Fast Computing the Algebraic Degree of Boolean Functions
arXiv [cs.DM]
Valentin Bakoev
Faculty of Mathematics and Informatics, “St. Cyril and St. Methodius” University of Veliko Tarnovo, 2 Theodosi Tarnovski Str., 5003 Veliko Tarnovo, Bulgaria
Abstract
Here we consider an approach for fast computing the algebraic degree of Boolean functions. It combines fast computing the ANF (known as ANF transform) and thereafter the algebraic degree by using the weight-lexicographic order (WLO) of the vectors of the $n$-dimensional Boolean cube. Byte-wise and bitwise versions of a search based on the WLO and their implementations are discussed. They are compared with the usual exhaustive search applied in computing the algebraic degree. For Boolean functions of $n$ variables, the bitwise implementation of the search by WLO has total time complexity $O(n \cdot 2^n)$. When such a function is given by its truth table vector and its algebraic degree is computed by the bitwise versions of the algorithms discussed, the total time complexity is Θ((9 n − . n − ) = $\Theta(n \cdot 2^n)$. All algorithms discussed have time complexities of the same type, but with big differences in the constants hidden in the $\Theta$-notation. The experimental results after numerous tests confirm the theoretical results: the running times of the bitwise implementation are dozens of times better than the running times of the byte-wise algorithms.

Mathematics Subject Classification: Primary 68R05; Secondary 06A07, 05A15, 05A18.

Keywords: Boolean function, algebraic normal form, algebraic degree, weight-lexicographic order, WLO sequence generating, byte-wise algorithm, WLO masks generating, bitwise algorithm
Boolean functions are of great importance in modern cryptography, coding theory, digital circuit theory, etc. When they are used in the design of block ciphers, pseudo-random number generators (PRNG) in stream ciphers, etc., they should satisfy certain cryptographic criteria [6, 7, 5]. One of the most important cryptographic parameters is the algebraic degree of a Boolean function or of a vectorial Boolean function, also called an S-box. This degree should be higher in order for the corresponding Boolean function (or S-box, or PRNG) to be resistant to various types of cryptanalytic attacks. The process of generating such Boolean functions needs this parameter, as well as the other important cryptographic parameters, to be computed as fast as possible. In this way, more Boolean functions can be generated and a better choice can be made among them.

Let $f$ be a Boolean function of $n$ variables given by its Truth Table vector, denoted by $TT(f)$. There are two main approaches for computing the algebraic degree of $f$. The first one uses the Algebraic Normal Form (ANF) representation of $f$ and selects the monomial of the highest degree in it. The second approach uses only $TT(f)$, its weight, support, etc., without computing the ANF of $f$. In [10, 6, 5, 8] it is proven that if $TT(f)$ has an odd weight, then the algebraic degree of $f$ is maximal. This condition holds for half of all Boolean functions and it can be verified very easily. The algorithms proposed in [8] work only with $TT(f)$ and use this property. They are fast for just over half of all Boolean functions of $n$ variables. However, when these algorithms are compared with an algorithm of the first type (i.e., based on the ANF), the computational results raise some questions about the efficiency of the algorithms used for computing the ANF and thereafter the algebraic degree. This is one of the reasons that motivated us to do a more comprehensive study of the first approach: fast computing the algebraic degree of Boolean functions by their ANFs. We have already done three basic steps in this direction, discussed in Sections 3 and 4.2. Here we present the next step, which is a natural continuation of the previous ones. It includes a bitwise implementation of the ANF Transform (ANFT) followed by bitwise computing of the algebraic degree by using masks for one special sequence representing the weight-lexicographic order (WLO) of the vectors of the Boolean cube.

The paper is structured as follows. The basic notions are given in Section 2. In Section 3 we outline some preliminary results about the enumeration and distribution of Boolean functions of $n$ variables according to their algebraic degrees, as well as the WLO of the vectors of the Boolean cube and the corresponding sequences. At the beginning of Section 4, an algorithm for computing the algebraic degree of a Boolean function by using the WLO sequence is discussed. Section 4.2 starts with a comment on the preliminary results about the bitwise ANF transform. Thereafter, a search by using masks for the WLO sequence is considered. Section 5 shows a scheme of computations and used algorithms. The time complexities of the algorithms under consideration are summarized and the experimental results after numerous tests are given. They are used for comparison of the byte-wise and bitwise implementations of the proposed algorithms. The general conclusion is: in computing the algebraic degree of a Boolean function it is worth using the bitwise implementation of the proposed algorithms instead of the byte-wise one, since it is tens of times faster. In the last section, some ideas about the forthcoming steps of this study are outlined. Experiments in one of these directions have already begun and their first results are good.

