Counting Boolean functions with faster points

Duan and Lai introduced the notion of “fast point” for a Boolean function f as being a direction a so that the algebraic degree of the derivative of f in direction a is strictly lower than the expected $\deg(f)-1$. Their study was motivated by the fact that the existence of fast points makes many cryptographic differential attacks (such as the cube and AIDA attack) more efficient. The number of functions with fast points was determined by Duan et al. in some special cases and by Sălăgean and Mandache-Sălăgean in the general case. We generalise the notion of fast point, defining a fast point of order $\ell$ as being a fast point a so that the degree of the derivative of f in direction a is lower by at least $\ell$ than the expected degree. We determine an explicit formula for the number of functions of degree d in n variables which have fast points of order $\ell$.
Furthermore, we determine the number of functions of degree d in n variables which have a given number of fast points of order $\ell$, and also the number of functions which have a given profile in terms of the number of fast points of each order. We apply our results to compute the probability of a function to have fast points of order $\ell$. We also compute the number of functions which admit linear structures (i.e. their derivative in a certain direction is constant); such functions have a long history of being used in the analysis of symmetric ciphers.


Introduction
Boolean functions used in cryptography are usually required to resist a range of attacks. They need to have a sufficiently high algebraic degree (i.e. the degree of the function written in its algebraic normal form) in order to resist algebraic attacks. Differential attacks on cryptographic functions typically exploit properties of the discrete derivative. The discrete derivative of a function f in the direction a is defined as $D_a f(x) = f(x + a) - f(x)$. The derivatives should also have a high degree; the highest that can be achieved is one less than the degree of the original function, i.e. $\deg(D_a f) \le \deg(f) - 1$. Higher order derivatives of order k are obtained by differentiating k times in several directions. The higher order derivatives should also have a sufficiently high degree (the maximum possible being $\deg(f) - k$). For example, the cube attack of Dinur and Shamir [5] and the AIDA attack of Vielhaber [14], as well as further variants of these attacks, exploit the situation where a higher order derivative of the function has a very low degree (degree 1 in the original AIDA and cube attacks, degree 1 or 2 in [1] and [8] for example; cube testers introduced in [2] test for several non-randomness properties, one of which being low degree). Computing a higher order derivative of order k is computationally expensive as k increases ($2^k$ complexity), so the attacks work particularly well when the degree drops quicker than expected.
Motivated by these applications, Duan and Lai [6] introduced the notion of "fast point" for a cryptographic function: a is a fast point for a function f if the degree of $D_a f$ drops more than expected, i.e. the degree is strictly lower than $\deg(f) - 1$. The fast points of a function f form a linear space. Duan et al. [7] started computing the number of functions that admit fast points; explicit formulae were obtained for small degrees and very large degrees (close to the number of variables), and exhaustive search results were obtained for small numbers of variables.
Sălăgean and Mandache-Sălăgean [13] obtained a recurrence relation as well as an explicit formula for the number of functions that admit fast points, for any number of variables n and any degree d. This sequence of numbers (triangular sequence indexed by n and d for 1 ≤ d ≤ n) is given as sequence A316554 in OEIS (Online Encyclopedia of Integer Sequences, [12]) and it solves the cases left open by Duan et al. in [7]. Moreover, the counting is refined to functions of degree d in n variables which admit a particular number of fast points, i.e. their space of fast points has a particular dimension.
In this paper we define "faster points", i.e. points where the degree of the derivative drops by at least 2 more than expected. More generally, a fast point of order $\ell$ for a function f will be a point where the degree of $D_a f$ is at most $\deg(f) - 1 - \ell$, i.e. it dropped more than expected. The fast points of order $\ell$ of a function f form a linear space. The dimensions of these spaces are affine invariants, i.e. they are invariant to invertible affine changes of coordinates.
In Sect. 3 we will count the number of functions of degree d in n variables which have a given space U as their space of fast points of order $\ell$. This number does not depend on the space itself, only on its dimension, so this allows us to count, for each fixed k, the number of functions which have exactly $2^k$ fast points of order $\ell$; also the number of functions which have no fast points of order $\ell$. For all these numbers we give both recurrence relations and explicit formulae, see Theorem 2 for fast points of order 2 and Theorem 3 for arbitrary order. The proofs use some techniques similar to the ones in [13], but also some different techniques, particularly a version of the inversion formulae of Carlitz [3], see Lemma 2. As an application of these counting results, in Sect. 4 we determine the number of functions which have linear structures. The notion of linear structure was introduced by Chaum and Evertse in 1985 in [4] and has since been used widely in the analysis of cryptographic primitives. An element a is a linear structure for a function f if $D_a f$ is a constant function. With our definition, a linear structure for f is a fast point of order $\deg(f) - 1$, so we can apply our results directly to compute the number of functions which have linear structures for each degree d and n variables.
A second application is to estimate the probability that a function picked uniformly at random has fast points of order $\ell$; also the probability that a function has fast points of order $\ell$ when we pick it from among the functions which do have fast points of order $\ell - 1$. All these probabilities are extremely small (see Proposition 1).
We further refine our counting results in Sect. 5. For each fixed sequence of spaces $U_1 \supseteq U_2 \supseteq \cdots \supseteq U_\ell$ we count the number of functions which have exactly those $U_i$ as their space of fast points of order i. Also, for $k_1 \ge k_2 \ge \cdots \ge k_\ell$ we count the functions whose space of fast points of order i has dimension $k_i$, for $i = 1, \ldots, \ell$. The new aspect here compared to the results in Sect. 3 is that we also need to count functions which do not have any fast points in a particular subspace. For all these numbers we give explicit formulae, see Theorem 4. Note that although we count the number of functions for each set of given values of these affine invariants, this is different from counting the number of equivalence classes and the size of each class under the equivalence given by affine invertible changes of coordinates. For the latter, Hou [9] and Langevin and Leander [11] obtained results for up to 8 variables by a combination of theoretical results and computer search, and combining several invariants to discriminate each class. What we compute here is the sum of the cardinalities of those classes which share a particular value of the invariant defined as the dimensions of the space of fast points of each order (and there are several classes with the same value of this invariant).

Preliminaries
We denote by $\mathbb{F}_2$ the binary field. A Boolean function f with n-bit input and one-bit output can be viewed as a function $f : \mathbb{F}_2^n \to \mathbb{F}_2$. Any such function can be represented in algebraic form as a polynomial function in n variables, of degree at most one in each variable. (More precisely, because $x^2 = x$ when $x \in \mathbb{F}_2$, each function corresponds to an element in $\mathbb{F}_2[x_1, \ldots, x_n]/\langle x_1^2 + x_1, \ldots, x_n^2 + x_n \rangle$; we identify each coset with its unique representative multivariate polynomial which has degree at most one in each variable.) The total degree of this multivariate polynomial is called the algebraic degree of the function f. In this paper we will call the algebraic degree of f simply the degree of f, denoted $\deg(f)$, with the usual convention that the degree of the zero function is $-\infty$. We will denote by BF(n) the set of Boolean functions in n variables, and by BF(n, d) the set of Boolean functions in n variables of degree exactly d, where 0 ≤ d ≤ n.
Let $f \in BF(n, d)$ and $a = (a_1, \ldots, a_n) \in \mathbb{F}_2^n$, $a \neq 0$, where 0 denotes the all-zero vector. The derivative $D_a f$ of f in direction a is defined as the Boolean function in n variables The degree of $D_a f$ is lower than or equal to d − 1 (see [10]), i.e. differentiation decreases the degree of the function by at least 1. Vectors a for which the degree of $D_a f$ is strictly lower than d − 1 (i.e. the degree drops more than expected) are called "fast points" of f (see [6]). The set of fast points of f (including, by convention, 0 as a trivial fast point) is a linear subspace of $\mathbb{F}_2^n$ of dimension at most n − d (see [6]). Note that if f has degree d, then only its monomials of degree d matter when determining whether the degree of $D_a f$ is equal to d − 1 or strictly lower, and therefore determining whether a is a fast point. In other words, $a \in \mathbb{F}_2^n$ is a fast point of f if and only if a is a fast point of f + g, where g is an arbitrary Boolean function in n variables of degree at most d − 1. Hence for counting Boolean functions having fast points, it is natural to define the following equivalence on BF(n): for $f_1, f_2 \in BF(n)$ ∼ . Next we formally define "faster points".
Note the usual fast points are fast points of order 1. If a 1 , The dimension of this space is at most n − d, since a fast point of order $\ell$ is also a fast point of order $\ell - 1$ and dim(FP (1) We have a filtration of linear subspaces:
When determining whether a function f of degree d has fast points of order $\ell$ only the monomials of degree $d, d - 1, \ldots, d - \ell + 1$ matter, as they are the only ones that can produce polynomials of degree strictly above $d - 1 - \ell$ after differentiation; so we only need to consider the function f up to the equivalence ∼ . The set of functions (up to the suitable equivalence) which have their space of fast points of order $\ell$ equal to a given subspace $U \subseteq \mathbb{F}_2^n$ will be denoted: The set of functions (up to the suitable equivalence) for which the space of fast points of order $\ell$ has a given dimension k will be denoted: In particular, $F^{(\ell)}(n, d; 0)$ is the set of functions (up to the suitable equivalence) which have no fast points of order $\ell$.
For integers 0 ≤ k ≤ n the Gaussian binomial coefficients (or q-binomial coefficients) are defined as Recall that the number of k-dimensional $\mathbb{F}_q$-linear subspaces of $\mathbb{F}_q^n$ (when q is a power of a prime) is $\begin{bmatrix} n \\ k \end{bmatrix}_q$. We will mostly use these Gaussian binomial coefficients for q = 2, and in this case we will omit the index and simply denote $\begin{bmatrix} n \\ k \end{bmatrix} = \begin{bmatrix} n \\ k \end{bmatrix}_2$.
For the cardinality of $F^{(1)}(n, d; k)$ a recurrence relation as well as an explicit formula were computed by Sălăgean and Mandache-Sălăgean [13]. The number of functions of degree d in n variables which have fast points was also computed (see sequence A316554 in OEIS, [12]). We recall the explicit formulae: The number of functions of degree d in n variables which have fast points is: We have
For 1 ≤ i ≤ n let $e_i = (0, \ldots, 0, 1, 0, \ldots, 0) \in \mathbb{F}_2^n$ be the vector which has 1 in its i-th position and zeroes elsewhere. The set $\{e_1, \ldots, e_n\}$ forms the standard basis (canonical basis) of $\mathbb{F}_2^n$ over $\mathbb{F}_2$.
Most properties we are interested in are invariant to linear (or affine) changes of variables (changes of coordinates). Recall that two functions $f_1, f_2 : \mathbb{F}_2^n \to \mathbb{F}_2$ are called affine equivalent if there is an invertible affine map $\varphi : \mathbb{F}_2^n \to \mathbb{F}_2^n$ such that $f_1 = f_2 \circ \varphi$. Any function P (or a relation) defined over the set of Boolean functions is called an affine invariant if $P(f_1) = P(f_2)$ for any two affine equivalent functions $f_1, f_2$. A few useful facts are collected below: (

Counting faster points
We will make extensive use of the following inversion formula, which is a variant of the result of Carlitz [3]: if and only if Proof We recall [3, Theorem 2]. Let $(a_i)$ and $(b_i)$ be sequences of complex numbers, and q a complex number such that The system of equations for all n ≥ 0.
For the particular case $a_i = 1$, $b_i = 0$ for all i (and therefore $\psi(k, n, q) = 1$), this becomes if and only if Putting $S(n) = f(n)$ and $T(n) = (-1)^n q^{\frac{n(n-1)}{2}} g(n)$, Eq. (5) becomes (3) and Eq. (6) becomes After replacing the index of summation k with n − k in the last equation, we obtain precisely Eq. (4).
We will exploit invariance to linear (affine) invertible changes of coordinates: The cardinality of $F^{(\ell)}(n, d; U)$ depends on the dimension of U but not on the space U itself. In particular The functions f in n variables for which the space of fast points of order $\ell$ is generated by vectors in the canonical basis, $e_{n-k+1}, \ldots, e_n$ are, essentially, functions in fewer variables, i.e. they actually do not depend on $x_{n-k+1}, \ldots, x_n$. More precisely, we can do the following reduction: We are now ready to count the functions which have a given space U (or any space of given dimension k) as their space of fast points of order 2.
and the explicit formula We also have, for any 0 ≤ k ≤ n − d and any space U of dimension k: where the union is over U ranging over all subspaces of $\mathbb{F}_2^n$ of dimension at most n − d (recall that spaces of fast points can have dimension at most n − d). The cardinality of the set on the right hand side is $\left(2^{\binom{n}{d}} - 1\right)2^{\binom{n}{d-1}}$, since for any class we can pick the representative which only has monomials of degree d and d − 1; there are $\binom{n}{d}$ monomials of degree d, and each of them can have a coefficient of 0 or 1; however, the situation of all-zero coefficients is excluded as the degree of f must be d. There are $\binom{n}{d-1}$ monomials of degree d − 1, each with coefficient 0 or 1 (this time with the possibility of all coefficients being 0). For computing the cardinality of the set on the left hand side, using the fact that the sets are disjoint we have: Using Corollary 1 and Lemma 4 and the fact that there are $\begin{bmatrix} n \\ k \end{bmatrix}$ subspaces of each dimension k, we have which completes the proof of the recurrence relation (7). For the proof of the first explicit formula we rewrite (7) as using the fact that $|F^{(2)}(k, d; 0)| = 0$ when $k < d$. This recurrence relation is of the type of equation (3) in Lemma 2, viewing d as fixed and putting $S(n) = \left(2^{\binom{n}{d}} - 1\right)2^{\binom{n}{d-1}}$ and $T(n) = |F^{(2)}(n, d; 0)|$. Therefore, equation (4) in Lemma 2 gives the first explicit formula (8) in the theorem statement (with the summation going up to n, but then note that $S(n - i) = 0$ for $n - d < i \le n$).
Alternatively, (8) could also be proven using the technique from the proof of [13, Theorem 6].
For the next explicit formula (9), we use Eq. (8), Corollary 1 and Lemma 4. Finally for the final formula (10) we use the fact that $F^{(2)}(n, d; k) = \bigcup_U F^{(2)}(n, d; U)$ where U ranges over all the $\begin{bmatrix} n \\ k \end{bmatrix}$ spaces of dimension k in $\mathbb{F}_2^n$ and the sets in the union are disjoint. The Theorem above can be generalised to counting the functions which have a given space U (or any space of given dimension k) as their space of fast points of order $\ell$.

and let U be a space of dimension k. Then
and

Furthermore, the number of functions which have fast points of order $\ell$ (any number of non-trivial fast points of order $\ell$) is
Proof As in the proof of Theorem 2, we have as the set of functions of degree d in n variables can be partitioned into the sets $F^{(\ell)}(n, d; U)$ with U ranging over all subspaces of $\mathbb{F}_2^n$ of dimension up to n − d. For the cardinality of the right hand side we have: Using Corollary 1 and Lemma 4 for the cardinality of the left hand side we obtain: Putting these together we obtain the recurrence relation which we solve using Lemma 2 to obtain Using this formula and Lemma 4, we then obtain (11) and (12). For Eq. (13) we have:

Applications
As a first application of these counting results, we can determine the number of functions which have linear structures. An element $a \in \mathbb{F}_2^n \setminus \{0\}$ is a linear structure for a function f if $D_a f$ is a constant function. With our definition, a linear structure for f is a fast point of order $\deg(f) - 1$. Therefore, applying Theorem 3 we have:

Corollary 2 The number of functions of degree d in n variables which have linear structures is:
where the functions are counted up to addition of an affine function.
Example 1
We compute the number of functions of degree 3 in 7 variables which have fast points of order 2, i.e. they have linear structures. Using Corollary 2, this number is: In other words, if we pick a function of degree 3 in 7 variables uniformly at random, the probability that it has a linear structure is approximately 0.00006.
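The derivative, the fast points of order $\ell$ and the classes counted in Sect. 3 can be checked by exhaustive search for small parameters. The following Python sketch is an added example, not code from the paper: it enumerates one representative per class for n = 4, computes each space of fast points of order $\ell$ from the algebraic normal form, and groups the classes by that space. All function names are assumptions of this example, and the parameters of Example 1 (degree 3 in 7 variables) are far out of reach of this brute-force approach.

```python
from collections import Counter

NEG_INF = float("-inf")  # degree of the zero function, as in the Preliminaries


def weight(m):
    return bin(m).count("1")


def degree(anf):
    """Algebraic degree; an ANF is a set of monomials, each a bitmask of variables."""
    return max((weight(m) for m in anf), default=NEG_INF)


def derivative(anf, a):
    """ANF of D_a f(x) = f(x + a) + f(x) over F_2."""
    out = set()
    for m in anf:
        t = m & a  # variables of this monomial that the shift by a touches
        u = t
        while u:  # each non-empty subset u of t contributes the monomial m without u
            out ^= {m ^ u}
            u = (u - 1) & t
    return out


def fast_points(anf, n, ell=1):
    """All a with deg(D_a f) <= deg(f) - 1 - ell; a = 0 always qualifies."""
    bound = degree(anf) - 1 - ell
    return frozenset(a for a in range(1 << n) if degree(derivative(anf, a)) <= bound)


def is_subspace(points):
    return 0 in points and all(a ^ b in points for a in points for b in points)


def representatives(n, d, ell):
    """One function per class: monomials of degree d, ..., d-ell+1, degree-d part non-zero."""
    top = [m for m in range(1 << n) if weight(m) == d]
    low = [m for m in range(1 << n) if d - ell < weight(m) < d]
    for i in range(1, 1 << len(top)):
        head = {m for j, m in enumerate(top) if i >> j & 1}
        for k in range(1 << len(low)):
            yield head | {m for j, m in enumerate(low) if k >> j & 1}


def count_by_space(n, d, ell):
    """Counter mapping each space of fast points of order ell to its number of classes."""
    counts = Counter()
    for f in representatives(n, d, ell):
        counts[fast_points(f, n, ell)] += 1
    return counts


def summarise(n, d, ell):
    """For each dimension k: (number of spaces that occur, distinct per-space counts)."""
    by_dim = {}
    for space, c in count_by_space(n, d, ell).items():
        assert is_subspace(space)  # fast points of order ell form a linear space
        k = len(space).bit_length() - 1  # |space| = 2^k
        by_dim.setdefault(k, []).append(c)
    return {k: (len(v), sorted(set(v))) for k, v in by_dim.items()}


if __name__ == "__main__":
    # Degree 3, 4 variables, order 2 = deg(f) - 1: non-trivial fast points are linear structures.
    print(summarise(4, 3, 2))
    # Degree 2, 4 variables, order 1: the fast points of Duan and Lai.
    print(summarise(4, 2, 1))
```

For (n, d, $\ell$) = (4, 3, 2) every one-dimensional space occurs with the same number of classes, as the dimension-only dependence stated in Sect. 3 predicts, and the class counts add up to $\left(2^{\binom{4}{3}} - 1\right)2^{\binom{4}{2}} = 960$.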
As a second application of our counting results we estimate various probabilities for functions to have faster points (in particular, to have linear structures), similar to the estimates in [13].

Proposition 1 Assume a function f is chosen uniformly at random among the functions of degree d in n variables. Let $1 \le \ell \le d$.
The probability that f has at least one fast point of order $\ell$ is When $d - \ell \ge 2$ and $n - d \ge 3$, this can be approximated as The conditional probability that f has at least one fast point of order $\ell$ knowing that it does have fast points of order $\ell - 1$ (for $\ell > 1$) is When $d - \ell \ge 2$ and $n - d \ge 3$, this can be approximated as Proof For the first equation, we use Theorem 3 and the fact that For the second equation, note that in the denominator we have equivalence classes [ f ] (d−$\ell$) for fast points of order $\ell - 1$, so we need to multiply by $2^{\binom{n}{d-\ell+1}}$ the result obtained by replacing $\ell$ by $\ell - 1$ in (13).
For the approximations, we note that in the sum (13), the terms have alternating signs and decrease rapidly in absolute value, so the sum can be approximated by its first term. Namely, the ratio of the absolute values of term i + 1 to the term i is: which is negligible provided $d - \ell \ge 2$ and $n - d \ge 3$.

Example 2
For the computation in Example 1 above, if we use instead Proposition 1 (14) to estimate the probability of a function of degree 3 in 7 variables to have a linear structure we obtain: 1 which has an error of less than 1% compared to the precise value computed in Example 1.

Counting the number of functions with a given profile of fast points of different orders
Next we will refine the counting so that we can count functions where the spaces of fast points of each order are specified. For $\mathbb{F}_2$-linear subspaces of the form F n More generally, keeping in mind that the dimensions of the spaces of fast points of each order for a function f are affine invariants (see Lemma 3), we define for integers $n - d \ge k_1 \ge k_2 \ge \cdots \ge k_\ell \ge 0$: We will determine the cardinalities of the sets above. Similarly to Corollary 1 we have where $k_i = \dim(U_i)$ and $W_{k_i} = \langle e_{n-k_i+1}, \ldots, e_n \rangle$, with $e_i$ being the canonical basis vectors and $W_0 = \{0\}$ by convention. Let us examine an element $f \in F^{(\ell)}(n, d; W_{k_1}, W_{k_2}, \ldots, W_{k_\ell})$. We can assume that the representative f only contains monomials of degree $d, d - 1, \ldots, d - \ell + 1$.
, with each $f_i$ containing only monomials of degree i (i.e. $f_i$ is the homogeneous part of degree i of f). Using Lemma 1(iv) we see that $f_d$ does not contain any of the variables $x_{n-k_1+1}, \ldots, x_n$; $f_{d-1}$ does not contain any of the variables $x_{n-k_2+1}, \ldots, x_n$ etc. Moreover $f_d$ does not have any fast points (of any order) when viewed as a function in $n - k_1$ variables. For $f_{d-1}$ the situation is less straightforward; when viewed as a function in $n - k_2$ variables, it can have fast points, but any such points have to be outside $\langle e_{n-k_1+1}, \ldots, e_{n-k_2} \rangle$.
We will therefore need to count functions which do not have fast points within a certain specified space. We define $X_k(n, d)$ with 0 ≤ k ≤ d ≤ n as the set of functions f of degree d in n variables such that none of the non-zero elements of the space $W_k$ is a fast point for f (note that f may have non-trivial fast points, but only if they are outside $W_k$). We also include f = 0 in the set $X_k(n, d)$. More precisely: The cardinality of the set $X_k(n, d)$ would remain the same if in the definition of $X_k(n, d)$ we replace the space $W_k$ by any space U of dimension k: −1) : f ∈ BF(n, d) and FP (1) One can generalise this further by fixing two spaces $U_1 \subseteq U_0$ and considering the functions f with the property that the points in $U_1$ are fast points of f but no other points of $U_0$ are fast points of f. Note that we do not care how many fast points f has outside $U_0$. The cardinality of this set can be expressed using the sets $X_k(n, d)$ as follows: Lemma 5 Let $U_1 \subseteq U_0$ be two subspaces of $\mathbb{F}_2^n$ of dimension $k_1$ and $k_0$ respectively.
Proof Let us first consider the particular case $U_0 = W_{k_0}$ and $U_1 = W_{k_1}$. Let f be a function such that FP (1) we can assume f only contains monomials of degree d. Since the elements of $U_1$ are fast points for f, by Lemma 1(iv) this means f does not contain any of the variables $x_{n-k_1+1}, \ldots, x_n$; it is a polynomial in the remaining $n - k_1$ variables $x_1, \ldots, x_{n-k_1}$. We now determine FP (1) k 1 , d).
We can view f as a function in n variables, i.e. we can define a function g as $g(x_1, \ldots, x_n) = f(x_1, \ldots, x_{n-k_1})$. Since g does not depend on $x_{n-k_1+1}, \ldots, x_n$, we have that $U_1 \subseteq \mathrm{FP}^{(1)}(g)$. On the other hand, FP (1) For the general case, consider a basis $a_{n-k_0+1}, \ldots, a_n$ for $U_0$ such that $a_{n-k_1+1}, \ldots, a_n$ is a basis for $U_1$. Consider an affine transformation $\varphi : \mathbb{F}_2^n \to \mathbb{F}_2^n$ such that $\varphi(e_i) = a_i$ for $i = n - k_0 + 1, \ldots, n$. Let f be such that FP (1) We then use the first part of the proof.

Proposition 2
The following formula holds: Therefore for each fixed d we can obtain $|X_k(n, d)|$ by the following recursive formulae (recursion on both k and n):
For arbitrary k we have: where V ranges over all subspaces of $W_k$; for each dimension i there are $\begin{bmatrix} k \\ i \end{bmatrix}$ such spaces. Note that the sets in the union are pairwise disjoint and by Lemma 5 they have

Proposition 3
The following explicit formulae for $|X_k(n, d)|$ hold: and Proof For the first formula, the recurrence relation from Proposition 2 becomes, after replacing the index of summation by It then satisfies the conditions from Eq. (3) in Lemma 2, considering d and n − k fixed and putting $T(j) = |X_j(n - k + j, d)|$ and $S(j) = 2^{\binom{n-k+j}{d}}$. Equation (4) in Lemma 2 then gives the first explicit formula.
Alternatively, we could have used the same technique as in the proof of [13, Theorem 6].
For the second formula in the theorem statement we use a different approach, counting the cardinality of $X_k(n, d)$ directly. First let us count the number of subspaces V of $\mathbb{F}_2^n$ of dimension i such that $V \cap W_k = \{0\}$. This latter condition implies 0 ≤ i ≤ n − k. To pick a basis $v_1, \ldots, v_i$ for such a space V we have $2^n - 2^k$ possibilities to pick $v_1 \in \mathbb{F}_2^n \setminus W_k$, then $2^n - 2^{k+1}$ possibilities to pick $v_2 \in \mathbb{F}_2^n \setminus \langle W_k, v_1 \rangle$ etc. However, this way each space V ends up being counted $(2^i - 1)(2^i - 2) \cdots (2^i - 2^{i-1})$ times (the number of bases of V, taking into account the ordering of the basis elements). So altogether the number of spaces is We can now move to determining the number of functions with prescribed spaces (or prescribed dimensions of spaces) of fast points of each order.
For the direct implication, let By Lemma 1(iv), we have that $f_{d-i+1}$ does not contain the variables $x_{n-k_i+1}, \ldots, x_n$. If $f_d$ had any fast points of order 1 outside $W_{k_1}$, then those would also be fast points of order 1 for f, so indeed we must have $\mathrm{FP}^{(1)}(f_d) = W_{k_1}$. Now let us examine $f_{d-i+1}$ for i > 1. If $f_{d-i+1} = 0$ we are done. Otherwise, since $f_{d-i+1}$ does not contain the variables $x_{n-k_i+1}, \ldots, x_n$, we have that W k i ⊆ FP (1) We have since $a \in W_{k_{i-1}}$ and the first i functions do not contain the variables $x_{n-k_{i-1}+1}, \ldots, x_n$.
For the reverse implication, assume f is such that $\mathrm{FP}^{(1)}(f_d) = W_{k_1}$ and $f_{d-i+1}$ are such that either $f_{d-i+1} = 0$ or FP (1) . . , , we know that $f_{d-i+1}$ does not contain the variables $x_{n-k_i+1}, \ldots, x_n$, so we have $W_{k_i} \subseteq \mathrm{FP}^{(i)}(f)$. Now let $a \in \mathrm{FP}^{(i)}(f)$. By induction on i we show that $a \in W_{k_i}$. For i = 1 we have that a is a fast point of order 1 for f, which means it is also a fast point of order 1 for $f_d$, so $a \in \mathrm{FP}^{(1)}(f_d) = W_{k_1}$. For the inductive step, note that if a is a fast point of order i for f, then it is also a fast point of order i − 1, so by the induction hypothesis $a \in W_{k_{i-1}}$. Therefore, as in (19), a is a fast point of order i for f iff $f_{d-i+1} = 0$ or a is a fast point of order 1 for $f_{d-i+1}$, hence a ∈ W k i−1 ∩ FP (1) We therefore have now an alternative to Theorem 2 for computing F (2) where U ranges over all subspaces of $\mathbb{F}_2^n$; the sets in the union are disjoint.

Conclusion
Motivated by the properties of cryptographic functions exploited by differential attacks, Duan and Lai [6] introduced the notion of Boolean functions that admit "fast points". We generalised this notion, defining functions f which have "fast points of order $\ell$", i.e. the degree of at least one of the discrete derivatives of f is lower by $\ell$ than the expected value (i.e. it is $d - 1 - \ell$ or less, instead of the expected d − 1, where d is the algebraic degree of f). We obtained explicit formulae for the number of such functions of degree d in n variables.
As an important particular case, this allowed us to compute the number of functions which admit a linear structure. Moreover, we computed the number of functions which have a given profile in terms of the number of fast points of each order.