IJEM International Journal of Engineering Mathematics 2314-6109 2356-7007 Hindawi Publishing Corporation 937386 10.1155/2014/937386 937386 Research Article On Third-Order Nonlinearity of Biquadratic Monomial Boolean Functions Singh Brajesh Kumar Tenreiro Machado J. A. Department of Mathematics, School of Allied Sciences Graphic Era Hill University Dehradun, Uttarakhand 248002 India gehu.ac.in 2014 142014 2014 30 01 2014 28 02 2014 01 04 2014 2014 Copyright © 2014 Brajesh Kumar Singh. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

The rth-order nonlinearity of Boolean function plays a central role against several known attacks on stream and block ciphers. Because of the fact that its maximum equals the covering radius of the rth-order Reed-Muller code, it also plays an important role in coding theory. The computation of exact value or high lower bound on the rth-order nonlinearity of a Boolean function is very complicated problem, especially when r>1. This paper is concerned with the computation of the lower bounds for third-order nonlinearities of two classes of Boolean functions of the form Tr1nλxd for all x𝔽2n, λ𝔽2n*, where ad=2i+2j+2k+1, where i, j, and   k are integers such that i>j>k1 and n>2i, and bd=23+22+2+1, where is a positive integer such that gcd,𝓃=1 and n>6.

1. Introduction

Boolean functions are the building blocks for the design and the security of symmetric cryptographic systems and for the definition of some kinds of error correcting codes, sequences, and designs. The rth-order nonlinearity, nlr(f), of a Boolean function fn is defined by the minimum Hamming distance of f to RM(r,n)-Reed-Muller code of length 2n and order r(RM(r,n){fn:deg(f)r}). The nonlinearity of f is given by nl(f)=nl1(f) and is related to the immunity of f against best affine approximation attacks  and fast correlation attacks , when f is used as a combiner function or a filter function in a stream cipher. The rth-order nonlinearity is an important parameter, which measures the resistance of the function against various low-order approximation attacks [1, 3, 4]. In cryptographic framework, within a trade-off with the other important criteria, the rth-order nonlinearity must be as large as possible; see . Since, the maximal rth-order nonlinearity of all Boolean functions equals the covering radius of RM(r,n), it also has an application in coding theory. Besides these applications, an interesting connection between the rth-order nonlinearity and the fast algebraic attacks has been introduced, recently in , which claims that a cryptographic Boolean function should have high rth-order nonlinearity to resist the fast algebraic attack.

Unlike nonlinearity there is no efficient algorithm to compute second-order nonlinearities for n>11. The most efficient algorithm is introduced by Fourquet and Tavernier  which works for n11 and up to n=13 for some special functions. Thus, to identify a class of Boolean function with high rth-order nonlinearity, even for r=2, is a very relevant area of research. In 2008, Carlet has devolved a technique to compute rth-order nonlinearity recursively in , and using this technique he has obtained the lower bounds of nonlinearity profiles for functions belonging to several classes of functions: Kasami functions, Welch functions, inverse functions, and so forth. Based on this technique, the lower bound for rth-order nonlinearity, for r2, is obtained for some specific classes of Boolean functions, in many articles; see, for example,  and the references therein. The best known asymptotic upper bound for nl3(f) given by Carlet and Mesnager  is as follows: (1)nl3(f)2n-1-15·(1+2)·2n/2-1+O(n). The classes of Boolean functions for which the lower bound of third nonlinearity is known are inverse functions , Dillon functions , and Kasami functions, f(x)=Tr1n(λx57) . In this paper, we deduce the theoretical lower bounds on third-order nonlinearities of two classes of biquadratic monomial Boolean functions Tr1n(λxd) for all x𝔽2n, where λ𝔽2n* and (a)  d=2i+2j+2k+1, where  i, j, and k are integers such that i>j>k1 and n>2i, and (b)  d=23+22+2+1, where is a positive integer such that gcd(,n)=1 and n>6.

Remainder of the paper is organized as follows. In Section 2 some basic definitions and notations required for the subsequent sections are reviewed. The main results on lower bounds of third-order nonlinearities are presented in Section 3. The numerical compression of our bounds with the previous known results is provided in Section 4. Section 5 is conclusion.

2. Preliminaries

Let 𝔽2n be the finite field consisting of 2n elements. The group of units of 𝔽2n, denoted by 𝔽2n*, is a cyclic group consisting of 2n-1 elements. An element α𝔽2n is said to be a primitive element if it is a generator of the multiplicative group 𝔽2n*. A function from 𝔽2n to 𝔽2 is said to be a Boolean function on n variables; the set of such functions is denoted by n. Let and q, where q is a positive integer, denote the ring of integers and integers modulo q, respectively. A cyclotomic coset modulo 2n-1 of s is defined as (2)Cs={s,s2,s22,,s2ns-1}, where ns is the smallest positive integer such that ss2ns(mod2n-1) [17, page 104]. It is a convention to choose the subscript s to be the smallest integer in Cs and refer to it as the coset leader of Cs and ns denotes the size of Cs. The trace function Tr1n:𝔽2n𝔽2 is defined by Tr1n(x)=i=0n-1x2i for all x𝔽2n. The trace representation  of a function fn is (3)f(x)=kΓ(n)Tr1nk(Akxk)+A2n-1x2n-1,x𝔽2n, where Γ(n) is the set of all coset leaders modulo 2n-1 and Ak𝔽2nk, A2n-1𝔽2, for all kΓ(n). A Boolean function is said to be a monomial trace function if its trace representation consists of single trace term. The binary representation of an integer d is (4)d=dm-12m-1+dm-22m-2++d12+d0, where d0,d1,,dm-1{0,1}. The Hamming weight of d is wH(d)=i=0m-1di, where the sum is over . The algebraic degree, denoted by deg(f), of fn, as represented in (3), is the largest positive integer w for which wH(k)=w and Ak0. The support of fn is supp(f)={x𝔽2n:f(x)0}. The weight of f is wH(f)=|{x𝔽2n:f(x)0}|, where |S| is the cardinality of any set S. The Hamming distance between two functions f,   gn is defined by dH(f,g)=|{x𝔽2n:f(x)g(x)}|.

The Walsh-Hadamard transform (WHT) of a Boolean function fn at λ𝔽2n is defined by Wf(λ):=x𝔽2n(-1)f(x)+Tr1n(λx). The nonlinearity of fn in terms of its Walsh-Hadamard spectrum (WHS) is given by (5)nl(f)=2n-1-12maxλ𝔽2n|Wf(λ)|. The set {Wf(λ):λ𝔽2n} is referred to as the WHS of fBn which satisfies the Parseval’s identity: λ𝔽2nWf(λ)2=22n which implies that max{|Wf(λ)|:λ𝔽2n}2n/2, and so nl(f)2n-1-2(n/2)-1. The function fn achieving maximum possible nonlinearity 2n-1-2n/2-1 are said to be bent functions (exists only for even n), were introduced by Rothaus .

The derivative of fn with respect to a𝔽2n is defined by Daf(x)=f(x)+f(x+a) for all x𝔽2n. The second-order derivatives of fn with respect to V=a,b is the Boolean function DVfn which is defined by DVf(x)=DbDaf(x)=f(x)+f(x+a)+f(x+b)+f(x+a+b), where V is two-dimensional subspace of 𝔽2n generated by a and b; for details on higher derivatives, see [5, 11]. The rth-order nonlinearity of fn is defined as (6)nlr(f)=minhRM(r,n)dH(f,h)=2n-1-12maxhRM(r,n)|x𝔽2n(-1)f(x)+h(x)|. The sequence {nlr(f)}r=1n-1 is called the nonlinearity profile of f. Also, nlr(f)nlr-1(f) because RM(r-1,n)RM(r,n). The notion of rth-order bent functions was introduced by Iwata and Kurosawa . A function fn is said to be rth-order bent (for rn-3) if and only if nlr(f)2n-r-3(r+4), for even r, and nlr(f)2n-r-3(r+5), for odd r.

Carlet’s  recursive lower bounds for third-order nonlinearities which we use to compute our bounds, are given below in Propositions 1 and 2.

Proposition 1 (see [<xref ref-type="bibr" rid="B3">11</xref>, Proposition 2]).

Let fn; then nl3(f)(1/4)max{nl(DbDaf):a,b𝔽2n}.

Proposition 2 (see [<xref ref-type="bibr" rid="B3">11</xref>, Equation <inline-formula><mml:math xmlns:mml="http://www.w3.org/1998/Math/MathML" id="M156"><mml:mo stretchy="false">(</mml:mo><mml:mn>1</mml:mn><mml:mo stretchy="false">)</mml:mo></mml:math></inline-formula>]).

Proposition 3 (see [<xref ref-type="bibr" rid="B16">17</xref>, Chapter 15, Corollary 13] (<italic>McEliece’s theorem</italic>)).

The rth-order nonlinearities of a Boolean function fn with algebraic degree d are divisible by 2n/d-1, where u denotes the ceiling of u (the smallest integer greater than or equal to u).

Proposition 4 (see [<xref ref-type="bibr" rid="B1">20</xref>, Corollary 1]).

Let L(x)=i=0vcix2ik be a linearized polynomial over 𝔽2n, where v, k are positive integers such that gcd(n,k)=1. Then zeroes of the linearized polynomial L(x) in 𝔽2n are at most 2v.