Here $\mathbb{N}$ denotes the set of natural numbers.
We consider that $0 \in \mathbb{N}$ and $\mathbb{N}^+ = \mathbb{N} \setminus \{0\}$ is the set of positive natural numbers.

Usually, the $n$-dimensional Boolean cube is defined as $\{0,1\}^n = \{(x_1, x_2, \ldots, x_n) \mid x_i \in \{0,1\},\ \forall i = 1, 2, \ldots, n\}$, i.e., it is the set of all $n$-dimensional binary vectors. So $|\{0,1\}^n| = |\{0,1\}|^n = 2^n$. Further, we use the following alternative, inductive and constructive definition.

Definition 1.
1) The set $\{0,1\} = \{(0), (1)\}$ is called one-dimensional Boolean cube and its elements $(0)$ and $(1)$ are called one-dimensional binary vectors.
2) Let $\{0,1\}^{n-1} = \{\alpha_0, \alpha_1, \ldots, \alpha_{2^{n-1}-1}\}$ be the $(n-1)$-dimensional Boolean cube and $\alpha_0, \alpha_1, \ldots, \alpha_{2^{n-1}-1}$ be its $(n-1)$-dimensional binary vectors.
3) The $n$-dimensional Boolean cube $\{0,1\}^n$ is built by taking the vectors of $\{0,1\}^{n-1}$ twice: firstly, each vector of $\{0,1\}^{n-1}$ is prefixed by zero, and thereafter each vector of $\{0,1\}^{n-1}$ is prefixed by one: $\{0,1\}^n = \{(0, \alpha_0), (0, \alpha_1), \ldots, (0, \alpha_{2^{n-1}-1}), (1, \alpha_0), (1, \alpha_1), \ldots, (1, \alpha_{2^{n-1}-1})\}$.

For an arbitrary vector $\alpha = (a_1, a_2, \ldots, a_n) \in \{0,1\}^n$, the natural number $\sum_{i=1}^{n} a_i \cdot 2^{n-i}$ is called a serial number of the vector $\alpha$. So the serial number of $\alpha$ is the natural number having the $n$-digit binary representation $a_1 a_2 \ldots a_n$. A (Hamming) weight of $\alpha$ is the natural number $wt(\alpha)$, equal to the number of non-zero coordinates of $\alpha$, i.e., $wt(\alpha) = \sum_{i=1}^{n} a_i$. For any $k \in \mathbb{N}$, $k \le n$, the set of all $n$-dimensional binary vectors of weight $k$ is called a $k$-th layer of the $n$-dimensional Boolean cube. It is denoted by $L_{n,k} = \{\alpha \mid \alpha \in \{0,1\}^n : wt(\alpha) = k\}$ and we have $|L_{n,k}| = \binom{n}{k}$, for $k = 0, 1, \ldots, n$. These numbers are the binomial coefficients from the $n$-th row of Pascal's triangle and so $\sum_{k=0}^{n} \binom{n}{k} = 2^n = |\{0,1\}^n|$. The family of all layers $L_n = \{L_{n,0}, L_{n,1}, \ldots, L_{n,n}\}$ is a partition of the $n$-dimensional Boolean cube into layers.

For arbitrary vectors $\alpha = (a_1, a_2, \ldots, a_n)$ and $\beta = (b_1, b_2, \ldots, b_n) \in \{0,1\}^n$, we say that "$\alpha$ precedes lexicographically $\beta$" and denote this by $\alpha \le \beta$, if $\alpha = \beta$ or if $\exists k$, $1 \le k \le n$, such that $a_k < b_k$ and $a_i = b_i$, for all $i < k$. The relation "$\le$" is a total (unique) order in $\{0,1\}^n$, called lexicographic order. The vectors of $\{0,1\}^n$ are ordered lexicographically in the sequence $\alpha_0, \alpha_1, \ldots, \alpha_k, \ldots, \alpha_{2^n-1}$ if and only if:
• $\alpha_l \le \alpha_k$, $\forall l \le k$ and $\alpha_k \le \alpha_r$, $\forall k \le r$;
• the sequence of their serial numbers is exactly $0, 1, \ldots, k, \ldots, 2^n - 1$.

