The lower bounds on the second order nonlinearity of three classes of Boolean functions with high nonlinearity

Abstract

The rth order nonlinearity of Boolean functions is an important cryptographic criterion associated with some attacks on stream and block ciphers. It is also very useful in coding theory, since it is related to the covering radii of Reed–Muller codes. This paper tightens the lower bounds of the second order nonlinearity of three classes of Boolean functions in the form $f(x)=\mathit{tr}(x^d)$ in n variables, where (1) $d=2^{m+1}+3$ and $n=2m$, or (2) $d=2^m+2^{\frac{m+1}{2}}+1$, $n=2m$ and m is odd, or (3) $d=2^{2r}+2^{r+1}+1$ and $n=4r$.

Introduction

Boolean functions are the core components in the design of many symmetric key cryptosystems (stream ciphers and block ciphers). A characteristic of Boolean functions, called their nonlinearity profile, plays an important role with respect to the affine approximation attack on the cryptosystems in which such functions are involved. Let $f:F_{2^n}\mapsto F_2$ be an n-variable Boolean function. For every nonnegative integer $r⩽n$, we denote by ${\mathit{nl}}_r(f)$ the minimum Hamming distance of f and all functions of algebraic degrees at most r (in the case of $r=1$, we shall simply write $\mathit{nl}(f)$). In other words, ${\mathit{nl}}_r(f)$ equals the distance from f in its truth table representation to the Reed–Muller code $\mathit{RM}(r\text{,}n)$ of length $2^n$ and of order r. This distance is called the rth order nonlinearity of f (simply the nonlinearity in the case when $r=1$). It is seen by definition that the maximum rth order nonlinearity of all Boolean functions in n variables equals the covering radius of $\mathit{RM}(r\text{,}n)$ [9]. The nonlinearity profile of a function f is the sequence of those values ${\mathit{nl}}_r(f)$ for r ranging from 1 to $n-1$. Unfortunately, so far very little is known about ${\mathit{nl}}_r(f)$ for $r>1$. The best known upper bound [7] on ${\mathit{nl}}_r(f)$ has an asymptotic version

$${\mathit{nl}}_r(f)=2^{n-1}-\frac{\sqrt{15}}{2}·(1+\sqrt{2}{)}^{r-2}·2^{\frac{n}{2}}+O(n^{r-2})\text{.}$$

Computing the rth order nonlinearity of a given Boolean function with algebraic degree strictly greater than r is a difficult task for $r>1$. In the case when $r=1$, much study has been done, both in theoretical analysis and algorithm implementation, since the nonlinearity is related to the Walsh transform, which can be computed by the algorithm of the fast Fourier transform (FFT). For $r>1$, very little is known, even the second order nonlinearity is known only for a few particular functions and for functions in small number of variables. A nice algorithm due to Kabatiansky and Tavernier was improved and implemented by Fourquet and Tavernier [16], Kabatiansky and Tavernier[18] and Dumer et al. [15], which works well for $r=2$ and $n⩽11$ (in some cases, $n⩽13$). The algorithm can be applied for higher orders of nonlinearity, but it is less efficient except when the function is in very small number of variables.

While the exact value of the rth order nonlinearity of a Boolean function is difficult to compute, the lower bounds can be useful. However to find a good lower bound is also a quite difficult task, even for the second order nonlinearity. Until recently, there has been only one attempt, by Iwata–Kurosawa [17], to construct functions with lower bounded rth order nonlinearity. However, the lower bound is a small value $2^{n-r-3}(r+5)$, $r⩽n-3$. A lower bound on the rth order nonlinearity of functions with given algebraic immunity has been studied in [6] and improved in [4]. It gives better results than those of [17] for functions f with good algebraic immunity $\mathit{AI}(f)$, i.e., when $\mathit{AI}(f)$ is close to its upper bound $\lceil \frac{n}{2}\rceil$. In this case, the lower bound is roughly equal to

$$\max \left(\sum _{i=0}^{\mathit{AI}(f)-r-1}\left(\begin{array}{c}\hfill n\hfill \\ \hfill i\hfill \end{array}\right)\text{,}2\sum _{i=0}^{\mathit{AI}(f)-r-1}\left(\begin{array}{c}\hfill n-r\hfill \\ \hfill i\hfill \end{array}\right)\right)\text{,}$$

which is still a small value in many cases.

In [5], Carlet deduced the lower bounds of the second order nonlinearity of several classes of Boolean functions, such as the Welch function $f(x)=\mathit{tr}(x^{2^t+3})$, when $t=\frac{n-1}{2}$ and n odd, or when $t=\frac{n+1}{2}$ and n odd, and the inverse function $f(x)=\mathit{tr}(x^{2^n-2})$. Here $\mathit{tr}(x)$ denotes the trace function $\mathit{tr}(x)={\sum }_{i=0}^{n-1}{x}^{2^i}$ from $F_{2^n}$ into $F_2$. The approach was to study the nonlinearity of the derivative of the function f.

In this paper, we deduce the lower bounds of the second order nonlinearity of another three classes of Boolean functions, that is, $f(x)=\mathit{tr}(x^d)$, where

• $d=2^{m+1}+3$ and $n=2m$, or

• $d=2^m+2^{\frac{m+1}{2}}+1$, $n=2m$ and m is odd, or

• $d=2^{2r}+2^{r+1}+1$ and $n=4r$.

The reason for choosing these three classes of Boolean functions is that they are known to have high nonlinearity [10], [19]. More precisely, the following are known from public literatures.

• Let m be an odd integer and $n=2m$. Then for $d=2^m+2^{\frac{m+1}{2}}+1$, the Walsh coefficients of the function $f(x)=\mathit{tr}(x^d)$ have only three values $0\text{,}\pm 2^{m+1}$ (see [10]).

• Let m be an odd integer and $n=2m$. Then for $d=2^{m+1}+3$, the Walsh coefficients of the function $f(x)=\mathit{tr}(x^d)$ have only three values $0\text{,}\pm 2^{m+1}$ (see [10]).

• Let $n=4r$ and r be odd. Then the function $f(x)=\mathit{tr}(\alpha x^{2^{2r}+2^{r+1}+1})$ is a bent function for some $\alpha \in F_{2^n}$ (see [19]).

From the relationship between the Walsh coefficients and the nonlinearity of a Boolean function which is introduced later, it is seen that the above three classes of Boolean functions all have high nonlinearity.

The rest of the paper is organized as follows: In Section 2, we give some preliminaries that will be needed in the sequel. Section 3 gives the main results, the lower bounds of the second order nonlinearity of three classes of Boolean functions. Section 4 concludes the paper.