Counting and characterising functions with “fast points” for differential attacks

Abstract

Higher order derivatives have been introduced by Lai in a cryptographic context. A number of attacks such as differential cryptanalysis, the cube and the AIDA attack have been reformulated using higher order derivatives. Duan and Lai have introduced the notion of “fast points” of a polynomial function f as being vectors a so that computing the derivative with respect to a decreases the total degree of f by more than one. This notion is motivated by the fact that most of the attacks become more efficient if they use fast points. Duan and Lai gave a characterisation of fast points and Duan et al. gave some results regarding the number of functions with fast points in some particular cases. We firstly give an alternative characterisation of fast points and secondly give an explicit formula for the number of functions with fast points for any given degree and number of variables, thus covering all the cases left open in Duan et al. Our main tool is an invertible linear change of coordinates which transforms the higher order derivative with respect to an arbitrary set of linearly independent vectors into the higher order derivative with respect to a set of vectors in the canonical basis. Finally we discuss the cryptographic significance of our results.