A Boolean function of $n$ variables (denoted usually by $x_1, x_2, \ldots, x_n$) is a mapping $f : \{0,1\}^n \to \{0,1\}$, i.e., $f$ maps any binary input $x = (x_1, x_2, \ldots, x_n) \in \{0,1\}^n$ to a single binary output $y = f(x) \in \{0,1\}$. Any Boolean function $f$ can be represented in a unique way by the vector of its functional values, called a Truth Table vector and denoted by $TT(f) = (f_0, f_1, \ldots, f_{2^n-1})$, where $f_i = f(\alpha_i)$ and $\alpha_i$ is the $i$-th vector in the lexicographic order of $\{0,1\}^n$, for $i = 0, 1, \ldots, 2^n - 1$. The set of all Boolean functions of $n$ variables is denoted by $\mathcal{B}_n$ and its size is $|\mathcal{B}_n| = 2^{2^n}$.

Another unique representation of the Boolean function $f \in \mathcal{B}_n$ is the algebraic normal form (ANF) of $f$, which is a multivariate polynomial

$$f(x_1, x_2, \ldots, x_n) = \bigoplus_{\gamma \in \{0,1\}^n} a_\gamma x^\gamma .$$

Here $\gamma = (c_1, c_2, \ldots, c_n) \in \{0,1\}^n$, the coefficient $a_\gamma \in \{0,1\}$, and $x^\gamma$ means the monomial $x_1^{c_1} x_2^{c_2} \ldots x_n^{c_n} = \prod_{i=1}^{n} x_i^{c_i}$, where $x_i^0 = 1$ and $x_i^1 = x_i$, for $i = 1, 2, \ldots, n$. A degree of the monomial $x^\gamma = x_1^{c_1} x_2^{c_2} \ldots x_n^{c_n}$ is the integer $\deg(x^\gamma) = wt(\gamma)$; it is the number of variables of the type $x_i^1 = x_i$, or the essential variables for $x^\gamma$. The algebraic degree (or simply degree) of $f$ is defined as $\deg(f) = \max\{\deg(x^\gamma) \mid a_\gamma = 1\}$. When $f \in \mathcal{B}_n$ and $TT(f)$ is given, the values of the coefficients $a_0, a_1, \ldots, a_{2^n-1}$ can be computed by a fast algorithm, usually called an ANF transform (ANFT). (Footnote: Depending on the area of consideration, the same algorithm is also called (fast) Möbius Transform, Zhegalkin Transform, Positive polarity Reed-Muller Transform, etc.) The ANFT is well studied, and it is derived in different ways by many authors, for example [6, 5, 9]. Its byte-wise implementation has a time complexity $\Theta(n \cdot 2^n)$. The vector $(a_0, a_1, \ldots, a_{2^n-1}) \in \{0,1\}^{2^n}$ obtained after the ANFT is denoted by $A_f$. When $f \in \mathcal{B}_n$ is the constant zero function (i.e., $TT(f) = (0, 0, \ldots, 0)$), then $A_f = (0, 0, \ldots, 0)$ and its algebraic degree is defined as $\deg(f) = -\infty$. If $f$ is the constant one function ($TT(f) = (1, 1, \ldots, 1)$), then $A_f = (1, 0, 0, \ldots, 0)$ and $\deg(f) = 0$.

It is well-known that half of all Boolean functions of $n$ variables have an algebraic degree equal to $n$, for $n \in \mathbb{N}^+$ [10, 6, 5, 8]. Furthermore, in [6, p. 49] Carlet notes that when $n$ tends to infinity, random Boolean functions have almost surely algebraic degrees at least $n - 1$. We consider that the overall enumeration and distribution of all Boolean functions of $n$ variables ($n \in \mathbb{N}^+$) according to their algebraic degrees is very important for our study. The paper where we explore them is still in review, but some results can be seen in OEIS [11], sequence A319511. We will briefly outline the results needed for further exposition.

Let $d(n, k)$ be the number of all Boolean functions $f \in \mathcal{B}_n$ such that $\deg(f) = k$.

Theorem 2. For arbitrary integers $n \in \mathbb{N}$ and $0 \le k \le n$, the number

$$d(n, k) = \left(2^{\binom{n}{k}} - 1\right) \cdot 2^{\sum_{i=0}^{k-1} \binom{n}{i}} .$$

Sketch of proof: let $X$ be the set of $n$ variables. There are $\binom{n}{k}$ monomials of degree $k$ because so many are the ways to choose $k$ variables from $X$. The first multiplier in the formula denotes the number of ways to choose at least one such monomial to participate in < k and to add them to the ANF.
Corollary 3. The number $d(n, n-1)$ tends to $\frac{1}{2} \cdot |\mathcal{B}_n|$ when $n \to \infty$.

