1:
2:
3:
4: \documentclass[11pt]{article}
5: \usepackage[letterpaper,hmargin=1in,vmargin=1.25in]{geometry}
6:
7: \author{Hao Chen\\
8: Department of Computing and \\
9: Information Technology\\
10: Fudan University\\
Shanghai 200433, P.R.China\\
12: and\\
13: Jianhua Li\\
14: Department of Electronic Engineering\\
15: Shanghai JiaoTong University\\
16: Shanghai 200030, P.R.China }
17: \title{\bf Lower Bounds on \\
18: the Algebraic Immunity of Boolean Functions}
19: \date{May, 2006}
20:
21:
22:
23: \begin{document}
24:
25: \maketitle
26: \begin{abstract}
Motivated by algebraic attacks on stream and block ciphers
([1,2,7,13,14,15]), the concept of {\em algebraic immunity}
(AI) of a Boolean function was introduced in [21] and studied in
[3,5,10,11,17,18,19,20,21]. High algebraic immunity is a necessary
condition for resisting algebraic attacks. In this paper, we give
some lower bounds on the algebraic immunity of Boolean functions.
The results are applied to give lower bounds on the AI of symmetric
Boolean functions and rotation symmetric Boolean functions. Some
balanced rotation symmetric Boolean functions with AI near the
maximum possible value $\lceil \frac{n}{2}\rceil$ are constructed. \\
38:
39: {\bf Index Terms}--- Algebraic attack, Boolean function, algebraic
40: immunity, symmetric Boolean function, rotation symmetric Boolean
41: function
42:
43: \end{abstract}
44:
45:
46:
47:
48:
49: {\bf I. Introduction and Preliminaries}\\
50:
A Boolean function of $n$ variables is a mapping $f: F_2^n
\rightarrow F_2$, where $F_2$ is the field of two elements. The
weight of a Boolean function is $wt(f)=|S_1(f)|$, where
$S_1(f)=\{(x_1,...,x_n): f(x_1,...,x_n)=1\}$ and $|*|$ is the
cardinality of the set. Any Boolean function has its algebraic normal form (ANF)
$$
f(x_1,...,x_n)=a_0+\Sigma_{i_1<...<i_t} a_{i_1,...,i_t}
x_{i_1} \cdots x_{i_t},
$$
where $a_0,..., a_{i_1,...,i_t} \in F_2$. The (algebraic) degree
of $f$ is the number of variables in the highest order term in the
above ANF. A Boolean function of degree 1 is called an affine form.
Given a Boolean function $f$ of $n$ variables, an $n$-variable
Boolean function $g$ is called an annihilator function of $f$ if $gf=0$,
or equivalently, $g$ is zero at all points of $S_1(f)$. A Boolean
function is called balanced if the number of points in $S_1(f)$ is
$wt(f)=2^{n-1}$. The distance between two Boolean functions $f$ and $g$
is $d(f,g)=|S_1(f-g)|$. The nonlinearity of a Boolean function $f$
is defined as $NL(f)=\min_l \{d(f,l)\}$, where $l$ ranges
over all possible affine forms (see [9]).\\
73:
Boolean functions are widely used in block and stream ciphers, e.g.,
in S-boxes, combination generators and filter generators. It is
known that Boolean functions used in the practice of cryptography
have to satisfy some criteria, e.g., their degrees,
nonlinearities, etc.\ have to be high (see [9]). Algebraic attacks on
block and stream ciphers were proposed recently (see
[1],[2],[7],[13],[14],[15]). Because of some successful algebraic
attacks on several keystream generators, it is now of interest to
understand the algebraic immunity $AI(f)$ of a Boolean function $f$,
which was introduced in [21]. General properties of the algebraic
immunity of Boolean functions have been studied in
[3],[10],[11],[17],[19],[20],[21]. High algebraic immunity is a
necessary (but not sufficient) condition for resisting algebraic
attacks. It was proved that the AI of an $n$-variable Boolean
function is less than or equal to $\lceil \frac{n}{2}\rceil$ (see
[21]). Recently several algorithms for computing the AI of
Boolean functions were given in [4]. If the $AI(f)$ of a Boolean
function $f$ is relatively small, these algorithms can be used to
determine $AI(f)$ efficiently. However, it is also known that
there are Boolean functions of $n$ variables with $AI$ equal
to the maximal possible value $\lceil \frac{n}{2}\rceil$ (see
[5],[10],[12],[18]). Thus it is interesting to know more Boolean
functions with AI equal to or near the
upper bound $\lceil \frac{n}{2}\rceil$.\\
98:
99:
100:
A Boolean function is called symmetric if its value is determined by
the weight of its input vector. Symmetric Boolean functions have
been studied by many authors (see [8] and references therein),
motivated by block and stream ciphers. Symmetric Boolean functions
are efficient in software and hardware implementations. Thus
it is of interest to know the properties of the AI of symmetric Boolean
functions. In [5], the algebraic immunity of symmetric Boolean
functions was thoroughly studied. The AI of elementary symmetric
Boolean functions was explicitly determined and some symmetric
functions of maximum possible AI were constructed. Rotation
symmetric Boolean functions (RSBF) were introduced and studied in
[22] for the purpose of fast hashing. A Boolean function $f$ on
$F_2^n$ is called rotation symmetric if
$f(x_1,x_2,...,x_n)=f(x_n,x_1,...,x_{n-1})$ for any
$(x_1,x_2,...,x_n)\in F_2^n$. The experimental study of the
algebraic immunity of RSBFs was initiated in [17]. Motivated by
the possible use of symmetric and rotation symmetric
Boolean functions in cryptography, we are interested in lower
bounds on the algebraic immunity of these functions and in
the construction of such functions with relatively high algebraic immunity.\\
121:
122:
We recall some basic facts about the algebraic immunity of an
$n$-variable Boolean function (see [21],[10],[19],[3]).\\

{\bf Definition. } {\em Let $f$ be a Boolean function on $F_2^n$.
Its algebraic immunity $AI(f)$ is defined to be the smallest number
$k$ such that there exists a Boolean function $g$ of degree $k$ which is
an annihilator function of $f$ or $1+f$.}\\
130:
131:
132:
133:
{\bf Theorem 1 (see [10],[21],[17]).} {\em Let $f$ be an $n$-variable
Boolean function. Then 1) $AI(f) \leq \lceil\frac{n}{2} \rceil$; 2)
$NL(f) \geq 2\Sigma_{i=0}^{AI(f)-2}C_{n-1}^i$, where $C_u^j$ is the
binomial coefficient; 3) if $AI(f) >d$ then $\Sigma_{i=0}^d
C_n^i \leq wt(f) \leq \Sigma _{i=0}^{n-(d+1)} C_n^i$.}\\


{\bf Theorem 2 (see [3]).} {\em Let $f$ be a Boolean function of $n$
variables. Suppose $wt(f) \geq 2^n-2^{n-d}$. Then any annihilator
of $f$ has algebraic degree at least $d$.}\\
144:
We note that Theorem 2 cannot be applied directly to {\em balanced}
Boolean functions when lower bounding the AI of Boolean functions.
To the best of our knowledge, there are quite few {\em explicitly given}
Boolean functions with the maximal possible AI, and not much is
known about how to lower bound the algebraic immunity of Boolean
functions (see [10],[12],[17],[18]). In this paper we apply Theorem
2 to the restrictions of Boolean functions to some affine subspaces
of $F_2^n$. Thus we present a method to obtain some lower bounds on
the algebraic immunity of Boolean functions. In this case, it is
possible that the restrictions of the annihilator functions to the
affine subspaces are zero. However, if sufficiently many affine
subspaces are taken, this consideration leads to
some useful results on the lower bound for the AI of Boolean functions.\\
158:
159:
160:
161: {\bf II. Main Result}\\
162:
163:
164: The following Theorem 3 is the main result of this paper.\\
165:
166:
{\bf Theorem 3.} {\em Let $f$ be a Boolean function on $F_2^n$ and let
$L_1$ (respectively $L_2$) be an affine subspace of dimension $t$
(respectively $s$) such that $|S_1(f|_{L_1})|>2^{t}-2^{t-d}$
(respectively $|S_1((1+f)|_{L_2})|>2^s-2^{s-d}$). Then \\
1) either the annihilator functions of $f$ with minimum possible
degree (respectively the annihilator functions of $1+f$ with minimum
possible degree) have degree at least $d$, or \\
2) the annihilator functions of $f$ with minimum possible degree
(respectively the annihilator functions of $1+f$ with minimum
possible degree) are zero on $L_1$
(respectively on $L_2$).}\\
178:
When Theorem 3 is applied to balanced Boolean functions and
codimension $1$ affine subspaces we have the following simple
conclusion. The proof of Corollary 1 is a direct application of Theorem 3.\\

{\bf Corollary 1.} {\em Let $f$ be a balanced Boolean function on
$F_2^n$ and let $l$ be an affine form on $F_2^n$. Suppose $d(f,l) \geq
2^n-2^{n-d}$. Then we have \\
1) either the algebraic immunity $AI(f)$ is at least $d$, or\\
2) the annihilator functions of $f$ with the minimum possible degree
or the annihilator functions of $1+f$ with the minimum possible degree contain $l$ as a factor.}\\

In Section III we use Theorem 3 to give lower bounds on the
algebraic immunity of some symmetric and rotation symmetric
Boolean functions by using sufficiently many affine subspaces.\\
193:
194: We also have the following result about the Hamming weight of the
195: restrictions of Boolean functions on affine subspaces.\\
196:
197:
{\bf Corollary 2.} {\em Let $f$ be a Boolean function on $F_2^n$
with $AI(f)=d+1$ and let $L$ be an affine subspace of $F_2^n$ with
codimension $r$. Then the Hamming weight of $f$ restricted to $L$
satisfies $\Sigma_{i=0}^{d-r} C_{n-r}^{i} \leq wt(f|_{L}) \leq
\Sigma_{i=0}^{n-(d+1)} C_{n-r}^i$.}\\

When Corollary 2 is applied to symmetric Boolean functions we have the
following result.\\

{\bf Corollary 3.} {\em Let $f$ be an $n$-variable symmetric Boolean
function. Then $f$ cannot have the maximal possible algebraic
immunity $\lceil \frac{n}{2}\rceil$ in the following two cases.}\\
{\em 1) When $n$ is odd and $wt(x) \geq \lfloor \frac{n}{2} \rfloor
$, $f(x)$ is $1$ only when $wt(x)$ is odd (or only when $wt(x)$ is
even), $f(x)$ can be arbitrary for $wt(x) < \lfloor \frac{n}{2}\rfloor$.}\\
{\em 2) When $n$ is even and $wt(x) \geq \frac{n}{2}-1$, $f(x)$ is
$1$ only when $wt(x)$ is odd (or only when $wt(x)$ is even), $f(x)$
can be arbitrary for $wt(x) < \frac{n}{2}-1$.}\\
222:
223: By computing $d(f,l)$, where $l$ is the affine form $x_1+...+x_n$ or
224: $x_1+...+x_n+1$, and applying Corollary 2, we have the conclusion of
225: Corollary 3 immediately.\\
226:
227:
228:
229:
230:
231:
232:
233:
234:
{\bf Proof of Theorem 3.} Let $g$ be an annihilator function of $f$,
that is, $gf=0$. We have $(g|_{L_1})(f|_{L_1})=0$. From Theorem 2,
$g|_{L_1}$ has algebraic
degree at least $d$ if it is not the zero function. The conclusion is proved.\\



{\bf Proof of Corollary 2.} Let $l_1,...,l_r$ be $r$ linearly
independent affine forms such that $L$ is defined by
$l_1=...=l_r=0$. Consider the Boolean function $f|_L$ as a
Boolean function of $n-r$ variables. If its algebraic immunity is
smaller than $d-r$, we have a Boolean function $g'$ of $n-r$ variables
with algebraic degree at most $d-r$ such that $g'(f|_L)=0$ or
$g'((1+f)|_L)=0$. Thus the Boolean function $g=(l_1+1) \cdots
(l_r+1) g'$ can be thought of as a Boolean function of $n$ variables of
algebraic degree at most $d$. We have $gf=0$ or $g(1+f)=0$. This is
a contradiction. Therefore the algebraic immunity of $f|_L$ is at
least $d-r+1$, and we have the conclusion of 1) from Theorem 1.\\
254:
255:
256:
257:
258:
259:
260: {\bf III. Lower Bound for AI of Symmetric and Rotation Symmetric
261: Boolean Functions}\\
262:
263:
264:
265: In this section we use the main result to prove some lower bounds on
266: the algebraic immunity of
267: symmetric and rotation symmetric Boolean functions.\\
268:
269: {\bf A. Symmetric Boolean Functions}\\
270:
271:
{\bf Corollary 4.} {\em Let $f$ be an $n$-variable symmetric Boolean
function with simplified value vector
$v(f)=(v_0(f),...,v_i(f),...,v_n(f))$, i.e., $f(x)=v_i(f)$ when
$wt(x)=i$. Set
$$
U=\min \{\Sigma_{v_i(f)=1,i\leq \lceil n/2 \rceil} C_{\lceil
n/2 \rceil}^i, \Sigma_{v_i(f)=0,i\geq \lfloor n/2 \rfloor} C_{\lceil
n/2 \rceil}^{i-\lfloor n/2 \rfloor} \}.
$$
Suppose $ U > 2^{\lceil n/2
\rceil }-2^{\lceil n/2 \rceil -d}$. Then $AI(f) \geq d+1$.}\\

{\bf Proof.} Let $i_1,...,i_{\lfloor \frac{n}{2} \rfloor}$ be arbitrary
$\lfloor \frac{n}{2}\rfloor$ indices, and let $L_b$ be the dimension $\lceil \frac{n}{2}\rceil$ subspace
of $F_2^n$ defined by $x_{i_1}=...=x_{i_{\lfloor \frac{n}{2}\rfloor}}=b$, where $b=0$ or $b=1$. If the
condition of Corollary 4 is satisfied, $|S_1(f|_{L_0})|> 2^{\lceil n/2
\rceil }-2^{\lceil n/2 \rceil -d}$ and $|S_1((1+f)|_{L_1})|>2^{\lceil
n/2\rceil }-2^{\lceil n/2 \rceil -d}$. From Theorem 3, either
$AI(f)>d$ or the annihilator functions of $f$ or $1+f$ with minimum
possible degree are zero on $L_0$ and $L_1$. This implies that the
monomials in the algebraic normal forms $f$ (and $1+f$) have to
contain at least $\lceil \frac{n}{2}\rceil$ variables.
In the latter case $AI(f)= \lceil \frac{n}{2}\rceil$. The conclusion is proved.\\
297:
298:
299:
300:
{\bf Example 1.} Let $f$ be a $15$-variable symmetric Boolean
function
$f=\sigma_2+\sigma_4+\sigma_6+\sigma_{10}+\sigma_{12}+\sigma_{14}$.
Then we have
its simplified value vector $v_f=(0,0,1,1,1,1,1,1,0,0,0,0,0,0,1,1)$. Then $U=246>240$ and $AI(f)\geq 5$.\\
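
The bound of Corollary 4 can be checked mechanically. The following Python sketch is an added example, not part of the original paper: it computes $U$ and the resulting bound from a simplified value vector and, for small $n$, compares it with the exact AI found by testing for a nonzero annihilator of degree at most $k$ with Gaussian elimination over $F_2$. All function names and the small majority test case are chosen here for illustration.

```python
from itertools import combinations
from math import comb


def corollary4_bound(v):
    """Corollary 4: return (U, b) such that AI(f) >= b, for value vector v = (v_0..v_n)."""
    n = len(v) - 1
    hi, lo = (n + 1) // 2, n // 2            # ceil(n/2), floor(n/2)
    # |S_1(f|L_0)|: floor(n/2) coordinates fixed to 0, weight i carried by the other hi
    ones = sum(comb(hi, i) for i in range(hi + 1) if v[i] == 1)
    # |S_1((1+f)|L_1)|: floor(n/2) coordinates fixed to 1, so total weight i >= lo
    zeros = sum(comb(hi, i - lo) for i in range(lo, n + 1) if v[i] == 0)
    U = min(ones, zeros)
    # largest d with U > 2^hi - 2^(hi-d); -1 if even d = 0 fails (U = 0)
    d = max((d for d in range(hi + 1) if U > 2**hi - 2**(hi - d)), default=-1)
    return U, d + 1


def symmetric_truth_table(v):
    """Truth table of the symmetric function with value vector v, indexed by x as a bitmask."""
    n = len(v) - 1
    return [v[bin(x).count("1")] for x in range(2**n)], n


def gf2_rank(rows):
    """Rank over F_2 of vectors packed into Python ints."""
    basis = []
    for r in rows:
        for b in basis:
            r = min(r, r ^ b)                # clears the leading bit of b if it is set in r
        if r:
            basis.append(r)
    return len(basis)


def algebraic_immunity(truth, n):
    """Exact AI: least k with a nonzero annihilator of degree <= k of f or of 1+f."""
    supports = [[x for x in range(2**n) if truth[x] == bit] for bit in (1, 0)]
    monos = []                               # monomials of degree <= k, as variable bitmasks
    for k in range(n + 1):
        monos += [sum(1 << j for j in c) for c in combinations(range(n), k)]
        for pts in supports:
            # one row per support point; bit t is the value of monomial t at that point
            rows = [sum(1 << t for t, m in enumerate(monos) if (x & m) == m) for x in pts]
            if gf2_rank(rows) < len(monos):  # nontrivial kernel: an annihilator exists
                return k
    return n


if __name__ == "__main__":
    example1 = (0, 0, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 1, 1)   # v_f from Example 1
    print(corollary4_bound(example1))
    majority5 = (1, 1, 1, 0, 0, 0)           # constructed small case: f = 1 iff wt(x) < 3
    table, n = symmetric_truth_table(majority5)
    print(corollary4_bound(majority5), algebraic_immunity(table, n))
```

The exact computation is exponential in $n$ and is only meant for small cases; the bound itself needs nothing but the value vector.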
306:
{\bf Example 2.} Let $f$ be an $n$-variable symmetric Boolean
function, $I=\{1,...,\lfloor \frac{n}{2} \rfloor, n-i\}-\{i\}$ where
$i \leq \lfloor \frac{n}{2} \rfloor$, and $J=\{\lceil \frac{n}{2}
\rceil,...,n,i\}-\{n-i\}$. The symmetric Boolean function is defined
as follows.\\

$$
\begin{array}{l}
f(x)=1, \quad wt(x) \in I\\
f(x)=0, \quad wt(x) \in J
\end{array}
$$

Let $t$ be the smallest positive integer such that $C_{\lceil
\frac{n}{2} \rceil}^i+1 < 2^t$. It is clear that $t<i\log_2 n-i$. We have
$U >2^{\lceil \frac{n}{2} \rceil}-2^t$ and $AI(f) \geq \lceil
\frac{n}{2} \rceil -t+1$. It is obvious that $t$ is asymptotically
less than $i\log_2 n$. These Boolean functions have their algebraic
immunities asymptotically
larger than $n/2- i\log_2 n+i-1$.\\

It is observed from Corollary 4 and Example 2 that, for a symmetric
Boolean function $f$ with the property that most vectors in $S_1(f)$
have weight less than $\lceil \frac{n}{2}\rceil$ and most
vectors in $S_0(f)$ have weight larger than $\lceil
\frac{n}{2}\rceil$, the AI is relatively high. This suggests that
these symmetric Boolean functions can
possibly be used in stream ciphers, if they satisfy other cryptographic
criteria.\\
339:
340: {\bf B. Rotation Symmetric Boolean Functions}\\
341:
342:
In this subsection we use Theorem 3 to give a lower bound
for the algebraic immunity of RSBFs.\\



{\bf Example 3.} Let $f$ be a rotation symmetric Boolean function
of $6$ variables\\
350: $$
351: \begin{array}{cccccccccc}
352: f=x_1x_2x_3+x_2x_3x_4+x_3x_4x_5+x_4x_5x_6+x_5x_6x_1+x_6x_1x_2\\
353: +x_1x_4+x_2x_5+x_3x_6+x_1x_3x_5+x_2x_4x_6+\\
354: x_1x_2x_3x_4+x_2x_3x_4x_5+x_3x_4x_6x_1+\\
355: x_1x_2x_3x_4x_5+x_2x_3x_4x_5x_6+x_3x_4x_5x_6x_1+x_4x_5x_6x_1x_2+x_5x_6x_1x_2x_3+x_6x_1x_2x_3x_4
356: \end{array}
357: $$
358:
This is a balanced Boolean function with nonlinearity $24$ and $\Delta(f)=40$, which
satisfies the $PC(2)$ criterion (see [24]).\\

We consider two affine subspaces $L_1$ (respectively $L_2$) in
$F_2^6$ defined by $x_1=x_2=x_3=0$ (respectively $x_1=1,x_2=x_3=0$).
It is easy to check that $S_1((1+f)|_{L_1})$ has $7$ points (in
$L_1$) and $S_1(f|_{L_2})$ has $5$ points (in $L_2$). Thus the
annihilator functions of $1+f$ (respectively, $f$) have degree at
least $2$ or are zero on $L_1$ (respectively $L_2$). In the latter
case, the annihilator functions of $1+f$ (respectively, $f$) are
zero on any rotation transformation of $L_1$ (respectively, $L_2$).
From this observation, we have $AI(f) \geq 2$.\\
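
The two point counts in Example 3 can be reproduced directly. The Python sketch below is an added example, not code from the paper: it evaluates the ANF exactly as printed above, restricts $1+f$ to $L_1$ and $f$ to $L_2$, and finds by exhaustive search over the functions on each three-dimensional subspace the least degree of a nonzero function vanishing on the restricted support. Helper names are illustrative.

```python
from itertools import product

# ANF of Example 3 exactly as printed: one tuple of variable indices per monomial.
TERMS = [
    (1, 2, 3), (2, 3, 4), (3, 4, 5), (4, 5, 6), (5, 6, 1), (6, 1, 2),
    (1, 4), (2, 5), (3, 6), (1, 3, 5), (2, 4, 6),
    (1, 2, 3, 4), (2, 3, 4, 5), (3, 4, 6, 1),
    (1, 2, 3, 4, 5), (2, 3, 4, 5, 6), (3, 4, 5, 6, 1),
    (4, 5, 6, 1, 2), (5, 6, 1, 2, 3), (6, 1, 2, 3, 4),
]


def f(x):
    """Evaluate the ANF at x, a dict {variable index: bit}."""
    return sum(all(x[i] for i in term) for term in TERMS) % 2


def restrict(func, fixed, n=6):
    """Truth table of func on the affine subspace where the variables in `fixed` are pinned."""
    free = [i for i in range(1, n + 1) if i not in fixed]
    return [func({**fixed, **dict(zip(free, bits))})
            for bits in product((0, 1), repeat=len(free))]


def anf_degree(table):
    """Algebraic degree via the binary Moebius transform (len(table) is a power of two)."""
    a = list(table)
    step = 1
    while step < len(a):
        for i in range(len(a)):
            if i & step:
                a[i] ^= a[i ^ step]
        step <<= 1
    return max((bin(i).count("1") for i, c in enumerate(a) if c), default=-1)


def min_annihilator_degree(table):
    """Least degree of a nonzero g on the subspace with g * table = 0 (exhaustive, small dimension only)."""
    size = len(table)
    best = None
    for g in range(1, 2**size):
        g_table = [(g >> i) & 1 for i in range(size)]
        if any(a and b for a, b in zip(g_table, table)):
            continue                         # g is nonzero somewhere on the support
        d = anf_degree(g_table)
        best = d if best is None else min(best, d)
    return best


def example3_check():
    """(support size, least annihilator degree) for (1+f)|L_1 and f|L_2."""
    on_l1 = restrict(lambda x: 1 ^ f(x), {1: 0, 2: 0, 3: 0})
    on_l2 = restrict(f, {1: 1, 2: 0, 3: 0})
    return {"L1": (sum(on_l1), min_annihilator_degree(on_l1)),
            "L2": (sum(on_l2), min_annihilator_degree(on_l2))}


if __name__ == "__main__":
    print(example3_check())
```

Both least degrees are at least $2$, in agreement with the statement that an annihilator which is not zero on the subspace has degree at least $2$.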
372:
373:
374:
375:
376: {\bf Example 4.} It is clear that each orbit in $F_2^n$ under the
377: circular action $\rho (x_1,x_2,...,x_n)=(x_n,x_1,...,x_{n-1})$
378: contains $h$ elements, where $h$ is a factor of $n$. On the other
379: hand the orbit of a weight $i$ vector in $F_2^n$ under the action of
380: all permutations contains $C_n^i$ elements, which is the union of
381: orbits of circular actions.\\
382:
From [5] and [8] we know the following {\em balanced} symmetric
Boolean function $f$ of $n$ ($n$ is odd) variables
has the maximal possible AI $\lceil \frac{n}{2} \rceil$.\\
$$
\begin{array}{l}
f(x)=1, \quad wt(x) <\lceil \frac{n}{2} \rceil\\
f(x)=0, \quad wt(x) \geq \lceil \frac{n}{2} \rceil
\end{array}
$$
When $n$ is even, the value $b$ in the following definition can be
suitably chosen
such that it is balanced (in this case the function is not symmetric; however, it can be rotation symmetric if
$b$ is chosen to be the same on the orbits of circular actions).\\
$$
\begin{array}{l}
f(x)=1, \quad wt(x) < \frac{n}{2} \\
f(x)=0, \quad wt(x) > \frac{n}{2} \\
f(x)=b \in F_2, \quad wt(x)=\frac{n}{2}
\end{array}
$$

If we exchange some orbits under circular actions in the two sets
$S_0(f)$ and $S_1(f)$, we get some rotation symmetric Boolean
functions and the lower bound on their $AI$ can be proved by
applying Theorem 3. Let $H \subset S_0(f)$ and $H' \subset S_1(f)$
be two subsets with the same cardinality, which are unions of
orbits under circular actions. Set $X=S_0(f)\cup
H'-H$, $X'=S_1(f)\cup H-H'$. Let $f'$ be the Boolean function with
$S_0(f')=X, S_1(f')=X'$. This is a balanced
Boolean function. We have the following result.\\

{\bf Corollary 5.} {\em $AI(f') > \lceil \frac{n} {2} \rceil -\lceil
\log_2 |H| \rceil$.}\\


When $n$ goes to infinity, we have constructed some balanced
rotation symmetric Boolean functions with their algebraic immunity
asymptotically equal to $ \lceil \frac{n}{2} \rceil
-\log_2 n $ if $|H|=|H'|=n$ (e.g., $H$ and $H'$ consist of one orbit).\\
422:
{\bf Proof.} Let $i_1,...,i_{\lfloor \frac{n}{2} \rfloor}$ be
arbitrary $\lfloor \frac{n}{2}\rfloor$ distinct indices, and let $L_b$ be
the dimension $\lceil \frac{n}{2}\rceil$ subspace
of $F_2^n$ defined by $x_{i_1}=...=x_{i_{\lfloor \frac{n}{2}\rfloor}}=b$, where $b=0$ or $b=1$. We have
$S_1(f')\supset S_1(f)-H'$ and $|S_1(f'|_{L_0})|> 2^{\lceil n/2 \rceil }-2^{d}$, where $d= \lceil
\log_2 |H| \rceil$. Similarly we have $S_1(1+f') \supset S_1(1+f)-H$
and $|S_1((1+f')|_{L_1})|>2^{\lceil n/2\rceil }-2^{d}$. From Theorem
3, either $AI(f)>\lceil \frac{n} {2} \rceil -\lceil \log_2 |H|
\rceil$ or the annihilator functions of $f'$ or $1+f'$ are zero on
$L_0$ and $L_1$. This implies that the monomials in the algebraic
normal forms $f'$ and $1+f'$ have to contain at least $\lceil
\frac{n}{2}\rceil$
variables. In the latter case $AI(f)= \lceil \frac{n}{2}\rceil$. The conclusion is proved.\\
436:
437:
438:
439: {\bf IV. Conclusion}\\
440:
We presented a method to obtain some lower bounds on the algebraic
immunity of Boolean functions. When the results are applied to
symmetric or rotation symmetric Boolean functions, some lower
bounds on the algebraic immunity can be proved for these Boolean
functions. Some rotation symmetric Boolean functions with AI
near the maximal possible value $\lceil\frac{n}{2}\rceil$ are
constructed. Our method suggests some symmetric and rotation
symmetric Boolean functions with a large number of variables and high
algebraic immunity. Thus they can possibly be used in stream
ciphers
if these Boolean functions satisfy other cryptographic criteria. \\


{\bf Acknowledgement.} The work of the first author was supported in
part by NNSF of China under Grant 90607005 and Distinguished Young
Scholar Grant 10225106.\\
457:
458:
459: \begin{center}
460: REFERENCES
461: \end{center}
462:
463:
[1] F. Armknecht and M. Krause, Algebraic attacks on stream combiners
with memory, in Advances in Cryptology - Crypto 2003, LNCS 2729, pages 162-176, Springer-Verlag.\\

[2] F. Armknecht, Improving fast algebraic attacks, in Fast Software
Encryption 2004, LNCS 3017, pages 65-82, Springer-Verlag.\\

[3] F. Armknecht, On the existence of low-degree equations for
algebraic attacks, Cryptology e-print Archive, 2004/185.\\

[4] F. Armknecht, C. Carlet, P. Gaborit, S. Kunzli, W. Meier and
O. Ruatta, Efficient computation of algebraic immunity for algebraic
and fast algebraic attacks, in Advances in Cryptology - Eurocrypt 2006,
LNCS 4004, pages 147-164.\\

[5] An Braeken and B. Preneel, On the algebraic immunity of
symmetric Boolean functions, Indocrypt 2005.\\

[6] An Braeken, J. Lano and B. Preneel, Evaluating the resistance of
stream ciphers with linear feedback against fast algebraic attacks,
ACISP 2006, LNCS 4058, pages 40-51.\\

[7] A. Canteaut, Open problems related to algebraic attacks on
stream ciphers, in WCC 2005, pages 1-10.\\

[8] A. Canteaut and M. Videau, Symmetric Boolean functions, IEEE
Transactions on Information Theory, vol. 51 (2005), no. 8, pages
2791-2811.\\

[9] C. Carlet, ``Boolean Functions for Cryptography and Error
Correcting Codes'' (150 pages), chapter of the monograph ``Boolean
methods and models'' published by Cambridge University Press (Peter
Hammer and Yves Crama, editors).\\

[10] C. Carlet, D.K. Dalai, K.C. Gupta and S. Maitra, Algebraic immunity
for cryptographically significant Boolean functions: analysis and
construction, IEEE Trans. Inf. Theory, vol. 52 (2006), no. 7, pages
3105-3121.\\

[11] C. Carlet, On the Higher Order Nonlinearities of Algebraic
Immune Functions, in Advances in Cryptology - Crypto 2006, LNCS 4117.\\

[12] C. Carlet, A method of construction of balanced functions with
optimum algebraic immunity, Cryptology e-print Archive, 2006.\\

[13] N. Courtois and W. Meier, Algebraic attacks on stream ciphers
with linear feedback,
in Advances in Cryptology - Eurocrypt 2003, LNCS 2656, pages 346-359, Springer-Verlag.\\

[14] N. Courtois, Fast algebraic attacks on stream ciphers with
linear feedback,
in Advances in Cryptology - Crypto 2003, LNCS 2729, pages 176-194, Springer-Verlag.\\

[15] N. Courtois and J. Pieprzyk, Cryptanalysis of block ciphers with
overdetermined systems of equations, in Advances in
Cryptology - Asiacrypt 2002, LNCS 2501, pages 267-287.\\

[16] T.W. Cusick and P. Stanica, Fast evaluation, weights and
nonlinearity of rotation-symmetric functions, Discrete Math.,
vol. 258 (2002), pages 289-301.\\

[17] D.K. Dalai, K.C. Gupta and S. Maitra, Results on algebraic immunity
of cryptographically significant Boolean functions, in Indocrypt 2004, LNCS 3348.\\

[18] D.K. Dalai, S. Maitra and S. Sarkar, Basic Theory in construction
of Boolean functions with maximal possible annihilator immunity,
Cryptology e-print Archive, 2005/229.\\

[19] J.D. Golic, Vectorial Boolean functions and induced algebraic
equations, IEEE Transactions on Information Theory, vol. 52,
no. 2, pages 528-537, Feb. 2006.\\

[20] G. Gong, On existence and invariant of algebraic attacks,
preprint.\\

[21] W. Meier, E. Pasalic and C. Carlet, Algebraic attacks and
decomposition of Boolean functions, in Advances in
Cryptology - Eurocrypt 2004, LNCS 3027, pages 474-491,
Springer-Verlag.\\

[22] J. Pieprzyk and C.X. Qu, Fast hashing and rotation symmetric
functions, J. Universal Comput. Sci., vol. 5 (1999), pages 20-31.\\

[23] P. Stanica and S. Maitra, A constructive count of rotation
symmetric functions, Information Processing Letters, vol. 88 (2003),
pages 299-304.\\

[24] P. Stanica and S. Maitra, Rotation symmetric Boolean functions
- Count and cryptographic
properties, preprint.\\
567:
568:
569:
570:
571:
572:
573:
574:
575:
576:
577:
578:
579: \end{document}
580: