# Additive and linear structures of cryptographic functions

## Abstract

In the design and analysis of cryptographic algorithms, exploiting the structures of such algorithms is an important aspect. In this paper, additive and linear structures of functions from *GF^n(q)* to *GF^m(q)* will be considered. A function *f* is said to have an additive structure if there is a non-zero vector *a* such that *f(x+a)−f(x)* remains invariant for all *x*. Such a vector *a* is called an additive translator of the function *f*. A function *f* is said to have a linear structure if *f* has an additive translator *a* and if *f(x+ca)−f(x)=c(f(a)−f(0))* for all *c* in *GF(q)*. We call this *a* a linear translator of *f*. We show how to use such additive and linear structures to simplify the expression of the function *f*. It is shown that a function *f* has *r* linearly independent linear translators if and only if there is a non-singular linear transformation such that the composition of this linear transformation with the original function gives a function that is the sum of a linear function of *r* variables and some function of the other *n−r* variables. In particular, when *q* is a prime, any additive translator is a linear translator, which implies that *f* becomes a sum of an *r*-variable linear function and an *(n−r)*-variable function if and only if *f* has *r* linearly independent additive translators. Moreover, for an invertible function *f*, there is a one-to-one relationship between the linear translators of *f* and the linear translators of its inverse function.
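The definitions above can be checked by exhaustive search for *q* = 2, where every additive translator is also a linear translator. The following is an added example, not code from the paper: it finds the additive translators of a small lookup table and verifies the stated decomposition into a linear part plus a function of the remaining variables. All function names and the sample tables `H` and `F` are constructed for illustration.

```python
# Added example (not from the paper): GF(2) vectors are packed into ints,
# and a function GF(2)^n -> GF(2)^m is a lookup table of 2**n ints.

def additive_translators(f, n):
    """Map every non-zero a with f(x^a) ^ f(x) constant in x to that constant."""
    found = {}
    for a in range(1, 1 << n):
        b = f[a] ^ f[0]
        if all(f[x ^ a] ^ f[x] == b for x in range(1 << n)):
            found[a] = b
    return found

def independent(vectors):
    """Keep, in order, the vectors that are linearly independent over GF(2)."""
    kept, reduced = [], []
    for v in vectors:
        r = v
        for b in reduced:
            r = min(r, r ^ b)  # clears the leading bit of b if it is set in r
        if r:
            kept.append(v)
            reduced.append(r)
    return kept

def xor_select(table, y):
    """XOR of table[i] over the set bits i of y (a linear map in y)."""
    x = 0
    for i, v in enumerate(table):
        if y >> i & 1:
            x ^= v
    return x

def decompose(f, n):
    """Return (r, basis, lin, h): f(L(y)) = xor_select(lin, y) ^ h[y >> r]."""
    trans = additive_translators(f, n)
    own = independent(list(trans))                          # r independent translators
    basis = independent(own + [1 << i for i in range(n)])   # extend to a basis: L
    r = len(own)
    h = [f[xor_select(basis, t << r)] for t in range(1 << (n - r))]
    return r, basis, [trans[a] for a in own], h

def decomposition_holds(f, n):
    r, basis, lin, h = decompose(f, n)
    return all(f[xor_select(basis, y)] == xor_select(lin, y) ^ h[y >> r]
               for y in range(1 << n))

# Constructed sample: H is a 2-bit -> 3-bit table with no additive translator;
# F hides it behind a linear change of variables plus the linear term (x0^x1)*5.
H = [0, 1, 2, 4]
F = [(((x ^ x >> 1) & 1) * 5) ^ H[(x >> 2 & 1) | (((x >> 3 ^ x) & 1) << 1)]
     for x in range(16)]
```

For `F`, the search returns three translators spanning a 2-dimensional space, so `F` composed with the recovered basis change splits into a 2-variable linear function and the 2-variable table `h`.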