Let $p(n, k)$ be the discrete probability that a random Boolean function $f \in \mathcal{B}_n$ has an algebraic degree equal to $k$. It is defined as

$$p(n, k) = \frac{d(n, k)}{|\mathcal{B}_n|} = \frac{d(n, k)}{2^{2^n}},$$

for $n \ge 1$ and $0 \le k \le n$. The values of $p(n, k)$ obtained for a fixed $n$ give the distribution of the functions from $\mathcal{B}_n$ according to their algebraic degrees. Table 1 represents this distribution, for $3 \le n \le 10$ and $n - 3 \le k \le n$. The values of $p(n, k)$ in it are rounded up to 10 digits after the decimal point. Furthermore, $p(n, k) \approx 0$, for $0 \le k < n - 3$, and their values are not shown in the table.

Table 1: Distribution of the functions from $\mathcal{B}_n$ according to their algebraic degrees, for $n = 3, 4, \ldots, 10$ (columns: $n$; the values of $p(n, k)$ for $k = n-3$, $k = n-2$, $k = n-1$, $k = n$).

These results were used:
• To check for representativeness the files used to test all algorithms discussed here. These are 4 files containing 10 , , and 10 randomly generated unsigned integers in 64-bit computer words. We used each of these files as an input for Boolean functions of 6 , , , . . . , 16 variables (reading $2^{n-6}$ integers from the chosen file) and we computed the algebraic degrees of all these functions. The absolute value of the difference between the theoretical and computed distribution is less than 0.88% (it exceeds 0.1% in only a few cases), for all tests. So we consider that the algorithms work with samples of Boolean functions which are representative enough.
• When creating the algorithms presented in the following sections. The distribution shows why the WLO has been studied in detail and what to expect for the running time of algorithms that use the WLO.

3.2 WLO of the Vectors of $n$-dimensional Boolean Cube

The simplest algorithm for computing the algebraic degree of a Boolean function is an Exhaustive Search (we refer to it as ES algorithm): if $f \in \mathcal{B}_n$ and $A_f = (a_0, a_1, \ldots, a_{2^n-1})$ is given, it checks consecutively whether $a_i = 1$, for $i = 0, 1, \ldots, 2^n - 1$. The algorithm selects the vector of maximal weight among all vectors $\alpha_i \in \{0,1\}^n$ such that $a_i = 1$. The algorithm checks exhaustively all values in $A_f$ (which correspond to the lexicographic order of the vectors of $\{0,1\}^n$) and so it performs $\Theta(2^n)$ checks.

The basic parts of a faster way for the same computing are considered in [1, 2]. Here they are given in short, but all related notions, proofs, illustrations, algorithms and programming codes, details, etc., can be seen in [2].

The sequence of layers $L_{n,0}, L_{n,1}, \ldots, L_{n,n}$ gives an order of the vectors of $\{0,1\}^n$ in accordance with their weights. When $\alpha, \beta \in \{0,1\}^n$ and $wt(\alpha) < wt(\beta)$, then $\alpha$ precedes $\beta$ in the sequence of layers, and if $wt(\alpha) = wt(\beta) = k$, then $\alpha, \beta \in L_{n,k}$ and there is no precedence between them. We define the corresponding relation $R_{<_{wt}}$ as follows: for arbitrary $\alpha, \beta \in \{0,1\}^n$, $(\alpha, \beta) \in R_{<_{wt}}$ if $wt(\alpha) < wt(\beta)$ or if $\alpha = \beta$. When $(\alpha, \beta) \in R_{<_{wt}}$ we say that "$\alpha$ precedes by weight $\beta$" and write also $\alpha <_{wt} \beta$. Thus $R_{<_{wt}}$ is a partial order in $\{0,1\}^n$ and we refer to it (and to the order determined by it) as a Weight-Order (WO).

To develop an algorithm we use the serial numbers of the vectors in the sequence of layers instead of the vectors themselves. For an arbitrary layer $L_{n,k} = \{\alpha_1, \alpha_2, \ldots, \alpha_m\}$ of $\{0,1\}^n$, we define the sequence of serial numbers of the vectors of $L_{n,k}$ and denote it by $l_{n,k}$; its terms are the serial numbers of $\alpha_1, \alpha_2, \ldots, \alpha_m$. Let $l_n = l_{n,0}, l_{n,1}, \ldots, l_{n,n}$ be the sequence of all serial numbers corresponding to the vectors in the sequence of layers $L_{n,0}, L_{n,1}, \ldots, L_{n,n}$. Thus $l_n$ represents a WO of the vectors of $\{0,1\}^n$ and we call $l_n$ a WO sequence of $\{0,1\}^n$.