The result in Proposition 4 above was introduced by Bracken et al. . The bilinear form  associated with a quadratic Boolean function fn is defined by B(x,y):=f(0)+f(x)+f(y)+f(x+y) and the kernel, f of B(x,y) is the subspace of 𝔽2n defined by (8)f={x𝔽2n:B(x,y)=0  y𝔽2n}. An element cf is called a linear structure of f. Next, if V is a vector space over a field 𝔽q of characteristic 2 and Q:V𝔽q a quadratic form, then dim(V) and dim(Q) have the same parity . The distribution of the WHT values of a quadratic Boolean function fn is given in the following theorem which claims that the weight distribution of the values in the WHS of f depends only on the dimension k of f.

Theorem 5 (see [<xref ref-type="bibr" rid="B16">17</xref>, <xref ref-type="bibr" rid="B2">21</xref>]).

Let fn be a quadratic Boolean function and k=dim(f), where f is defined in (8); then the weight distribution of the WHT values of f is given by (9)Wf(λ)={0,2n-2n-k  times,2(n+k)/2,2n-k-1+(-1)f(0)2(n-k-2)/2  times,-2(n+k)/2,2n-k-1-(-1)f(0)2(n-k-2)/2  times.

3. Main Results

In this section, using Carlet’s recursive technique , the theoretical lower bounds for third-order nonlinearities of two general classes of monomial Boolean functions of degree 4 are obtained.

Theorem 6.

Let fλ(x)=Tr1n(λx2i+2j+2k+1), for all x𝔽2n, where λ𝔽2n* and  i, j, and k are integers such that i>j>k1 and n>2i. Then (10)nl3(fλ){2n-3-2(n+2i-6)/2,ifn=0mod2,2n-3-2(n+2i-7)/2,ifn=1mod2. In particular, if gcd(j-k,n)=1, then (11)nl3(fλ){2n-1-12(2n-1)2(3n+2i)/2+2n+1-2(n+2i+2)/2,hhhhhhhhhhhhhhhhhhhhhhhhifn=0mod2,2n-1-12(2n-1)2(3n+2i-1)/2+2n+1-2(n+2i+1)/2,hhhhhhhhhhhhhhhhhhhhhhhhifn=1mod2.

Proof.

