Additive and linear structures of cryptographic functions

  • Xuejia Lai
Session 1: Stream Ciphers-Design
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1008)


In the design and analysis of cryptographic algorithms, exploiting the structures of such algorithms is an important aspect. In this paper, additive and linear structures of functions from GF^n(q) to GF^m(q) will be considered. A function f is said to have an additive structure if there is a non-zero vector a such that f(x+a) − f(x) takes the same value for all x. Such a vector a is called an additive translator of the function f. A function f is said to have a linear structure if f has an additive translator a such that f(x+ca) − f(x) = c(f(a) − f(0)) for all c in GF(q). Such an a is called a linear translator of f. We show how to use such additive and linear structures to simplify the expression of the function f. It is shown that a function f has r linearly independent linear translators if and only if there is a non-singular linear transformation such that the composition of this linear transformation with the original function gives a function that is the sum of a linear function of r variables and some function of the other n−r variables. In particular, when q is a prime, any additive translator is a linear translator, which implies that f becomes a sum of an r-variable linear function and an (n−r)-variable function if and only if f has r linearly independent additive translators. Moreover, for an invertible function f, there is a one-to-one relationship between the linear translators of f and the linear translators of its inverse function.
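As an added worked example (not part of Lai's paper), the following brute-force check applies the two definitions above to constructed functions: over the prime field GF(3) every additive translator found is also a linear translator, as the abstract states, while over GF(4), which is not a prime field, f(x) = x^2 has additive translators that are not linear translators. The field representation, the `Field` helper and both sample functions are constructed for this example.

```python
from itertools import product

# Multiplication table for GF(4) = {0, 1, w = 2, w^2 = w + 1 = 3}; addition is XOR.
GF4_MUL = [[0, 0, 0, 0], [0, 1, 2, 3], [0, 2, 3, 1], [0, 3, 1, 2]]

# GF(q) for q in {2, 3, 4}: prime q uses arithmetic mod q, GF(4) uses the table above.
class Field:
    def __init__(self, q):
        if q not in (2, 3, 4):
            raise ValueError("demo supports GF(2), GF(3) and GF(4) only")
        self.q = q
    def add(self, x, y): return x ^ y if self.q == 4 else (x + y) % self.q
    def sub(self, x, y): return x ^ y if self.q == 4 else (x - y) % self.q
    def mul(self, x, y): return GF4_MUL[x][y] if self.q == 4 else (x * y) % self.q

def translators(F, f, n):
    """Brute-force (additive, linear) translators of f: GF(q)^n -> GF(q)^m (tuples in, tuples out)."""
    vecs = list(product(range(F.q), repeat=n))
    zero = (0,) * n
    vadd = lambda u, v: tuple(F.add(a, b) for a, b in zip(u, v))
    vsub = lambda u, v: tuple(F.sub(a, b) for a, b in zip(u, v))
    scale = lambda c, v: tuple(F.mul(c, a) for a in v)
    additive, linear = [], []
    for a in vecs:
        if a == zero:
            continue
        # additive translator: f(x + a) - f(x) takes a single value over all x
        if len({vsub(f(vadd(x, a)), f(x)) for x in vecs}) != 1:
            continue
        additive.append(a)
        # linear translator: f(x + c*a) - f(x) == c * (f(a) - f(0)) for all c and x
        d = vsub(f(a), f(zero))
        if all(vsub(f(vadd(x, scale(c, a))), f(x)) == scale(c, d)
               for c in range(F.q) for x in vecs):
            linear.append(a)
    return additive, linear

# Constructed example 1, prime field: f(x1, x2) = x1^2 + x2 over GF(3) is already a linear
# function of r = 1 variable plus a function of the other; a = (0, c) are its translators.
def f_gf3(x):
    return ((x[0] * x[0] + x[1]) % 3,)

# Constructed example 2, non-prime field: f(x) = x^2 over GF(4). Squaring is additive in
# characteristic 2, so every a != 0 is an additive translator, but c^2*a^2 != c*a^2 for c = w.
def f_gf4(x):
    return (GF4_MUL[x[0]][x[0]],)

if __name__ == "__main__":
    print("GF(3):", translators(Field(3), f_gf3, 2))  # ([(0,1),(0,2)], [(0,1),(0,2)])
    print("GF(4):", translators(Field(4), f_gf4, 1))  # ([(1,),(2,),(3,)], [])
```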


Copyright information

© Springer-Verlag Berlin Heidelberg 1995

Authors and Affiliations

  • Xuejia Lai
    1. R3 Security Engineering AG, Aathal, Switzerland