One of all possible $\prod_{k=0}^{n} \binom{n}{k}!$ WO sequences deserves special attention. Firstly, we define the operation addition of a natural number to a sequence as follows: if $n, m \in \mathbb{N}^+$ and $s = a_1, a_2, \ldots, a_n$ is a sequence of integers, then $s + m = a_1 + m, a_2 + m, \ldots, a_n + m$.
Following Definition 1, we obtain:

Definition 4.
1) The WO sequence of the one-dimensional Boolean cube is $l_1 = 0, 1$.
2) Let $l_{n-1} = l_{n-1,0}, l_{n-1,1}, \ldots, l_{n-1,n-1}$ be the WO sequence of the $(n-1)$-dimensional Boolean cube.
3) The WO sequence of the $n$-dimensional Boolean cube $l_n = l_{n,0}, l_{n,1}, \ldots, l_{n,n}$ is defined as follows:
• $l_{n,0} = 0$ and it corresponds to the layer $L_{n,0} = \{\tilde{0}_n\}$, where $\tilde{0}_n$ is the zero vector of $n$ coordinates;
• $l_{n,n} = 2^n - 1$ and it corresponds to the layer $L_{n,n} = \{\tilde{1}_n\}$, where $\tilde{1}_n$ is the all-ones vector of $n$ coordinates;
• $l_{n,k} = l_{n-1,k},\ l_{n-1,k-1} + 2^{n-1}$, for $k = 1, 2, \ldots, n-1$. Here $l_{n,k}$ is a concatenation of two sequences: the sequence $l_{n-1,k}$ is taken (or copied) firstly, and the sequence $l_{n-1,k-1} + 2^{n-1}$ follows after it. The sequence $l_{n,k}$ corresponds to the layer $L_{n,k}$.

(Footnote: You can see the sequence A051459 in the OEIS [11] for details.)

Theorem 5. Let $n \in \mathbb{N}^+$ and $l_n = l_{n,0}, l_{n,1}, \ldots, l_{n,n}$ be the WO sequence, obtained in accordance with Definition 4. Then, the serial numbers in the sequence $l_{n,k}$ determine a lexicographic order of the vectors of the corresponding layer $L_{n,k}$, for $k = 0, 1, \ldots, n$.

Theorem 5 is proven by mathematical induction in [2]. It states that Definition 4 determines a second criterion for ordering the vectors within the existing WO of the Boolean cube: this is the lexicographic order. Since it is a total order for each subsequence $l_{n,k}$, $0 \le k \le n$, a total weight order for the sequence $l_n$ is obtained. We call it a Weight-Lexicographic Order (WLO).

The WLO algorithm is based on Definition 4 and Theorem 5, and so they imply its correctness. For a given input $n \in \mathbb{N}^+$, it starts from $l_1$ and computes consecutively the sequences $l_2, l_3, \ldots, l_n$. Some results computed by the algorithm are given in Table 2. More results can be seen in OEIS [11], sequence A294648.

Table 2: Results obtained by the WLO algorithm for n = 1, . . . (columns: $n$, $l_n$).

The time complexity of the WLO algorithm is $\Theta(2^n)$; it is exponential with respect to the size of the input $n$. Furthermore, it is linear with respect to the size of the output. The space complexity of the algorithm is of the same type. We note that the running time for precomputation of the sequence $l_n$ in a lookup table is negligible ( ≈

The terms of the WLO sequence $l_n$ form a permutation of the numbers $0, 1, \ldots, 2^n - 1$; $l_n = (i_0, i_1, \ldots, i_{2^n-1})$. We use the sequence $l_n$ to compute the algebraic degree of a given Boolean function $f \in \mathcal{B}_n$. The proposed algorithm is similar to the ES algorithm, but it checks the coordinates of $A_f = (a_0, a_1, \ldots, a_{2^n-1})$ in accordance with the values of $l_n$, from right to left. It starts with the $i_{2^n-1}$-th coordinate of $A_f$. If it is equal to zero, the algorithm checks the $i_{2^n-2}$-th coordinate of $A_f$, and so on, looking for the first coordinate of $A_f$ which is equal to one, and then it stops. If there is no such coordinate, then $f$ is the constant zero function. Otherwise, if the algorithm stops the search on the $i_j$-th coordinate ($0 \le j < 2^n$) of $A_f$, it returns the number of the subsequence that contains the number $i_j$ as an output. If $i_j$ is a term of $l_{n,k}$, $0 \le k \le n$, then the layer $L_{n,k}$ contains a vector whose serial number is $i_j$ and therefore $\deg(f) = k$. The algorithm is correct, since it follows the WLO and stops at the right place: if it continues with the checks, it will find possible monomials of degree $\le k$. Thus the algorithm performs $O(2^n)$ checks and this is its time complexity. This general estimation concerns a very small number of functions $f \in \mathcal{B}_n$ because the computing will finish after $O(n)$ checks for almost 100% of all such functions (especially when $n$ grows), as it is shown in Section 3.1. Since this algorithm works in a byte-wise manner and after the byte-wise ANFT, we call it Byte-wise WLO algorithm.

