IEICE TRANS. FUNDAMENTALS, VOL.E88–A, NO.1 JANUARY 2005
PAPER
Special Section on Cryptography and Information Security
Constructing Boolean Functions by Modifying Maiorana-McFarland's Superclass Functions

Xiangyong ZENG†a) and Lei HU††b), Nonmembers
SUMMARY In this study, we construct balanced Boolean functions with a high nonlinearity and an optimum algebraic degree for both odd and even dimensions. Our approach is based on modifying functions from the Maiorana-McFarland's superclass, which has been introduced by Carlet. A drawback of Maiorana-McFarland's functions is that their restrictions obtained by fixing some variables in their input are affine. Affine functions are cryptographically weak functions, so there is a risk that this property will be exploited in attacks. Due to the contribution of Carlet, our constructions do not have the potential weakness that is shared by the Maiorana-McFarland construction or its modifications.

key words: Boolean function, nonlinearity, algebraic degree, balancedness, Walsh spectrum
1. Introduction
Boolean functions used in cryptosystems are required to have good cryptographic properties, such as balancedness, a high nonlinearity and a high algebraic degree, to ensure that the systems are resistant against linear cryptanalysis [1]. By achieving optimum nonlinearity, bent functions resist linear attacks in the best possible manner ([2], [3]). However, they are improper for direct use since they are not balanced. Moreover, they exist only in even dimensions. This has led people to search for new classes of Boolean functions that behave like a bent function. Such a class of functions is often called "3-valued," or "plateaued," or "bentlike" ([4]–[8]), that is, such a function takes only three Walsh spectrum values $0, \pm 2^i$ for a positive integer $i$, and can be balanced for both odd and even dimensions. (Note that if a Boolean function is said to have 3-value spectra, this means that its spectra have three distinct values, and one spectrum value is zero and the other two are opposite numbers. By Parseval's equality, nonzero spectrum values must be $\pm 2^i$ with $i > \frac{n}{2}$.)

Based on the divisibility of the Walsh transform, an $n$-variable Boolean function $f$ with 3-value spectra $0, \pm 2^i$ must satisfy $\deg(f) \le n - i + 1$ [9]. When $n$ is odd, $f$ can achieve the nonlinearity $2^{n-1} - 2^{\frac{n-1}{2}}$ (such a value is called the bent concatenation nonlinearity), but the degree of $f$ is bounded by $\deg(f) \le \frac{n+1}{2}$. When $n$ is even, $f$ can achieve the nonlinearity $2^{n-1} - 2^{\frac{n}{2}}$ and its degree should satisfy $\deg(f) \le \frac{n}{2}$. So, for $n$-variable functions $f$ with 3-value spectra, $2^{n-1} - 2^{\frac{n-1}{2}}$ ($2^{n-1} - 2^{\frac{n}{2}}$) is their maximal nonlinearity for odd (even) $n$, and they do not have a high algebraic degree near $n$. Also, they have high divisibilities of their Walsh spectra, and there is a risk that this property can be exploited in attacks against block ciphers as described in [10]. So it is of interest to construct balanced functions with a high nonlinearity and a high algebraic degree.

When $n$ is odd, to the best of our knowledge, there is no other known way to construct $n$-variable Boolean functions with a nonlinearity larger than the bent concatenation nonlinearity unless the Patterson-Wiedemann functions or their modifications are used as building blocks ([11], [12]). We will construct balanced functions achieving a bent concatenation nonlinearity and possessing an optimum algebraic degree. For $n$ being even, Carlet gives two concrete classes of $n$-variable functions with the nonlinearity $2^{n-1} - 2^{\frac{n}{2}-1} - 2^{\lfloor \frac{n}{4} \rfloor}$ (this value is the best nonlinearity for balanced functions when $n \le 26$ and $\frac{n}{2}$ is odd), where $\lfloor \frac{n}{4} \rfloor$ denotes the largest integer not exceeding $\frac{n}{4}$ [13]. Essentially, these functions are not new and can be constructed by Dobbertin's method [14], where the algebraic degree is not considered. We will construct $n$-variable balanced functions with a nonlinearity close to $2^{n-1} - 2^{\frac{n}{2}-1} - 2^{\lfloor \frac{n}{4} \rfloor}$ whilst possessing an optimum algebraic degree for an even $n$.

Although many functions with good cryptographic properties can be obtained from the Maiorana-McFarland construction or its modifications ([15]–[19]), as pointed out in [13], there may exist a weakness in these functions as the derived functions, obtained by fixing certain input bits of these functions, are affine. To avoid this drawback, Carlet introduced a concept of Maiorana-McFarland's superclass. Different from previous constructions, our approach is based on modifying functions from the Maiorana-McFarland's superclass. Due to the contribution of Carlet to the superclass, our constructions do not have this drawback.

This paper is arranged as follows: In Section 2 we give some definitions and preliminaries. In Sections 3-4, we describe some Boolean functions from the Maiorana-McFarland's superclass and their use as building blocks to construct balanced Boolean functions with a high nonlinearity and algebraic degree for both odd and even dimensions.

Manuscript received February 26, 2004. Manuscript revised June 25, 2004. Final manuscript received August 30, 2004.
† The author is with the Faculty of Mathematics and Computer Science, Hubei University, Xueyuan Road 11, Wuhan 430062, P.R. China.
†† The author is with the State Key Laboratory of Information Security (Graduate School of Chinese Academy of Sciences), 19A Yuquan Road, Beijing 100049, P.R. China.
Copyright © 2005 The Institute of Electronics, Information and Communication Engineers
2. Preliminaries
In this paper, we shall distinguish between the additions of integers in the real field $R$, denoted by $+$ and $\sum_i$, and the additions mod 2, denoted by $\oplus$ and $\bigoplus_i$. $\lfloor x \rfloor$ denotes the largest integer not exceeding $x$.

First we review some basic facts about Boolean functions. A Boolean function in $n$ variables is an $F_2$-valued function on the space $F_2^n$ of $n$-tuples over $F_2$. Every Boolean function $f$ on $F_2^n$ admits a unique representation as a polynomial over $F_2$ in $n$ binary variables of the form

$$f(x_n, \cdots, x_1) = \bigoplus_{I \subseteq \{1,\cdots,n\}} a_I \prod_{i \in I} x_i.$$

This representation is called the algebraic normal form (ANF) of $f$. We will call the degree of the ANF the algebraic degree of $f$ and denote it $\deg(f)$. The truth table of the function $f$ on $F_2^n$ is a (0, 1)-sequence defined by $(f(\alpha_0), f(\alpha_1), \cdots, f(\alpha_{2^n-1}))$, where $\alpha_0 = (0, \cdots, 0, 0)$, $\alpha_1 = (0, \cdots, 0, 1)$, $\cdots$, $\alpha_{2^n-1} = (1, \cdots, 1, 1)$, arranged in lexicographic order.

The Walsh transform of an $n$-variable function $f : F_2^n \to F_2$ is an integer-valued function $W_f$ defined as

$$W_f(\lambda) = \sum_{x \in F_2^n} (-1)^{f(x) \oplus \lambda \cdot x}$$

for $\lambda \in F_2^n$, where the inner product operation is $\lambda \cdot x = \bigoplus_{i=1}^{n} \lambda_i x_i$ for $\lambda = (\lambda_n, \cdots, \lambda_1)$ and $x = (x_n, \cdots, x_1)$. The values of $W_f$ are called the spectra of $f$. The function $f$ is balanced if and only if $W_f(0) = 0$.

Let $\eta$, $\eta_1$, and $\eta_2$ be binary strings of the same length. The bitwise complement of $\eta$ is denoted by $\eta^c$. We denote the number of places where $\eta_1$ and $\eta_2$ are distinct by $|(\eta_1 \neq \eta_2)|$. The Hamming distance between $\eta_1$ and $\eta_2$ is $d(\eta_1, \eta_2) = |(\eta_1 \neq \eta_2)|$. The Walsh distance $wd(\eta_1, \eta_2)$ is defined as $|(\eta_1 = \eta_2)| - |(\eta_1 \neq \eta_2)|$. The Hamming weight of $\eta$ is the number of entries 1 in $\eta$ and is denoted by $wt(\eta)$. The concatenation of $\eta_1$ followed by $\eta_2$ is denoted by $\eta_1\eta_2$. Let $\eta$ be the truth table of the function $f$. If the context is clear, we will use $\eta$ and $f$ without distinction for simplicity.

Let $A(n)$ ($L(n)$) denote the set of all $n$-variable affine (linear) functions. The nonlinearity $N_f$ of an $n$-variable function is defined as $N_f = \min_{g \in A(n)} d(f, g)$.

Bent functions have an optimal nonlinearity [3], but are not balanced, so they cannot be directly used in the design of cryptosystems. Functions with 3-value spectra behave like a bent function and can be balanced for both odd and even dimensions; however, the trade-off between the nonlinearity and algebraic degree of these functions is not very good. Furthermore, the nonlinearity of functions with 3-value spectra in the even dimension is not fully satisfactory. Our purpose is to obtain balanced Boolean functions with a high nonlinearity whilst possessing an optimum algebraic degree.

3. Some Functions from Maiorana-McFarland's Superclass
The Maiorana-McFarland construction provides a class of cryptographic Boolean functions. A drawback of Maiorana-McFarland's function is that their restrictions obtained by fixing some variables in their input are affine [13]. Affine functions are cryptographically weak functions, so there is a risk that this property is exploited in attacks. To avoid this drawback, Carlet introduces a new class of functions, the Maiorana-McFarland's superclass, which leads to a larger class of cryptographic Boolean functions ([8], [13]). In this section, we will describe some functions from the Maiorana-McFarland's superclass and use them as building blocks to construct new Boolean functions in Section 4.

We will frequently use the following lemma to calculate the spectra of Boolean functions. Refer to [20] for information regarding the quadratic form over a finite field.

Lemma 1: Let $Q(x_k, \cdots, x_1)$ be a binary quadratic function over $F_2$ of the form $x_1x_2 + \cdots + x_{2t-1}x_{2t}$ ($2 \le 2t \le k$) or $x_1x_2 + \cdots + x_{2t-1}x_{2t} + x_{2t+1}$ ($3 \le 2t + 1 \le k$). Then as an equation of $x_1, \cdots, x_k$, the numbers $\rho_z$ of solutions for $Q(x_1, \cdots, x_k) = z$ are $2^{k-1} + 2^{k-t-1}v(z)$ and $2^{k-1}$, where $v(0) = 1$ and $v(1) = -1$, respectively.

By choosing suitable functions $\psi, \phi, g$ of $f_{\psi,\phi,g}(x, y)$ in [13], we can obtain the following functions:

3.1 Functions with $2k - 2m$ Variables

Let

$$f_{c_0}(y, x) = \begin{cases} \bigoplus_{i=1}^{s} x_{2i-1}x_{2i} \oplus c_0 & \text{if } y = 0; \\ \bigoplus_{i=1}^{m} x_{2i-1}x_{2i} \oplus \bigoplus_{i=1}^{k-2m} y_i x_{i+2m} & \text{if } y \neq 0, \end{cases}$$

where $x = (x_k, \cdots, x_1) \in F_2^k$, $y = (y_{k-2m}, \cdots, y_1) \in F_2^{k-2m}$, $c_0 \in F_2$ and $0 < m < s \le \frac{k}{2}$ [13]. For any given $a = (a_k, \cdots, a_1) \in F_2^k$ and $b = (b_{k-2m}, \cdots, b_1) \in F_2^{k-2m}$, set

$$\tau = \sum_{x \in F_2^k} \left[ (-1)^{\bigoplus_{i=1}^{s} x_{2i-1}x_{2i} \oplus c_0 \oplus a \cdot x} - (-1)^{\bigoplus_{i=1}^{m} x_{2i-1}x_{2i} \oplus a \cdot x} \right].$$

Then

$$\begin{aligned}
W_{f_{c_0}}(b, a) &= \sum_{x \in F_2^k,\, y \in F_2^{k-2m}} (-1)^{f_{c_0}(y,x) \oplus a \cdot x \oplus b \cdot y} \\
&= \sum_{x \in F_2^k,\, y \in F_2^{k-2m}} (-1)^{\bigoplus_{i=1}^{m} x_{2i-1}x_{2i} \oplus \left(\bigoplus_{i=1}^{k-2m} y_i x_{i+2m}\right) \oplus a \cdot x \oplus b \cdot y} + \tau \\
&= \sum_{y \in F_2^{k-2m}} (-1)^{b \cdot y} \sum_{x \in F_2^k} (-1)^{\bigoplus_{i=1}^{m} x_{2i-1}x_{2i} \oplus \bigoplus_{i=1}^{k-2m} y_i x_{i+2m} \oplus a \cdot x} + \tau \\
&= \sum_{y \in F_2^{k-2m},\, y = \bar{a}} (-1)^{b \cdot y} \sum_{x \in F_2^k} (-1)^{\bigoplus_{i=1}^{m} x_{2i-1}x_{2i} \oplus \bigoplus_{i=1}^{2m} a_i x_i} + \tau \\
&= (-1)^{b \cdot \bar{a}}\, 2^{k-2m} \sum_{x \in F_2^{2m}} (-1)^{\bigoplus_{i=1}^{m} x_{2i-1}x_{2i} \oplus \bigoplus_{i=1}^{2m} a_i x_i} + \tau,
\end{aligned}$$

where $\bar{a} = (a_k, \cdots, a_{2m+2}, a_{2m+1})$. Making an invertible affine transformation of $x$: $x_{2i-1} \to x_{2i-1} \oplus a_{2i}$, $x_{2i} \to x_{2i} \oplus a_{2i-1}$ for $1 \le i \le 2m$, then

$$\begin{aligned}
W_{f_{c_0}}(b, a) &= (-1)^{b \cdot \bar{a}}\, 2^{k-2m} \sum_{x \in F_2^{2m}} (-1)^{\bigoplus_{i=1}^{m} x_{2i-1}x_{2i} \oplus \bigoplus_{i=1}^{m} a_{2i-1}a_{2i}} + \tau \\
&= (-1)^{b \cdot \bar{a} \oplus \bigoplus_{i=1}^{m} a_{2i-1}a_{2i}}\, 2^{k-2m} \sum_{x \in F_2^{2m}} (-1)^{\bigoplus_{i=1}^{m} x_{2i-1}x_{2i}} + \tau \\
&= (-1)^{b \cdot \bar{a} \oplus \bigoplus_{i=1}^{m} a_{2i-1}a_{2i}}\, 2^{k-m} + \tau.
\end{aligned}$$

By Lemma 1, we have

$$\sum_{x \in F_2^k} (-1)^{\bigoplus_{i=1}^{s} x_{2i-1}x_{2i} \oplus c_0 \oplus a \cdot x} = 0 \text{ or } 2^{k-s}$$

and

$$\sum_{x \in F_2^k} (-1)^{\bigoplus_{i=1}^{m} x_{2i-1}x_{2i} \oplus a \cdot x} = 0 \text{ or } 2^{k-m},$$

and so, $2^{k-s}$ divides $W_{f_{c_0}}(b, a)$ since $m < s \le \frac{k}{2}$. Using theorem 18 of [9],

$$\deg(f_{c_0}) \le 2k - 2m + 1 - (k - s) = k + s + 1 - 2m.$$

3.2 Functions with $2k - 2m + 1$ Variables for Even $k$

Let

$$g_{c_0}(z, y, x) = \begin{cases} \bigoplus_{i=1}^{\frac{k}{2}} x_{2i-1}x_{2i} \oplus \left(\bigoplus_{i=1}^{\frac{k}{2}-m} y_{2i-1}y_{2i}\right) \oplus c_0 & \text{if } z = 0; \\ \bigoplus_{i=1}^{\frac{k}{2}} x_{2i-1}x_{2i} \oplus c_0 & \text{if } z = 1,\ y = 0; \\ \bigoplus_{i=1}^{m} x_{2i-1}x_{2i} \oplus \left(\bigoplus_{i=1}^{k-2m} y_i x_{i+2m}\right) & \text{if } z = 1,\ y \neq 0; \end{cases}$$

where $x$, $y$ and $c_0$ are given as in Section 3.1, $z \in F_2$, $k$ is assumed to be even and $k > 2m$ [13]. Similarly as in Section 3.1, $2^{\frac{k}{2}}$ divides $W_{g_{c_0}}(c, b, a)$ for any $a \in F_2^k$, $b \in F_2^{k-2m}$ and $c \in F_2$, and

$$\deg(g_{c_0}) \le 2k - 2m + 1 + 1 - \frac{k}{2} = \frac{3k}{2} - 2m + 2.$$

3.3 Functions with $2k - 2m + 1$ Variables for Odd $k$

Let

$$h_{c_0}(z, y, x) = \begin{cases} \bigoplus_{i=1}^{\frac{k-1}{2}} x_{2i-1}x_{2i} \oplus x_k y_1 \oplus \bigoplus_{i=1}^{\frac{k-1}{2}-m} y_{2i}y_{2i+1} \oplus c_0 & \text{if } z = 0; \\ \bigoplus_{i=1}^{\frac{k-1}{2}} x_{2i-1}x_{2i} \oplus x_k & \text{if } z = 1,\ y = 0; \\ \bigoplus_{i=1}^{m} x_{2i-1}x_{2i} \oplus \left(\bigoplus_{i=1}^{k-2m} y_i x_{i+2m}\right) & \text{if } z = 1,\ y \neq 0; \end{cases}$$

where $x$, $y$, $z$ and $c_0$ are given as in Section 3.2, and $k$ is assumed to be odd and $k > 2m$ [13]. Similarly,

$$\deg(h_{c_0}) \le \frac{3k}{2} - 2m + \frac{3}{2}.$$

4. Constructing Cryptographic Functions by Modifications
In this section, we will modify those functions constructed in Section 3 to obtain cryptographically good functions for both odd and even dimensions. First, we construct Boolean functions for odd dimensions.

Construction 1: Assume $m > 0$, $n = 2k - 2m + 1$, and let the function $f_0$ of $n - 1$ variables be defined as in Section 3.1. Define an $n$-variable function $f$ as

$$f(x_n, \cdots, x_1) = f_0(x_{n-1}, \cdots, x_1) \oplus (1 \oplus x_{n-1}) \cdots (1 \oplus x_1) \oplus x_n(1 \oplus x_{n-1}) \cdots (1 \oplus x_{k+1}).$$

For convenience, to characterize the cryptographic properties of $f$, we first give its equivalent description.

Lemma 2. We define a function of $n - 1$ variables $\tilde{f}_i : F_2^{n-1} \to F_2$ by modifying $f_i$ ($i = 0, 1$) as

$$\tilde{f}_i(x) = \begin{cases} f_i(x)^c & \text{if } (x_{n-1}, \cdots, x_1) = (0, \cdots, 0), \\ f_i(x) & \text{otherwise,} \end{cases}$$

where $x = (x_{n-1}, \cdots, x_1)$. Then

$$f(x_n, \cdots, x_1) = (1 \oplus x_n)\tilde{f}_0(x_{n-1}, \cdots, x_1) \oplus x_n \tilde{f}_1(x_{n-1}, \cdots, x_1),$$

i.e., $f = \tilde{f}_0\tilde{f}_1$.

Proof: This lemma is obvious by checking the following two equalities.

$$\tilde{f}_i(x_{n-1}, \cdots, x_1) = f_i(x_{n-1}, \cdots, x_1) \oplus (1 \oplus x_{n-1}) \cdots (1 \oplus x_1),$$

$$\bigoplus_{i=0}^{1} \tilde{f}_i(x_{n-1}, \cdots, x_1) = \bigoplus_{i=0}^{1} f_i(x_{n-1}, \cdots, x_1) = (1 \oplus x_{n-1}) \cdots (1 \oplus x_{k+1}).$$

With Lemma 2, we can characterize the cryptographic properties of $f$ as Theorem 1. It should be noted that Sarkar and Maitra have constructed $n$-variable balanced functions with the nonlinearity $2^{n-1} - 2^{\frac{n-1}{2}}$ and the algebraic degree $n - 1$ for odd $n \ge 7$ ([18], [19]), but their constructions are not based on modifying Maiorana-McFarland's superclass functions.

Theorem 1. For arbitrary odd $n \ge 7$, the $n$-variable function $f$ constructed in construction 1 is balanced, and its nonlinearity is $2^{n-1} - 2^{\frac{n-1}{2}}$ and its algebraic degree is $n - 1$.

Proof: First we know that the algebraic degree of $f$ constructed as construction 1 is $n - 1$ by 3.1 and $n - k < n - (k - s) < n - 1$. By 3.1, $f_0$ is a concatenation of $2^{k-2m}$ distinct quadratic functions of $k$ variables, and its truth table can be written as $\eta_1\eta_2\eta_3$, where $\eta_1$, $\eta_2$ and $\eta_3$ are binary strings of length $1$, $2^k - 1$ and $2^{2k-2m} - 2^k$, respectively. Similarly, the truth table of $f_1$ can be written as $\eta_1^c\eta_2^c\eta_3$. For any given $0 \neq y \in F_2^{k-2m}$, as a function of $x$,

$$f_0(y, x) = f_1(y, x) = \bigoplus_{i=1}^{m} x_{2i-1}x_{2i} \oplus \bigoplus_{i=1}^{k-2m} y_i x_{i+2m}$$

is balanced. Thus using Lemma 2,

$$\begin{aligned}
wt(f) &= wt(\tilde{f}_0) + wt(\tilde{f}_1) \\
&= wt(\eta_1^c\eta_2) + wt(\eta_1\eta_2^c) + 2wt(\eta_3) \\
&= 2^k + 2[(2^{k-2m} - 1)2^{k-1}] \\
&= 2^{n-1},
\end{aligned}$$

and so, $f$ is balanced. For arbitrary odd $n = 2p + 1 \ge 7$, let

$$(k, m) = \begin{cases} (p + 1, 1) & \text{for odd } p, \\ (p + 2, 2) & \text{for even } p, \end{cases}$$

then we have $\frac{k}{2} > m$ and we can construct an $n$-variable function $f$ as construction 1.

Next we show that $N_f = 2^{n-1} - 2^{\frac{n-1}{2}}$. Note that any linear function in $L(n)$ is of the form $ll$ or $ll^c$ for $l \in L(n - 1)$.

Case 1: We first consider linear functions of the form $ll \in L(n)$, where $l \in L(n - 1)$. $l = l_u l_v$, where $l_u$ and $l_v$ are binary strings of length $2^k$ and $2^{2k-2m} - 2^k$, respectively. Then

$$\begin{aligned}
d(f, ll) &= d(\eta_1^c\eta_2\eta_3\eta_1\eta_2^c\eta_3,\ l_u l_v l_u l_v) \\
&= d(\eta_1^c\eta_2, l_u) + 2d(\eta_3, l_v) + d(\eta_1\eta_2^c, l_u) \\
&= 2^k + 2d(\eta_3, l_v).
\end{aligned}$$

Let $\eta_3 = \lambda_1^3\lambda_2^3 \cdots \lambda_{2^{k-2m}-1}^3$ and $l_v = l_1^v l_2^v \cdots l_{2^{k-2m}-1}^v$. Each $l_j^v$ ($1 \le j \le 2^{k-2m} - 1$) has the form $\alpha x$ or $\alpha x + 1$ for $\alpha \in F_2^k$. $\alpha = (\alpha^2, \alpha^1)$, where $\alpha^1$ and $\alpha^2$ are binary vectors of length $2m$ and $k - 2m$, respectively. Each $\lambda_j^3$ is the truth table of some function of $x$ given by

$$\bigoplus_{i=1}^{m} x_{2i-1}x_{2i} \oplus \bigoplus_{i=1}^{k-2m} y_i x_{i+2m}$$

over $F_2^k$ with $(y_{k-2m}, \cdots, y_1) \in F_2^{k-2m} \setminus \{0\}$.

(1) If $\alpha^2 \in F_2^{k-2m} \setminus \{0\}$, then by Lemma 1,

$$2d(\eta_3, l_v) = 2[2^{k-1}(2^{k-2m} - 2) + 2^{k-1} \pm 2^{k-m-1}] = 2^{2k-2m} - 2^k \pm 2^{k-m},$$

and

$$d(f, ll) = 2^{2k-2m} \pm 2^{k-m} = 2^{n-1} \pm 2^{\frac{n-1}{2}}.$$

(2) If $\alpha^2 = 0 \in F_2^{k-2m}$, then by Lemma 1,

$$2d(\eta_3, l_v) = 2[2^{k-1}(2^{k-2m} - 1)] = 2^{2k-2m} - 2^k,$$

and $d(f, ll) = 2^{2k-2m} = 2^{n-1}$.

Case 2: Next we consider linear functions of the form $ll^c \in L(n)$. We write $l = l_{u_1}l_{u_2}l_v$, where $l_{u_1}$, $l_{u_2}$ and $l_v$ are binary strings of length $1$, $2^k - 1$ and $2^{2k-2m} - 2^k$, respectively. Then

$$\begin{aligned}
d(f, ll^c) &= d(\eta_1^c\eta_2\eta_3\eta_1\eta_2^c\eta_3,\ l_{u_1}l_{u_2}l_v l_{u_1}^c l_{u_2}^c l_v^c) \\
&= 2d(\eta_1^c\eta_2, l_{u_1}l_{u_2}) + d(\eta_3, l_v) + d(\eta_3, l_v^c) \\
&= 2d(\eta_1^c\eta_2, l_{u_1}l_{u_2}) + 2^{2k-2m} - 2^k \\
&= 2 + 2d(\eta_1\eta_2, l_{u_1}l_{u_2}) + 2^{2k-2m} - 2^k.
\end{aligned}$$

Note that $\eta_1\eta_2$ is the truth table of the $k$-variable function $\bigoplus_{i=1}^{s} x_{2i-1}x_{2i}$ and $l_{u_1}l_{u_2} \in L(k)$, so by Lemma 1,

$$d(\eta_1\eta_2, l_{u_1}l_{u_2}) = 2^{k-1} \pm 2^{k-s-1}.$$

Then $d(f, ll^c) = 2^{2k-2m} \pm 2^{k-s} + 2$.

Combining the two cases, for $l \in A(n)$,

$$2^{2k-2m} - 2^{k-m} \le d(f, l) \le 2^{2k-2m} + 2^{k-m}.$$

Thus, $N_f = 2^{n-1} - 2^{\frac{n-1}{2}}$ and the proof is complete.

Because $wd(\eta_1, \eta_2) = \lambda - 2d(\eta_1, \eta_2)$ ($\lambda$ is the length of $\eta_1$, $\eta_2$), it is easy to determine that the function $f$ has nine distinct values $\pm 2^{\frac{n+1}{2}}$, $\pm 2^{k-s+1} - 4$, $0$.
Now we construct Boolean functions for even dimensions.

Construction 2: Assume $k$ is even, $k > 2m$, $n = 2k - 2m + 2$, and let the function $g_0$ of $n - 1$ variables be defined as in Section 3.2. We define an $n$-variable $g$ as

$$g(x_n, \cdots, x_1) = g_0(x_{n-1}, \cdots, x_1) \oplus (1 \oplus x_{n-1}) \cdots (1 \oplus x_1) \oplus x_n \oplus x_n x_{n-1} \oplus x_n x_{n-1}(1 \oplus x_{n-2}) \cdots (1 \oplus x_{k+1}).$$

The following lemma gives an equivalent description for $g$.

Lemma 3. We define the functions of $n - 1$ variables $\tilde{g}_i : F_2^{n-1} \to F_2$ by modifying $g_i$ ($i = 0, 1$) as

$$\tilde{g}_i(x) = \begin{cases} g_i(x)^c & \text{if } (x_{n-1}, \cdots, x_1) = (0, \cdots, 0), \\ g_i(x) & \text{otherwise,} \end{cases}$$

where $x = (x_{n-1}, \cdots, x_2, x_1)$. Then

$$g(x_n, \cdots, x_1) = (1 \oplus x_n)\tilde{g}_0(x_{n-1}, \cdots, x_1) \oplus x_n \tilde{g}_1(x_{n-1}, \cdots, x_1),$$

i.e., $g = \tilde{g}_0\tilde{g}_1$.

Proof: This lemma is clarified by checking the following equations.

$$\tilde{g}_i(x_{n-1}, \cdots, x_1) = g_i(x_{n-1}, \cdots, x_1) \oplus (1 \oplus x_{n-1}) \cdots (1 \oplus x_1),$$

$$\bigoplus_{i=0}^{1} \tilde{g}_i(x_{n-1}, \cdots, x_1) = \bigoplus_{i=0}^{1} g_i(x_{n-1}, \cdots, x_1) = 1 \oplus x_{n-1} \oplus x_{n-1}(1 \oplus x_{n-2}) \cdots (1 \oplus x_{k+1}).$$

Theorem 2. For arbitrary even $n \ge 8$ and $n \equiv 0 \bmod 4$, there exists a balanced $n$-variable function with the nonlinearity $2^{n-1} - 2^{\frac{n}{2}-1} - 2^{\frac{n}{4}} - 2$ and the algebraic degree $n - 1$.

Proof: Taking $m = 1$ in construction 2, we have $n = 2k$ and $n \equiv 0 \bmod 4$. Since $\deg(g_0(x)) \le n - \frac{k}{2}$ and $k > 2m = 2$, we know that the algebraic degree of $g$ constructed in construction 2 is $n - 1$. In Section 3.2, $g_0$ is a concatenation of 1 quadratic function of $2k - 2$ variables and $2^{k-2}$ distinct quadratic functions of $k$ variables, and its truth table can be written as $\eta_1\eta_2\eta_3\eta_4$, where $\eta_1$, $\eta_2$, $\eta_3$ and $\eta_4$ are binary strings of length $1$, $2^{2k-2} - 1$, $2^k$ and $2^{2k-2} - 2^k$, respectively. Similarly, the truth table of $g_1$ can be written as $\eta_1^c\eta_2^c\eta_3^c\eta_4$. For any given $z \in F_2$ and $0 \neq y \in F_2^{k-2}$, the function of $x$, that is,

$$g_0(z, y, x) = g_1(z, y, x) = x_1x_2 \oplus \bigoplus_{i=1}^{k-2} y_i x_{i+2},$$

is balanced. Thus by Lemma 3,

$$\begin{aligned}
wt(g) &= wt(\tilde{g}_0) + wt(\tilde{g}_1) \\
&= wt(\eta_1^c\eta_2\eta_3) + wt(\eta_1\eta_2^c\eta_3^c) + 2wt(\eta_4) \\
&= 2^{2k-2} + 2^k + 2[(2^{k-2} - 1)2^{k-1}] = 2^{n-1},
\end{aligned}$$

so $g$ is balanced. Next we show that $N_g = 2^{n-1} - 2^{\frac{n}{2}-1} - 2^{\frac{n}{4}} - 2$.

Case 1: We first consider linear functions of the form $ll \in L(n)$, where $l \in L(n - 1)$. $l = l_u l_v$, where $l_u$ and $l_v$ are binary strings of length $2^{2k-2} + 2^k$ and $2^{2k-2} - 2^k$, respectively. Then

$$\begin{aligned}
d(g, ll) &= d(\eta_1^c\eta_2\eta_3\eta_4\eta_1\eta_2^c\eta_3^c\eta_4,\ l_u l_v l_u l_v) \\
&= d(\eta_1^c\eta_2\eta_3, l_u) + 2d(\eta_4, l_v) + d(\eta_1\eta_2^c\eta_3^c, l_u) \\
&= 2^{2k-2} + 2^k + 2d(\eta_4, l_v).
\end{aligned}$$

Similarly to that for Theorem 1, we have

$$2d(\eta_4, l_v) = 2^{2k-2} - 2^k \pm 2^{k-1} \text{ or } 2^{2k-2} - 2^k,$$

and thus

$$d(g, ll) = 2^{n-1} \pm 2^{\frac{n}{2}-1} \text{ or } 2^{n-1}.$$

Case 2: Next we consider linear functions of the form $ll^c \in L(n)$. $l = l_{u_1}l_{u_2}l_{u_3}l_v$, where $l_{u_1}$, $l_{u_2}$, $l_{u_3}$ and $l_v$ are binary strings of length $1$, $2^{2k-2} - 1$, $2^k$ and $2^{2k-2} - 2^k$, respectively. Then

$$\begin{aligned}
d(g, ll^c) &= d(\eta_1^c\eta_2\eta_3\eta_4\eta_1\eta_2^c\eta_3^c\eta_4,\ l_{u_1}l_{u_2}l_{u_3}l_v l_{u_1}^c l_{u_2}^c l_{u_3}^c l_v^c) \\
&= 2d(\eta_1^c\eta_2\eta_3, l_{u_1}l_{u_2}l_{u_3}) + d(\eta_4, l_v) + d(\eta_4, l_v^c) \\
&= 2d(\eta_1^c\eta_2\eta_3, l_{u_1}l_{u_2}l_{u_3}) + 2^{2k-2} - 2^k \\
&= 2 + 2d(\eta_1\eta_2\eta_3, l_{u_1}l_{u_2}l_{u_3}) + 2^{2k-2} - 2^k \\
&= 2d(\eta_1\eta_2, l_{u_1}l_{u_2}) + 2d(\eta_3, l_{u_3}) + 2 + 2^{2k-2} - 2^k.
\end{aligned}$$

Note that $\eta_1\eta_2$ is the truth table of the function $\bigoplus_{i=1}^{\frac{k}{2}} x_{2i-1}x_{2i} \oplus \bigoplus_{i=1}^{\frac{k}{2}-1} y_{2i-1}y_{2i}$ and $l_{u_1}l_{u_2} \in L(2k - 2)$, so by Lemma 1,

$$d(\eta_1\eta_2, l_{u_1}l_{u_2}) = 2^{2k-3} \pm 2^{k-2}.$$

$\eta_3$ is the truth table of the $k$-variable function $\bigoplus_{i=1}^{\frac{k}{2}} x_{2i-1}x_{2i}$ and $l_{u_3} \in A(k)$, so by Lemma 1,

$$d(\eta_3, l_{u_3}) = 2^{k-1} \pm 2^{\frac{k}{2}-1}.$$

Then $d(g, ll^c) = 2^{n-1} \pm 2^{\frac{n}{2}-1} \pm 2^{\frac{n}{4}} + 2$.

Thus, for any $l \in L(n - 1)$,

$$d(g, ll),\ d(g, ll^c) \ge 2^{n-1} - 2^{\frac{n}{2}-1} - 2^{\frac{n}{4}} + 2,$$

and

$$d(g, ll),\ d(g, ll^c) \le 2^{n-1} + 2^{\frac{n}{2}-1} + 2^{\frac{n}{4}} + 2,$$

then for any $l \in A(n)$,

$$d(g, l) \ge 2^{n-1} - 2^{\frac{n}{2}-1} - 2^{\frac{n}{4}} - 2.$$

Thus, $N_g = 2^{n-1} - 2^{\frac{n}{2}-1} - 2^{\frac{n}{4}} - 2$, and the proof is complete.

The Walsh spectra of the function $g$ constructed as in construction 2 contain seven distinct values $\pm 2^{\frac{n}{2}} \pm 2^{\frac{n}{4}+1} - 4$, $\pm 2^{\frac{n}{2}}$, $0$.

Construction 3: Assume $k$ is odd and $k > 2m$. Set $n = 2k - 2m + 2$ and let the function $h_0$ of $n - 1$ variables be defined as in Section 3.3. We define an $n$-variable function $h$ as

$$h(x_n, \cdots, x_1) = h_0(x_{n-1}, \cdots, x_1) \oplus (1 \oplus x_{n-1}) \cdots (1 \oplus x_1) \oplus x_n x_{n-1} \oplus x_n.$$

Lemma 4 gives an equivalent description for $h$.

Lemma 4. We define the functions of $n - 1$ variables $\tilde{h}_i : F_2^{n-1} \to F_2$ by modifying $h_i$ ($i = 0, 1$) as

$$\tilde{h}_i(x) = \begin{cases} h_i(x)^c & \text{if } (x_{n-1}, \cdots, x_1) = (0, \cdots, 0), \\ h_i(x) & \text{otherwise,} \end{cases}$$

where $x = (x_{n-1}, \cdots, x_1)$. Then

$$h(x_n, \cdots, x_1) = (1 \oplus x_n)\tilde{h}_0(x_{n-1}, \cdots, x_1) \oplus x_n \tilde{h}_1(x_{n-1}, \cdots, x_1),$$

i.e., $h = \tilde{h}_0\tilde{h}_1$.

Theorem 3. For arbitrary even $n \ge 6$ with $n \equiv 2 \bmod 4$, there exists a balanced $n$-variable function with the nonlinearity $2^{n-1} - 2^{\frac{n}{2}-1} - 2^{\frac{n+2}{4}}$ and the algebraic degree $n - 1$.

Proof: Taking $m = 1$ in construction 3, we have $n = 2k$ and then $n \equiv 2 \bmod 4$. Since $\deg(h_0(x)) \le n - \frac{k}{2} - \frac{1}{2}$ and $k > 2m = 2$, we know that the algebraic degree of $h$ constructed in construction 3 is $n - 1$. Let $\eta_1\eta_2\eta_3\eta_4$ be the truth table of $h_0$, where $\eta_1$, $\eta_2$, $\eta_3$ and $\eta_4$ are binary strings of length $1$, $2^{2k-2} - 1$, $2^k$ and $2^{2k-2} - 2^k$, respectively. When $z = 1$ and $y = 0$, the function of $x$, that is,

$$h_0(z, y, x) = h_1(z, y, x) = \bigoplus_{i=1}^{\frac{k-1}{2}} x_{2i-1}x_{2i} \oplus x_k,$$

is balanced. When $z = 1$ and $y \neq 0$, the function of $x$, that is,

$$h_0(z, y, x) = h_1(z, y, x) = x_1x_2 \oplus \bigoplus_{i=1}^{k-2} y_i x_{i+2},$$

is also balanced. Thus by Lemma 4,

$$\begin{aligned}
wt(h) &= wt(\tilde{h}_0) + wt(\tilde{h}_1) \\
&= wt(\eta_1^c\eta_2) + wt(\eta_1\eta_2^c) + 2wt(\eta_3\eta_4) \\
&= 2^{2k-2} + 2[2^{k-2} \cdot 2^{k-1}] = 2^{n-1},
\end{aligned}$$

and so, $h$ is balanced. Next we show that $N_h = 2^{n-1} - 2^{\frac{n}{2}-1} - 2^{\frac{n}{4}+\frac{1}{2}}$.

Case 1: We first consider linear functions of the form $ll \in L(n)$, where $l \in L(n - 1)$. $l = l_u l_{v_1} l_{v_2}$, where $l_u$, $l_{v_1}$ and $l_{v_2}$ are binary strings of length $2^{2k-2}$, $2^k$ and $2^{2k-2} - 2^k$, respectively. Then

$$\begin{aligned}
d(h, ll) &= d(\eta_1^c\eta_2\eta_3\eta_4\eta_1\eta_2^c\eta_3\eta_4,\ l_u l_{v_1} l_{v_2} l_u l_{v_1} l_{v_2}) \\
&= d(\eta_1^c\eta_2, l_u) + 2d(\eta_3\eta_4, l_{v_1}l_{v_2}) + d(\eta_1\eta_2^c, l_u) \\
&= 2^{2k-2} + 2d(\eta_3\eta_4, l_{v_1}l_{v_2}) \\
&= 2^{2k-2} + 2d(\eta_3, l_{v_1}) + 2d(\eta_4, l_{v_2}).
\end{aligned}$$

Let $\eta_4 = \lambda_1^4\lambda_2^4 \cdots \lambda_{2^{k-2}-1}^4$, $l_{v_2} = l_1^{v_2} l_2^{v_2} \cdots l_{2^{k-2}-1}^{v_2}$. $l_{v_1}$ and each $l_j^{v_2}$ ($1 \le j \le 2^{k-2} - 1$) have the form $\alpha x$ or $\alpha x + 1$ for $\alpha \in F_2^k$. $\alpha = (\alpha^2, \alpha^1)$, where $\alpha^1$ and $\alpha^2$ are binary vectors of length $2$ and $k - 2$, respectively. Each $\lambda_j^4$ is the truth table of a function of $x$,

$$x_1x_2 \oplus \bigoplus_{i=1}^{k-2} y_i x_{i+2},$$

over $F_2^k$ with $(y_{k-2}, \cdots, y_1) \in F_2^{k-2} \setminus \{0\}$, and $\eta_3$ is the truth table of the function $\bigoplus_{i=1}^{\frac{k-1}{2}} x_{2i-1}x_{2i} \oplus x_k$.

(1) Assume $\alpha^2 = (\alpha^2_{k-2}, \cdots, \alpha^2_1) \in F_2^{k-2} \setminus \{0\}$. If $\alpha^2_{k-2} = 1$, then using Lemma 1,

$$2d(\eta_3, l_{v_1}) = 2^k \pm 2^{\frac{k+1}{2}}$$

and

$$2d(\eta_4, l_{v_2}) = 2^{2k-2} - 2^k \pm 2^{k-1}.$$

Thus

$$d(h, ll) = 2^{2k-1} \pm 2^{k-1} \pm 2^{\frac{k+1}{2}}.$$

If $\alpha^2_{k-2} = 0$, then $2d(\eta_3, l_{v_1}) = 2^k$ and $2d(\eta_4, l_{v_2}) = 2^{2k-2} - 2^k \pm 2^{k-1}$. Thus,

$$d(h, ll) = 2^{2k-1} \pm 2^{k-1} = 2^{n-1} \pm 2^{\frac{n}{2}-1}.$$

(2) Assume $\alpha^2 = (0, \cdots, 0) \in F_2^{k-2}$, then using Lemma 1,

$$2d(\eta_3, l_{v_1}) = 2^k, \quad 2d(\eta_4, l_{v_2}) = 2^{2k-2} - 2^k.$$

Thus, $d(h, ll) = 2^{2k-1} = 2^{n-1}$.

Case 2: Next we consider linear functions of the form $ll^c \in L(n)$. We write $l = l_{u_1}l_{u_2}l_v$, where $l_{u_1}$, $l_{u_2}$ and $l_v$ are binary strings of length $1$, $2^{2k-2} - 1$ and $2^{2k-2}$, respectively. Then

$$\begin{aligned}
d(h, ll^c) &= d(\eta_1^c\eta_2\eta_3\eta_4\eta_1\eta_2^c\eta_3\eta_4,\ l_{u_1}l_{u_2}l_v l_{u_1}^c l_{u_2}^c l_v^c) \\
&= 2d(\eta_1^c\eta_2, l_{u_1}l_{u_2}) + d(\eta_3\eta_4, l_v) + d(\eta_3\eta_4, l_v^c) \\
&= 2d(\eta_1^c\eta_2, l_{u_1}l_{u_2}) + 2^{2k-2} \\
&= 2 + 2d(\eta_1\eta_2, l_{u_1}l_{u_2}) + 2^{2k-2}.
\end{aligned}$$

Note that $\eta_1\eta_2$ is the truth table of the function,

$$\bigoplus_{i=1}^{\frac{k-1}{2}} x_{2i-1}x_{2i} \oplus x_k y_1 \oplus \bigoplus_{i=1}^{\frac{k-1}{2}-1} y_{2i}y_{2i+1},$$

and that $l_{u_1}l_{u_2} \in L(2k - 2)$, by Lemma 1,

$$d(\eta_1\eta_2, l_{u_1}l_{u_2}) = 2^{2k-3} \pm 2^{k-2}.$$

Then $d(h, ll^c) = 2^{n-1} \pm 2^{\frac{n}{2}-1} + 2$.

Thus, for any $l \in L(n - 1)$,

$$d(h, ll),\ d(h, ll^c) \ge 2^{n-1} - 2^{\frac{n}{2}-1} - 2^{\frac{n}{4}+\frac{1}{2}},$$

and

$$d(h, ll),\ d(h, ll^c) \le 2^{n-1} + 2^{\frac{n}{2}-1} + 2^{\frac{n}{4}+\frac{1}{2}},$$

and for any $l \in A(n)$,

$$d(h, l) \ge 2^{n-1} - 2^{\frac{n}{2}-1} - 2^{\frac{n}{4}+\frac{1}{2}}.$$

So, $N_h = 2^{n-1} - 2^{\frac{n}{2}-1} - 2^{\frac{n}{4}+\frac{1}{2}}$, and the proof is complete.

The Walsh spectra of function $h$ constructed as in construction 3 contain nine distinct values $\pm 2^{\frac{n}{2}} - 4$, $\pm 2^{\frac{n}{2}}$, $0$, $\pm 2^{\frac{n}{2}} \pm 2^{\frac{n}{4}+\frac{3}{2}}$.

When $n \le 26$ and $\frac{n}{2}$ is odd, $2^{n-1} - 2^{\frac{n}{2}-1} - 2^{\frac{n-2}{4}}$ is the best known nonlinearity for balanced $n$-variable functions [13]. Carlet claims that this nonlinearity can be attained only with his method in [13] and that of Dobbertin's in [14]. In fact, these functions constructed by Carlet are not new and can be obtained by Dobbertin's method. This fact is easy to check. Neither Dobbertin nor Carlet considers the algebraic degree of those functions. Thus, it is an interesting open problem to construct functions with the nonlinearity $2^{n-1} - 2^{\frac{n}{2}-1} - 2^{\frac{n-2}{4}}$ and maximal algebraic degree for $n \le 26$.

To end this section, we give three examples of functions, each of which is constructed as one of the above three constructions.

$$\begin{aligned}
f(x_7, \cdots, x_1) = {} & x_7 \oplus x_1x_2 \oplus x_3x_4 \oplus x_3x_5 \oplus x_4x_6 \oplus x_5x_7 \oplus x_6x_7 \oplus x_3x_4x_5 \oplus x_3x_4x_6 \\
& \oplus x_5x_6x_7 \oplus x_3x_4x_5x_6 \oplus (1 \oplus x_6) \cdots (1 \oplus x_2)(1 \oplus x_1),
\end{aligned}$$

$$\begin{aligned}
g(x_8, \cdots, x_1) = {} & x_8 \oplus x_1x_2 \oplus x_3x_4 \oplus x_5x_6 \oplus x_3x_5x_7 \oplus x_4x_6x_7 \oplus x_5x_6x_7 \oplus x_5x_7x_8 \oplus x_6x_7x_8 \\
& \oplus x_3x_4x_5x_7 \oplus x_3x_4x_6x_7 \oplus x_5x_6x_7x_8 \oplus x_3x_4x_5x_6x_7 \oplus (1 \oplus x_7) \cdots (1 \oplus x_2)(1 \oplus x_1),
\end{aligned}$$

$$h(x_6, \cdots, x_1) = x_6 \oplus x_1x_2 \oplus x_3x_4 \oplus x_3x_5 \oplus x_5x_6 \oplus x_3x_4x_5 \oplus (1 \oplus x_5) \cdots (1 \oplus x_2)(1 \oplus x_1).$$

The nonlinearity and algebraic degrees of these functions are described in Table 1. A 6-variable Boolean function with 3-value spectra may achieve the nonlinearity of $h(x_6, \cdots, x_1)$, but for even $n > 6$, the nonlinearity of $n$-variable functions constructed by our method is higher than that of any $n$-variable functions with 3-value spectra. For $n \ge 6$, all $n$-variable functions constructed in this paper achieve an optimum algebraic degree, which is impossible for $n$-variable functions with 3-value spectra.

Table 1 Nonlinearity and algebraic degree.

| function | n-variable | nonlinearity | algebraic degree |
|---|---|---|---|
| h | 6 | 24 | 5 |
| f | 7 | 56 | 6 |
| g | 8 | 114 | 7 |

5. Conclusion

By modifying the Maiorana-McFarland's superclass functions, we have constructed balanced $n$-variable Boolean functions with a high nonlinearity and an optimum algebraic degree for $n \ge 6$.
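The three example functions of Section 4 can be checked against Table 1 by direct computation. The block below is an added example, not code from the paper: it evaluates each ANF, computes the Walsh spectrum of Section 2 with a fast transform, and also lists the degrees of the restrictions obtained by fixing the upper variables, next to a constructed Maiorana-McFarland function (`MM`, an assumption of this example) whose restrictions are affine. All function names are this example's own.

```python
# Added example, not code from the paper. Bit i-1 of the integer x holds x_i,
# so x_n is the top bit and tables come out in the lexicographic order of Section 2.

def truth_table(n, monomials, r):
    """Truth table of (XOR of the monomials) XOR (1+x_r)...(1+x_1); r = 0 omits the product."""
    low_mask = (1 << r) - 1
    table = []
    for x in range(1 << n):
        bit = 0
        for mono in monomials:              # a monomial is a tuple of 1-based indices
            bit ^= int(all((x >> (i - 1)) & 1 for i in mono))
        if r and (x & low_mask) == 0:       # product term is 1 only at x_r = ... = x_1 = 0
            bit ^= 1
        table.append(bit)
    return table


def walsh(table):
    """W_f(lambda) = sum_x (-1)^(f(x) XOR lambda.x), via the Walsh-Hadamard butterfly."""
    w = [1 - 2 * b for b in table]
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
        h *= 2
    return w


def anf_degree(table):
    """Algebraic degree, from the ANF coefficients given by the binary Moebius transform."""
    a = list(table)
    h = 1
    while h < len(a):
        for i in range(0, len(a), 2 * h):
            for j in range(i, i + h):
                a[j + h] ^= a[j]
        h *= 2
    return max((bin(i).count("1") for i, c in enumerate(a) if c), default=0)


def profile(table):
    """Balancedness, nonlinearity, degree and distinct Walsh values of a truth table."""
    n = len(table).bit_length() - 1
    w = walsh(table)
    return {
        "n": n,
        "balanced": w[0] == 0,              # f is balanced iff W_f(0) = 0
        "nonlinearity": 2 ** (n - 1) - max(abs(v) for v in w) // 2,
        "degree": anf_degree(table),
        "spectrum": sorted(set(w)),
    }


def restriction_degrees(table, free):
    """Distinct degrees of the restrictions that fix every variable above x_free."""
    size = 1 << free
    return sorted({anf_degree(table[i:i + size]) for i in range(0, len(table), size)})


# ANFs transcribed from the three examples at the end of Section 4.
H = truth_table(6, [(6,), (1, 2), (3, 4), (3, 5), (5, 6), (3, 4, 5)], 5)
F = truth_table(7, [(7,), (1, 2), (3, 4), (3, 5), (4, 6), (5, 7), (6, 7),
                    (3, 4, 5), (3, 4, 6), (5, 6, 7), (3, 4, 5, 6)], 6)
G = truth_table(8, [(8,), (1, 2), (3, 4), (5, 6), (3, 5, 7), (4, 6, 7), (5, 6, 7),
                    (5, 7, 8), (6, 7, 8), (3, 4, 5, 7), (3, 4, 6, 7), (5, 6, 7, 8),
                    (3, 4, 5, 6, 7)], 7)

# Constructed contrast, not from the paper: the Maiorana-McFarland bent function
# x1x4 + x2x5 + x3x6. Fixing (x6, x5, x4) leaves an affine function of (x3, x2, x1).
MM = truth_table(6, [(1, 4), (2, 5), (3, 6)], 0)

if __name__ == "__main__":
    for name, table in (("h", H), ("f", F), ("g", G)):
        print(name, profile(table))
    print("MM restriction degrees:", restriction_degrees(MM, 3))
    print("f  restriction degrees:", restriction_degrees(F, 4))
```

For `f` and `g` the restrictions to $x = (x_4, \cdots, x_1)$ all have degree at least 2, whereas every restriction of `MM` has degree at most 1.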
Acknowledgements

The authors wish to thank the referees for helpful suggestions. The authors also wish to acknowledge the support of the National Science Foundation of China (NSFC) under grant Nos. 60373041, 90104034 and 60373089.

References

[1] M. Matsui, "Linear cryptanalysis method for DES cipher," Advances in Cryptology-Eurocrypt'93, Workshop on the Theory and Application of Cryptographic Techniques, LNCS 765, pp.386–397, Lofthus, Norway, May 1993.
[2] O. Rothaus, "On bent functions," J. Comb. Theory A, vol.20, pp.300–305, Jan. 1976.
[3] W. Meier and O. Staffelbach, "Nonlinearity criteria for cryptographic functions," Proc. workshop on the theory and application of cryptographic techniques on Advances in cryptology, LNCS 434, pp.549–562, Houthalen, Belgium, Nov. 1990.
[4] C. Carlet, "Partially-bent functions," Des., Codes Cryptog., vol.3, no.2, pp.135–145, May 1993.
[5] X.M. Zhang and Y. Zheng, "On plateaued functions," IEEE Trans. Inf. Theory, vol.47, no.3, pp.1215–1223, March 2001.
[6] G. Gong and K. Khoo, "Additive autocorrelation of resilient Boolean functions," CACR Technical Report, CORR 2003-11, 2003, available: http://www.cacr.math.uwaterloo.ca/ tech reports.html
[7] X. Zeng and L. Hu, "A composition construction of bentlike Boolean functions from quadratic polynomials," available: http://eprint.iacr.org/2003/204
[8] C. Carlet and E. Prouff, "On plateaued functions and their construction," Proc. Fast Software Encryption, 10th International Workshop, FSE 2003, LNCS 2887, pp.54–73, Lund, Sweden, Feb. 2003.
[9] Y. Zheng, X.M. Zhang, and H. Imai, "Duality of Boolean functions and its cryptographic applications," Proc. 1997 International Conference on Information and Communications Security (ICICS'97), LNCS 1334, pp.159–169, Beijing, China, Nov. 1997.
[10] A. Canteaut and M. Videau, "Degree of composition of highly nonlinear functions and applications to higher order differential cryptanalysis," Advances in Cryptology-Eurocrypt2002, LNCS 2332, pp.518–533, Amsterdam, Netherlands, April 2002.
[11] N.J. Patterson and D.H. Wiedemann, "The covering radius of the Reed-Muller code is at least 16276," IEEE Trans. Inf. Theory, vol.IT-29, no.3, pp.354–356, May 1983.
[12] S. Maitra and P. Sarkar, "Modifications of Patterson-Wiedemann functions for cryptographic applications," IEEE Trans. Inf. Theory, vol.48, no.1, pp.278–284, Jan. 2002.
[13] C. Carlet, "A larger class of cryptographic Boolean functions via a study of the Maiorana-McFarland construction," Advances in Cryptology-Crypto'2002, LNCS 2442, pp.549–564, Santa Barbara, USA, Aug. 2002.
[14] H. Dobbertin, "Construction of bent functions and balanced Boolean functions with high nonlinearity," Proc. Fast Software Encryption, Second International Workshop, LNCS 1008, pp.61–74, Leuven, Belgium, Dec. 1994.
[15] P. Camion, C. Carlet, P. Charpin, and N. Sendrier, "On correlation immune functions," Advances in Cryptology-Crypto'91, Workshop on the Theory and Application of Cryptographic Techniques, LNCS 547, pp.86–100, Brighton, UK, April 1991.
[16] S. Chee, S. Lee, D. Lee, and S.H. Sung, "On correlation immune functions and their nonlinearity," Advances in Cryptology-Asiacrypt'96, International Conference on the Theory and Applications of Cryptology and Information Security, LNCS 1163, pp.232–243, Kyongju, Korea, Nov. 1996.
[17] J. Seberry, X.M. Zhang, and Y. Zheng, "On construction and nonlinearity of correlation immune Boolean functions," Advances in Cryptology-Eurocrypt'93, Workshop on the Theory and Application of Cryptographic Techniques, LNCS 765, pp.181–199, Lofthus, Norway, May 1993.
[18] S. Maitra and P. Sarkar, "Cryptographically significant Boolean functions with five valued walsh spectra," Theor. Comput. Sci., vol.276, no.1-2, pp.133–146, April 2002.
[19] P. Sarkar and S. Maitra, "Construction of nonlinear Boolean functions with important cryptographic properties," Advances in Cryptology-Eurocrypt'2000, LNCS 1807, pp.485–506, Bruges (Brugge), Belgium, May 2000.
[20] Z.X. Wan, ed., Geometry of Classical Groups over Finite Fields, Chartwell-Bratt Ltd., Bromley, 1993.
Xiangyong Zeng was born in Hubei Province, China, on November 18, 1973. He received his B.S. degree from Hubei University in 1995, and received his M.S. and Ph.D. degrees from Beijing Normal University in 1998 and 2002, respectively. He is with the Faculty of Mathematics and Computer Science, Hubei University. His research interests include sequence and cryptography.
Lei Hu received his B.S. and M.S. degrees from Peking University in 1988 and 1991, respectively, and received his Ph.D. degree from the Chinese Academy of Sciences in 1994. Since 2002, he has been a professor at the Graduate School of Chinese Academy of Sciences. His research interests include sequence, elliptic curve and cryptography.