae for \(\textrm{dt}_k(f)\) for some classes of polynomials in an arbitrary number of variables n, as well as computer calculations of \(\textrm{dt}_k(f)\) for all polynomials in up to \(n=8\) variables. The study of \(\textrm{dt}_k(f)\) for polynomials of degree strictly higher than k will be the subject of future work.