In [3] we presented a comprehensive study of the bitwise implementation of the ANFT. When 64-bit computer words are used, the obtained algorithm has a time complexity Θ((9 n − . n − ) and a space complexity $\Theta(2^{n-6})$, i.e., both are of the type $\Theta(2^n)$. But the experimental results show that the bitwise version of the algorithm is about 25 times faster in comparison to the byte-wise version. (Footnote: Both algorithms have been implemented as C++ programs in Code::Blocks 13.12 IDE, built as 32-bit applications in Release mode and tested with the largest file of 10 integers.) Analogous research concerning the parallel bitwise implementation of the ANFT is presented in [4] and similar results about its efficiency are obtained.

After these results it is natural to think about a bitwise implementation of the last algorithm. Otherwise, bitwise computing of an ANFT seems unnecessary, since computing the other cryptographic parameters of Boolean functions needs a byte-wise representation (see Fig. 1). Our first idea is to check all vectors in the same layer in one (or several) step(s). For this purpose we use $n + 1$ masks $m_{n,0}, m_{n,1}, \ldots, m_{n,n}$ corresponding to the vectors in the layers $L_{n,0}, L_{n,1}, \ldots, L_{n,n}$. The mask $m_{n,i}$ is a binary vector of the same length as $A_f$ and $m_{n,i}$ contains units only in those bits whose coordinates correspond to the numbers in the subsequence $l_{n,i}$, for $i = 0, 1, \ldots, n$. So we need to repeat bitwise conjunctions between $A_f$ and $m_{n,i}$, for $i = n, n-1, \ldots, 0$, as long as $A_f \wedge m_{n,i} = 0$. If this equality holds for all values of $i$, then $f$ is the constant zero function. Otherwise, if $k$ is the first value of $i$ (when $i$ decreases from $n$ to 0) such that $A_f \wedge m_{n,k} > 0$, then $k$ is the algebraic degree of $f$. So the algorithm stops and returns $k$. We call it Bitwise WLO algorithm, accepting that it always uses masks.

When $A_f$ occupies one computer word, the algorithm performs at most $n + 1$ steps and so its time complexity is $O(n)$, i.e., it is of logarithmic type ($n = \log_2 2^n$) with respect to the size of the input. If the size of the computer word is $64 = 2^6$ bits and $f$ is a function of $n > 6$ variables, then $TT(f)$ and $A_f$ occupy $s = 2^n / 64 = 2^{n-6}$ computer words. So $m_{n,i}$ will occupy $s$ computer words too and the computing of $A_f \wedge m_{n,i}$ will be done in $s$ steps, for $i = n, n-1, \ldots, 0$. If on some of these steps the conjunction between $A_f$ and $m_{n,i}$ is greater than zero, the algorithm returns $i$ and stops. Therefore, in the general case, the bitwise WLO algorithm has a time complexity $O(n + 1) \cdot O(s) = O(n \cdot 2^{n-6})$. This estimation again concerns a very small number of functions $f \in \mathcal{B}_n$: the computing will finish after $O(1 + s) = O(2^{n-6})$ checks for almost 100% of all such functions.

Let us consider the masks' generating. For arbitrary $i$, $0 \le i \le n$, it is easy to put units in all those bits of $m_{n,i}$ that correspond to the numbers in the subsequence $l_{n,i}$. We note that we use the serial numbers of the masks, stored in the necessary number of 64-bit computer words, as well as the vectors $TT(f)$ and $A_f$. Furthermore, we generate them in accordance with the following definition.

Definition 6.
1) For $n = 1$, the serial numbers of the masks corresponding to the subsequences $l_{1,0}$ and $l_{1,1}$ are $m_{1,0} = 2$ and $m_{1,1} = 1$.
2) Let $m_{n-1,0}, m_{n-1,1}, \ldots, m_{n-1,n-1}$ be the serial numbers of the masks corresponding to the subsequences $l_{n-1,0}, l_{n-1,1}, \ldots, l_{n-1,n-1}$.
3) The serial number of the mask $m_{n,i}$ corresponding to the subsequence $l_{n,i}$ is:

$$m_{n,i} = \begin{cases} 2^{2^{n-1}} \cdot m_{n-1,0} = 2^{2^n - 1}, & \text{if } i = 0, \\ 1, & \text{if } i = n, \\ 2^{2^{n-1}} \cdot m_{n-1,i} + m_{n-1,i-1}, & \text{if } 0 < i < n, \end{cases}$$

for $i = 0, 1, \ldots, n$.

