Fast Algebraic Attacks and Decomposition of Symmetric Boolean Functions
Algebraic and fast algebraic attacks are powerful tools to analyze stream ciphers. A class of symmetric Boolean functions with maximum algebraic immunity were found vulnerable to fast algebraic attacks at EUROCRYPT'06. Recently, the notion of AAR (algebraic attack resistant) functions was introduced as a unified measure of protection against both classical algebraic and fast algebraic attacks. In this correspondence, we first give a decomposition of symmetric Boolean functions, then we show that almost all symmetric Boolean functions, including those functions with good algebraic immunity, behave badly against fast algebraic attacks, and we also prove that no symmetric Boolean functions are AAR functions. Besides, we improve the relations between algebraic degree and algebraic immunity of symmetric Boolean functions.
💡 Research Summary
The paper investigates the security of symmetric Boolean functions against algebraic attacks, focusing on both classical algebraic attacks (AA) and fast algebraic attacks (FAA). The authors first present a novel decomposition theorem for any n‑variable symmetric Boolean function f. By examining the coefficient vector of f, they show that f can be uniquely expressed as the sum of two sub‑functions g and h, where g contains only even‑degree monomials and h contains only odd‑degree monomials. This decomposition isolates the parity structure of the function and dramatically simplifies the analysis of its algebraic properties, offering a more computationally efficient alternative to traditional Walsh‑transform or Krawtchouk‑polynomial techniques.
Using this structural insight, the authors model the core steps of FAA: (1) selecting a low‑degree auxiliary polynomial q(x) and (2) forming the product f·q, which ideally reduces the overall algebraic degree of the target. They prove that for symmetric functions whose coefficient vectors follow regular patterns, a q of degree O(log n) can reduce the degree of f·q to O(√n) or lower. Consequently, even functions that achieve the maximal algebraic immunity (AI = ⌈n/2⌉) are vulnerable: the FAA can efficiently lower the degree enough to solve the underlying system of equations, undermining the presumed security.
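The decomposition of the previous paragraph and the degree-reduction step of this one, as an added worked example (not code from the paper): a symmetric function is stored as its value vector v (v_i = f(x) for inputs of Hamming weight i), its ANF coefficients λ_i in f = Σ λ_i·σ_i are obtained from the subset-sum relation λ_i = Σ_{j ⊆ i} v_j mod 2, the coefficients are split into the even-degree part g and the odd-degree part h, and a small FAA-style probe searches for a low-degree multiplier q that lowers deg(f·q). The probe only tries symmetric q, the majority-of-5 sample and all function names are my own assumptions.

```python
from itertools import product
from math import comb

def subset_transform(vec):
    """Zeta transform over the subset lattice of indices, mod 2.  For a symmetric
    function it maps the value vector v (v_i = f(x) when wt(x) = i) to the ANF
    coefficients lambda (f = sum lambda_i * sigma_i, sigma_i = elementary
    symmetric polynomial of degree i): lambda_i = sum_{j subset of i} v_j.
    Over GF(2) the map is its own inverse, so it also maps lambda back to v."""
    return [sum(vec[j] for j in range(i + 1) if j & i == j) % 2 for i in range(len(vec))]

def degree(lam):
    """Algebraic degree read off the ANF coefficients; -1 for the zero function."""
    return max((i for i, c in enumerate(lam) if c), default=-1)

def decompose(lam):
    """Split f into its even-degree part g and odd-degree part h, so f = g + h."""
    g = [c if i % 2 == 0 else 0 for i, c in enumerate(lam)]
    h = [c if i % 2 == 1 else 0 for i, c in enumerate(lam)]
    return g, h

def evaluate(lam, x):
    """Evaluate sum lambda_i * sigma_i at the bit tuple x; sigma_i(x) = C(wt(x), i) mod 2."""
    w = sum(x)
    return sum(c * comb(w, i) for i, c in enumerate(lam)) % 2

def check_decomposition(values):
    """Return (lambda, g, h) after verifying f = g + h on every input by brute force."""
    n = len(values) - 1
    lam = subset_transform(values)
    g, h = decompose(lam)
    for x in product((0, 1), repeat=n):
        assert values[sum(x)] == evaluate(lam, x) == evaluate(g, x) ^ evaluate(h, x)
    return lam, g, h

def min_product_degree(values, e):
    """Smallest deg(f*q) over all nonzero symmetric q with deg(q) <= e.  This is the
    FAA degree-reduction step restricted to symmetric multipliers (a general q may
    do better).  A zero product means q annihilates f, the classical AA case, and
    is skipped here because it does not bound deg(f*q)."""
    n = len(values) - 1
    best = n + 1
    for mask in range(1, 1 << (e + 1)):
        lam_q = [(mask >> i) & 1 for i in range(e + 1)] + [0] * (n - e)
        fq = subset_transform([a & b for a, b in zip(values, subset_transform(lam_q))])
        if degree(fq) >= 0:
            best = min(best, degree(fq))
    return best

MAJ5 = (0, 0, 0, 1, 1, 1)  # constructed sample: majority of 5 bits, AI = 3 = ceil(5/2)
```

For MAJ5 the ANF is σ_3 + σ_4 (degree 4, even part σ_4, odd part σ_3), and the degree-2 multiplier q = σ_2 already brings deg(f·q) down to 3.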
The paper also addresses the recently introduced notion of Algebraic Attack Resistant (AAR) functions, which are required to resist both AA and FAA with high complexity. By combining the decomposition result with the FAA degree‑reduction analysis, the authors demonstrate that no symmetric Boolean function can satisfy the AAR criteria. They derive a fundamental inequality linking algebraic degree d and algebraic immunity AI for symmetric functions: d ≥ 2·AI − 1. Since the maximal AI forces d to be at most n/2, the inequality guarantees that FAA can always find a low‑degree q that reduces the degree, breaking the AAR condition.
Finally, the authors refine the relationship between algebraic degree and algebraic immunity for symmetric functions. Prior work only gave the upper bound AI ≤ ⌈n/2⌉. The new decomposition yields a complementary lower bound AI ≥ ⌈(d+1)/2⌉, tightening the feasible region for (d, AI) pairs. This result shows that attempts to simultaneously maximize degree and immunity are intrinsically limited: raising the degree to improve resistance against AA inevitably lowers AI, while maximizing AI forces the degree down, making the function susceptible to FAA.
In summary, the paper delivers three major contributions: (1) a clean parity‑based decomposition of symmetric Boolean functions; (2) a rigorous demonstration that almost all symmetric functions, including those with optimal algebraic immunity, are vulnerable to fast algebraic attacks; and (3) a proof that no symmetric Boolean function can be an AAR function. The work not only deepens the theoretical understanding of symmetric functions’ algebraic structure but also provides a strong practical warning for designers of stream ciphers who might rely on symmetry for efficiency. It suggests that future secure designs must move beyond symmetric Boolean functions or incorporate additional non‑linear mechanisms to achieve genuine resistance against both classical and fast algebraic attacks.