Algebraic immunity of vectorial Boolean functions and Boolean Groebner bases

The basic concepts and results related to the Boolean Groebner bases and their application for computing the algebraic immunity of vectorial Boolean functions are considered. This parameter plays an important role in the security evaluation of block ciphers against algebraic attacks. Unlike the available works, the description is carried out at the elementary level using terms of Boolean functions theory. In addition, the proofs obtained are shorter than the previous ones. This allows us to achieve significant progress in building the fundamentals of the theory (for the Boolean case) using only elementary methods. The paper can be useful for students and postgraduate students studying cryptology. It may also save time for professionals who want to get familiar with the mathematical techniques used in algebraic attacks on block ciphers.


Introduction
The security evaluation of block ciphers as well as some stream ciphers against algebraic attacks [1,2,3] raises the problem of finding or estimating the maximal number of linearly independent equations of lowest degree among all Boolean equations that describe a given vectorial Boolean function (an s-block). Although a solution of the problem is given in [4], that work is little known and assumes reader erudition in the field of polynomial ideals and Groebner bases, which, in turn, requires knowledge of commutative algebra basics.
The purpose of this paper is to outline the basic concepts and results related to the problem formulated above, including the concepts of the (Boolean) Groebner basis and algebraic immunity of a vectorial Boolean function. At present there are several definitions of algebraic immunity of vectorial Boolean functions [1,4,5,6,7], among which the definition given by Ars-Faugère [4] is the most appropriate from a practical point of view. Section 1 summarizes the basic statements on ideals in the ring of Boolean functions. In particular, it is shown that each ideal is uniquely determined by the set of its zeros and is generated by a unique function that can be effectively constructed from the set of zeros of the ideal. A relation between the dimension of an ideal (as a subspace of the vector space of Boolean functions) and the number of its zeros is proved. The well-known Hilbert Nullstellensatz for the ring of Boolean functions (see [8], for example) directly follows from the mentioned relation.
Section 2 gives the definition of the algebraic immunity of a vectorial Boolean function and describes a method of estimating this parameter based on certain results of [9]. The proposed method allows fast solving of the decision problem (whether or not the algebraic immunity is above the specified threshold) directly by the truth table of the vectorial function using the Gaussian elimination algorithm.
Finally, Sections 3 and 4 are devoted to the basics of the Boolean Groebner bases theory and their application for computing the algebraic immunity. The main purpose is to prove the Ars-Faugère theorem [4], which makes it possible to find the algebraic immunity along with all equations of lowest degree. These equations result from the system of equations that describes a given vectorial Boolean function.
The results presented in the paper are essentially known. However, unlike the available works, the description is carried out with the help of elementary techniques and the proofs obtained are shorter. Furthermore, in contrast to the traditional approach to Groebner bases of polynomial ideals (see [8], for example), the description in the paper is based on the terms of Boolean functions theory. This allows us to achieve significant progress in building the foundations of the theory (for the Boolean case) using only elementary methods.
In the author's opinion, the paper can be useful for students and postgraduate students studying cryptology. It may also save time for professionals who want to get familiar with the mathematical techniques used in algebraic attacks on block ciphers. Recall that a set ⊆ is called an ideal in the ring if ∀ ∈ ∀ 1 , 2 ∈ : 1 ⊕ 2 ∈ , 1 ∈ . The notation ▷ means that is an ideal in . The ideal generated by a set { 1 , ..., } ⊆ is defined as follows:

Ideals in the ring of Boolean functions
For any ▷ , ⊆ let The set 1 is called the algebraic variety [8] or the set of zeroes of the ideal . The set 2 is the ideal of all Boolean functions which turn into zero on . The basic properties of ideals in the ring are the following.
In particular, there is a one-to-one correspondence between the ideals in the ring and the subsets of the set (such that each ideal is uniquely determined by the set of its zeros). Besides, each ideal ▷ is generated by only one Boolean function defined as follows: Proof. First of all, let us prove the equality = ⟨ ⟩. If = {0}, then this equality is obvious. Let ̸ = {0} and / ∈ ( ). Then there exists a function ∈ such that ( ) = 1. We have where the functions , ∈ , are defined by the rule ( ) = 1 ⇔ = , ∈ . Since ▷ and ∈ we obtain So, for any / ∈ ( ) we have Besides, for any ∈ we have = . Thus, ⊆ ⟨ ⟩ and, therefore, = ⟨ ⟩, which completes the proof.
As an example, let us consider a system Then consists of all functions ∈ such that the equation ( 1 , ..., ) = 0 is a consequence of the system (4) and the set of all solutions of this system is ( ). Next, the specified system is equivalent to one equation Let be an arbitrary ideal in the ring ; then the set is also an ideal called the annihilator of the ideal . The annihilator of a function ∈ is defined as the annihilator of the ideal generated by this function: Statement 2 For any ▷ the ring is a direct sum of the ideals and ( ). In other words, for each function there exists a unique representation Proof. It is enough to observe that ( ( )) = ∖ ( ) and use Statement 1. To conclude this section let's describe the connection between ideals in the ring and some block codes. Notice that every ideal ▷ is a subspace of the vector space of all Boolean functions in variables and, therefore, a linear code of length 2 over the field of two elements. The code-words of this code are the value vectors of the functions belonging to Let's write the words of the code (5) in a 2 × 2 table, where = dim denotes the dimension of the ideal . It is clear that the set ( ) coincides with the set of all zero columns in this table and the set ∖ ( ) is equal to the support of the code . Next, all 2 vectors ( ( ) : ∈ ∖ ( )), where ∈ , are pairwise different. Since their length is | ∖ ( )| we have ≤ | ∖ ( )|. On the other hand, according to Statement 1 any function ∈ such that ( ) = 0 for all ∈ ( ) belongs to the code . Thus, 2 | ∖ ( )| ≤ | |, that is | ∖ ( )| ≤ . So, we obtain the following statement establishing the relationship between the dimension of an ideal and the number of its zeros.

Statement 3 For any ▷
the following equality holds: As a consequence, we obtain the following variant of Hilbert's Nullstellensatz (see [8], for example).  By definition [4], the algebraic immunity of the vectorial function is the number ( ) = min deg ( ). The following statement is a direct consequence of results from the previous section. Thus, to estimate the algebraic immunity of a vectorial function it is sufficient to construct the function and find the smallest degree of nonzero Boolean functions that annihilate it. Based on the results from Sec. 5.1 in [9] let us prove the following statement, which makes it possible to use Gaussian elimination for finding the algebraic immunity of a vectorial function. First, let us introduce some notation.
For any positive integer denote For an arbitrary vectorial function : → consider the 2 × ( , ) matrix , whose rows are numbered by the vectors ∈ and the columns by the pairs ( , ), where , ∈ and | | + | | ≤ . By definition, an element of the matrix , located at the intersection of its row with the number and the column with the number ( , ) is equal to the value of the monomial at the point ( , ) = ( , ( )).

Statement 5 We have
Proof. According to the definition of the matrix , , a non-zero function Thus, according to Consequence 2, to estimate the algebraic immunity of a vectorial Boolean function : → it is sufficient: 1) to find the maximal positive integer such that ( , ) ≤ 2 ; 2) to construct the matrix , and evaluate its rank using the Gaussian elimination algorithm. If
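The rank test described in this section, written out in Python as an added example (it is not code from the paper). It builds the matrix of monomial values at the points (x, F(x)), reduces it over GF(2), and returns the lowest degree at which a nonzero relation exists together with the number of linearly independent relations of that degree. All function names are assumptions made for this illustration; the sample inputs are the published 4-bit PRESENT S-box and a constructed 3-bit identity map.

```python
from itertools import combinations

# Published 4-bit S-box of the PRESENT block cipher (sample input).
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
# Constructed sample: identity map on 3 bits (purely linear, weakest case).
IDENTITY3 = list(range(8))

def monomial_masks(nvars, d):
    """Bitmasks of all monomials in nvars variables of degree <= d."""
    return [sum(1 << i for i in c)
            for k in range(d + 1) for c in combinations(range(nvars), k)]

def gf2_rank(rows):
    """Rank over GF(2); every row is an int whose bits are the entries."""
    rows, rank = list(rows), 0
    while rows:
        pivot = rows.pop()
        if pivot:
            rank += 1
            low = pivot & -pivot          # lowest set bit = pivot column
            rows = [r ^ pivot if r & low else r for r in rows]
    return rank

def graph_matrix(sbox, n, d):
    """Rows: inputs x. Columns: monomials of degree <= d in (x, y).
    Entry: value of the monomial at the point (x, F(x))."""
    m = max(sbox).bit_length() or 1
    monos = monomial_masks(n + m, d)
    rows = []
    for x, y in enumerate(sbox):
        point = x | (y << n)              # bits of x, then bits of F(x)
        rows.append(sum(1 << j for j, mono in enumerate(monos)
                        if point & mono == mono))
    return rows, len(monos)

def algebraic_immunity(sbox, n):
    """Return (d, k): the lowest degree d of a nonzero function vanishing
    on the graph of F, and the number k of linearly independent ones."""
    d = 1
    while True:
        rows, cols = graph_matrix(sbox, n, d)
        k = cols - gf2_rank(rows)         # dimension of the null space
        if k > 0:                         # rank deficit: relation exists
            return d, k
        d += 1

if __name__ == "__main__":
    print(algebraic_immunity(PRESENT_SBOX, 4))   # (2, 21)
    print(algebraic_immunity(IDENTITY3, 3))      # (1, 3)
```

For the PRESENT S-box there are 9 monomials of degree at most 1 and the matrix has full column rank, so no affine relation exists; at degree 2 there are 37 monomials against 16 rows, which leaves 21 independent quadratic equations.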

Groebner bases of ideals in the ring of Boolean functions
Let's denote by 0 the set of -dimensional vectors with non-negative integer coordinates. This set is a semi-group with respect to the operation + of vector addition. The partial ordering ≤ on the set 0 is defined as follows: = 1, 2, ..., ).
Let be a nonzero ideal in the ring of Boolean functions in variables. A system 1 , ..., ∈ is called a Groebner basis of the ideal for the monomial ordering ⪯ on the set 0 if for any ∈ there exists ∈ {1, 2, ..., } such that ⪯ ( ) is divisible by ⪯ ( ). A Groebner basis 1 , ..., is called minimal if ⪯ ( ) is not divisible by ⪯ ( ) for all ̸ = .
whose leading monomials form the set of all monomials of degree 2 in 1 , 2 , 3 . Next, the set ( ) contains exactly 4 vectors (the zeroes of ). So, deg ≥ 2 for all ∈ ∖ {0}. Indeed, if the ideal contains a non-zero affine function, then it is balanced, turns into zero on the set ( ), and, therefore, coincides with . Thus, the system of functions is a minimal Groebner basis of the ideal .

Application of Groebner bases for constructing the lowest-degree equations describing a vectorial Boolean function and computing its algebraic immunity
The following statement solves the problem formulated in the Introduction of the paper.
Statement is proved.

Conclusion
The algebraic immunity ( ) of a vectorial Boolean function : → is defined as the lowest degree of Boolean equations in 2 variables that describe the function (Statement 4). To estimate the algebraic immunity the results from Section 2 can be used. They allow fast solving of the decision problem (whether or not the algebraic immunity is above the specified threshold) directly by the truth table of the vectorial function using the Gaussian elimination algorithm.
To estimate ( ) as well as to find all lowest-degree equations describing a vectorial Boolean function it is sufficient to construct a minimal Groebner basis of the ideal ( ) with respect to an arbitrary graded monomial ordering and use Statement 7. In practice, a computer algebra system can be used for computing a minimal Groebner basis of an ideal in the ring of Boolean functions [10]: for = 8 the computation takes a few seconds.