Definition 6 corresponds to Definitions 1 and 4. Its correctness can be proven strictly by mathematical induction on $n$. The running time for generating (precomputation of) the masks in accordance with Definition 6 is negligible ( ≈ n > s = $2^{n-6}$ computer words for each mask. The serial numbers of masks grow exponentially; see Table 3, as well as the sequence A305860 in OEIS [11].

Table 3: Serial numbers of the masks, for n = 1, . . . (columns: $n$, $m_{n,0}$, $m_{n,1}$, $m_{n,2}$, $m_{n,3}$, $m_{n,4}$, $m_{n,5}$).

Example 7. Let us consider $f \in \mathcal{B}_4$ whose ANF, the coordinates' (or bits') numbers (those which are greater than 9 are represented by their last digit) and the masks (for $n = 4$) are given in Table 4. When we use the byte-wise WLO algorithm, it checks consecutively the coordinates of $A_f$, from right to left, i.e., 15, 14, 13, 11, 7, 12 (see the WLO sequence $l_4$ in Table 2). $A_f$ contains zeros in all coordinates before the 12-th; in this coordinate $A_f$ contains one and so the algorithm stops after 6 checks. Since 12 is a term of $l_{4,2}$, hence $\deg(f) = 2$. When the bitwise WLO algorithm is used, it computes the conjunctions: $A_f \wedge m_{4,4} = 0$, $A_f \wedge m_{4,3} = 0$, $A_f \wedge m_{4,2} > 0$. So $\deg(f) = 2$ and it is computed in 3 steps.

Table 4: The data used in Example 7

Coordinates' numbers    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
A_f                   = 1 0 0 1 0 1 1 0 1 0 1 0 1 0 0 0
m_{4,0} = 32768       = 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
m_{4,1} = 26752       = 0 1 1 0 1 0 0 0 1 0 0 0 0 0 0 0
m_{4,2} = 5736        = 0 0 0 1 0 1 1 0 0 1 1 0 1 0 0 0
m_{4,3} = 278         = 0 0 0 0 0 0 0 1 0 0 0 1 0 1 1 0
m_{4,4} = 1           = 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1

The second idea for a new bitwise algorithm is to check the bits of $A_f$ in accordance with the WLO sequence. This algorithm will be similar to the byte-wise WLO algorithm and it will have a time complexity of the same type: $O(2^n)$. We discarded this idea because the time complexity of the bitwise WLO algorithm is $O(n \cdot 2^{n-6})$ and $n \cdot 2^{n-6} < 2^n$ when $6 < n < 64$. But during the revision of this paper, we noticed that for almost 100% of all $f \in \mathcal{B}_n$, the bitwise WLO algorithm performs $O(2^{n-6})$ checks, whereas the byte-wise WLO algorithm (as well as the new bitwise algorithm) performs $O(n)$ checks. Furthermore, the check of a serial bit of $A_f$ (in accordance with the WLO sequence) needs no more than 5 bitwise operations. Hence the new bitwise algorithm will have a small constant hidden in the $O$-notation. For example, the bitwise WLO algorithm will be better for small $n$ (say n ≤ n = 16 the bitwise WLO algorithm will perform many more operations than the new bitwise algorithm. The forthcoming tests will show when and how much faster the new algorithm is.

We return to the main problem of this study: fast computing the algebraic degree of a Boolean function $f \in \mathcal{B}_n$ given by its $TT(f)$. A scheme of the computations and used algorithms is shown in Fig. 1.

Figure 1: A scheme for computing the algebraic degree of Boolean functions

In accordance with this scheme, the time complexities of the algorithms considered are summarized as follows:
1. The byte-wise ANFT algorithm followed by the ES algorithm are referred to as Byte-wise ANFT&ES further. So, their time complexity is a sum of $\Theta(n \cdot 2^n) + \Theta(2^n) = \Theta(n \cdot 2^n)$.
2. The byte-wise ANFT algorithm followed by the byte-wise WLO algorithm are referred to as Byte-wise ANFT&WLO. Their time complexity is $\Theta(n \cdot 2^n) + O(2^n) = \Theta(n \cdot 2^n)$.
3. The bitwise ANFT algorithm followed by the bitwise WLO algorithm are referred to as Bitwise algorithms. When 64-bit computer words are used, the time complexity of the bitwise algorithms is Θ((9 n − . n − ) + $O(n \cdot 2^{n-6})$ = Θ((9 n − . n − ) = $\Theta(n \cdot 2^n)$.

