Abstract
Duan and Lai introduced the notion of “fast point” for a Boolean function f as being a direction a so that the algebraic degree of the derivative of f in direction a is strictly lower than the expected deg (f)-1. Their study was motivated by the fact that the existence of fast points makes many cryptographic differential attacks (such as the cube and AIDA attack) more efficient. The number of functions with fast points was determined by Duan et al. in some special cases and by Sălăgean and Mandache-Sălăgean in the general case. We generalise the notion of fast point, defining a fast point of order ell as being a fast point a so that the degree of the derivative of f in direction a is lower by at least ell than the expected degree. We determine an explicit formula for the number of functions of degree d in n variables which have fast points of order ell . Furthermore, we determine the number of functions of degree d in n variables which have a given number of fast points of order ell , and also the number of functions which have a given profile in terms of the number of fast points of each order. We apply our results to compute the probability of a function to have fast points of order ell . We also compute the number of functions which admit linear structures (i.e. their derivative in a certain direction is constant); such functions have a long history of being used in the analysis of symmetric ciphers.
Highlights
Boolean functions used in cryptography are usually required to resist a range of attacks
The cube attack of Dinur and Shamir [5] and the AIDA attack of Vielhaber [14], as well as further variants of these attacks, exploit the situation where a higher order derivative of the function has a very low degree
Duan and Lai [6] introduced the notion of “fast point” for a cryptographic function: a is a fast point for a function f if the degree of Da f drops more than expected, i.e. the degree is strictly lower than deg( f ) − 1
Summary
Boolean functions used in cryptography are usually required to resist a range of attacks. Computing a higher order derivative of order k is computationally expensive as k increases (2k complexity) so the attacks work well when the degree drops quicker than expected Motivated by these applications, Duan and Lai [6] introduced the notion of “fast point” for a cryptographic function: a is a fast point for a function f if the degree of Da f drops more than expected, i.e. the degree is strictly lower than deg( f ) − 1. Salagean and Mandache-Salagean [13] obtained a recurrence relation as well as an explicit formula for the number of functions that admit fast points, for any number of variables n and any degree d. What we compute here is the sum of the cardinalities of those classes which share a particular value of the invariant defined as the dimensions of the space of fast points of each order (and there are several classes with the same value of this invariant)
Sign-in/Register to view highlights & summary Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a callDisclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.