It has to be noted that these time complexities are:
• dominated by the time complexity of the corresponding ANFT: the cost of search is relatively small and it is absorbed into the cost of the ANFT;
• of the same type $\Theta(n \cdot 2^n)$, and the differences between them are in the constants hidden in the $\Theta$-notation.

To understand what these theoretical time complexities mean in practice, we have done a lot of tests. Some more important tests' parameters are:
1. Hardware parameters: Intel Pentium CPU G4400, 3.3 GHz, 4 GB RAM, Samsung SSD 650 120 GB.
2. Software parameters: Windows 10 OS and MVS Express 2015 for Windows Desktop. The algorithms are written in C++. All programs were built in Release mode as 32-bit and 64-bit console applications and executed without Internet connection.
3. Methodology of testing: all tests were executed 3 times, on the same computer, under the same conditions. The running times are taken in average. All results were checked for coincidence. The time for reading from file and conversion to byte-wise representation is excluded.

Table 5 shows the obtained running times of the compared algorithms for all $2^{32}$ Boolean functions of 5 variables.

Table 5: Experimental results about all $2^{32}$ Boolean functions of 5 variables

                        Pure running time in seconds for:
Tested algorithms       32-bit application   64-bit application
Byte-wise ANFT&ES       540.824              507.407
Byte-wise ANFT&WLO      450.521              378.374
Bitwise algorithms      6.470                6.512
Functions of 6 and more variables have been tested with the file of $10^8$ integers. Depending on the number of variables, $2^{n-6}$ integers are read from the file and so they form the serial Boolean function. Tables 6 and 7 show the results for Boolean functions (BFs) of 6 and more variables (vars).

Table 6: Experimental results for 32-bit applications

                        Pure running time in seconds for Boolean functions of:
Implementation of:      6 vars,     8 vars,       10 vars,       12 vars,       16 vars,
                        10^8 BFs    10^8/4 BFs    10^8/16 BFs    10^8/64 BFs    97 656 BFs
Byte-wise ANFT&ES       38.834      42.400        42.664         43.466         44.740
Byte-wise ANFT&WLO      22.003      20.022        18.758         18.230         18.808
Bitwise algorithms      1.078       1.958         1.560          1.563          1.431
Table 7: Experimental results for 64-bit applications

                        Pure running time in seconds for Boolean functions of:
Implementation of:      6 vars,     8 vars,       10 vars,       12 vars,       16 vars,
                        10^8 BFs    10^8/4 BFs    10^8/16 BFs    10^8/64 BFs    97 656 BFs
Byte-wise ANFT&ES       37.429      39.178        37.699         38.789         40.350
Byte-wise ANFT&WLO      17.443      15.880        14.224         14.243         14.454
Bitwise algorithms      0.861       0.819         0.709          0.640          0.718
We hope that the obtained results show convincingly the advantages of the WLO approaches in computing the algebraic degree of Boolean functions. The bitwise implementations of the considered algorithms are dozens of times faster than the byte-wise implementations. Their usage economizes valuable time, especially in generating S-boxes. The natural continuation of the topic under consideration includes an experimental study of:
• The second bitwise algorithm proposed at the end of Section 4.2.
• Combination of both approaches discussed in Section 1 as follows. First, compute the weight of $TT(f)$. If it is an odd number, then $f$ is of maximal degree. Otherwise, continue with the bitwise algorithms. Some tests with the largest file (of 10 integers) have already begun. The first results show that due to this modification, the bitwise algorithms run about two times faster.
• More appropriate software environment (for example, Linux) in order to minimize the effects of background processes running during the executions of the tests. Afterward, repeat all tests since some running times in the last two tables are less than one second and they might not have been precise enough.
• Application of the bitwise algorithms in computing the algebraic degree of true examples of S-boxes.
• Parallel implementations of the bitwise algorithms.
Acknowledgments
The author is grateful for the partial support from the Research Fund of the University of Veliko Tarnovo, Bulgaria, under Contract FSD-31-340-14/26.03.2019.
References

[1] Bakoev V., Ordinances of the vectors of the n-dimensional Boolean cube in accordance with their weights, (Presented Conference Paper style). In: Book of Abstracts, XIV Serbian Mathematical Congress, May 16–19, 2018, Kragujevac, Serbia, p. 103
[2] Bakoev V., About the ordinances of the vectors of the n-dimensional Boolean cube in accordance with their weights (2018). https://arxiv.org/abs/1811.04421
[3] Bakoev V., Fast Bitwise Implementation of the Algebraic Normal Form Transform, Serdica Journal of Computing, 11