Derivative of fλ with respect to a𝔽2n* is (12)Dafλ(x)=fλ(x+a)+fλ(x)=Tr1n(λ(x+a)2i+2j+2k+1)  +Tr1n(λx2i+2j+2k+1)=Tr1n(λ(ax2i+2j+2k+a2ix2j+2k+1hhhhhhhh+  a2jx2i+2k+1+a2kx2i+2j+1))+q(x), where q is quadratic. The second derivative DbDafλ with respect to a,b𝔽2n*, where ab, is (13)DbDafλ(x)=fλ(x+a+b)+fλ(x+a)+fλ(x+b)+fλ(x)=Tr1n(λ(x+a+b)2i+2j+2k+1)+Tr1n(λ(x+b)2i+2j+2k+1)+Tr1n(λ(x+a)2i+2j+2k+1)+Tr1n(λx2i+2j+2k+1)=l(x)+Tr1n(λ((ab2k+a2kb)x2i+2jhhhhhhhhhhhhhhh+(ab2j+a2jb)x2i+2khhhhhhhhhhhhhhh+(ab2i+a2ib)x2j+2khhhhhhhhhhhhhhh+(a2jb2k+a2kb2j)x2i+1hhhhhhhhhhhhhhh+(a2ib2k+a2kb2i)x2j+1hhhhhhhhhhhhhhh+(a2ib2j+a2jb2i)x2k+1)), where l is an affine function. If DbDafλ is quadratic, then the WHS of DbDafλ is equivalent to the WHS of the function hλ obtained by removing l from DbDafλ: (14)hλ(x)=Tr1n(λ((ab2k+a2kb)x2i+2j+(ab2j+a2jb)x2i+2khhhhhhhhhh+(a2jb2k+a2kb2j)x2i+1+(ab2i+a2ib)x2j+2khhhhhhhhhh+(a2ib2k+a2kb2i)x2j+1hhhhhhhhhh+(a2ib2j+a2jb2i)x2k+1)). Further, hλ={x𝔽2n:B(x,y)=0 for all y𝔽2n}, where B(x,y) is the bilinear form associated with hλ. Now, using x2n=x, y2n=y, and Tr1n(x2i)=Tr1n(x), for all x,y𝔽2n, we compute B(x,y) as follows (15)B(x,y)=hλ(0)+hλ(x)+hλ(y)+hλ(x+y)=Tr1n(λ(y2i((ab2k+a2kb)x2j+(ab2j+a2jb)x2khhhhhhhhhhh+(a2jb2k+a2kb2j)x)hhhhhhhh+y2j((ab2k+a2kb)x2i+(ab2i+a2ib)x2khhhhhhhhhhhhh+(a2ib2k+a2kb2i)x)hhhhhhhh+y2k((ab2j+a2jb)x2i+(ab2i+a2ib)x2jhhhhhhhhhhhhh+(a2ib2j+a2jb2i)x)hhhhhhhh+y((a2jb2k+a2kb2j)x2ihhhhhhhhhhhh+(a2ib2k+a2kb2i)x2jhhhhhhhhhhh+(a2ib2j+a2jb2i)x2k)))=Tr1n(yP(x)), where (16)P(x)=(λ(ab2k+a2kb)x2j+λ(ab2j+a2jb)x2khhhh+λ(a2jb2k+a2kb2j)x)2n-i+(λ(ab2j+a2jb)x2ihhhhh+  λ(ab2i+a2ib)x2j+λ(a2ib2j+a2jb2i)x)2n-j+(λ(ab2j+a2jb)x2i+λ(ab2i+a2ib)x2jhhhhh+  λ(a2ib2j+a2jb2i)x)2n-k+λ(a2jb2k+a2kb2j)x2i+λ(a2ib2k+a2kb2i)x2j+λ(a2ib2j+a2jb2i)x2k. Therefore, (17)hλ={x𝔽2n:P(x)=0=P(x)2i}. Let L(λ,a,b)(x)=P(x)2i. Using x2n=x, y2n=y, a2n=a, b2n=b, and λ2n=λ, for all x,y,a,b,λ𝔽2n, we have (18)L(λ,a,b)(x)=(P(x))2i=λ((ab2j+a2jb)x2khhhhh+(ab2k+a2kb)x2jhhhhh+(a2jb2k+a2kb2j)x)+λ2i((a2i+jb2i+k+a2i+kb2i+j)x22ihhhhhhhhh+(a2i+kb22i+a22ib2i+k)x2i+jhhhhhhhhh+(a22ib2i+j+a2i+jb22i)x2i+k)+λ2i-j((a2i-jb2i+a2ib2i-j)x22i-jhhhhhhhhhhh+(a2i-jb22i-j+a22i-jb2i-j)x2ihhhhhhhhhh+(a22i-jb2i+a2ib22i-j)x2i-j)+λ2i-k((a2i-kb2i+j-k+a2i+j-kb2i-k)x22i-khhhhhhhhhh+(a2i-kb22i-k+a22i-kb2i-k)x2i+j-khhhhhhhhhh+(a22i-kb2i+j-k+a2i+j-kb22i-k)x2i-k). The coefficient of x in L(λ,a,b)(x) is zero if and only if a2jb2k+a2kb2j=0; that is, a2j-kb+ab2j-k=0 which implies that ba𝔽2j-k. Therefore, for every 0a,  b𝔽2n such that ba𝔽2j-k, the degree of linearized polynomial, L(λ,a,b), in x is at most 22i; this implies that the dimension of the kernel DbDafλ associated with DbDafλ is k(a,b)2i if n is even; otherwise k(a,b)2i-1. The WHT of DbDafλ at μ𝔽2n is (19)WDbDafλ(μ){2(n+2i)/2,ifn=0mod2,2(n+2i-1)/2,ifn=1mod2. Therefore, (20)nl(DbDafλ)={2n-1-2(n+2i-2)/2,ifn=0mod2,2n-1-2(n+2i-3)/2,ifn=1mod2. Using Proposition 1, we have (21)nl3(fλ){2n-3-2(n+2i-6)/2,ifn=0mod2,2n-3-2(n+2i-7)/2,ifn=1mod2. In particular, if gcd(j-k,n)=1, we have k(a,b)2i if n is even; otherwise k(a,b)2i-1 for all a,b𝔽2n such that a0 and ba𝔽2. Therefore, (20) holds for all a,b𝔽2n such that a0 and ba𝔽2.

Using Proposition 2, we have the following.

When n=0mod2, (22)nl3(fλ)2n-1-12(2n-1)22n-2(2n-2)(2n-1-2(n+2i-2)/2)=2n-1-12(2n-1)2(3n+2i)/2+2n+1-2(n+2i+2)/2.

When n=1mod2, (23)nl3(fλ)2n-1-12(2n-1)22n-2(2n-2)(2n-1-2(n+2i-3)/2)=2n-1-12(2n-1)2(3n+2i-1)/2+2n+1-2(n+2i+1)/2.

Theorem 7.

Let gλ(x)=Tr1n(λx23+22+2+1), for all x𝔽2n and λ𝔽2n*, where is a positive integer such that gcd(,n)=1 and n>6. Then (24)nl3(gλ){2n-1-12(2n-1)2(3n+6)/2+2n+1-2(n+8)/2,hhhhhhhhhhhhhhhhhhhifn=0mod2,2n-1-12(2n-1)2(3n+5)/2+2n+1-2(n+7)/2,hhhhhhhhhhhhhhhhhhhifn=1mod2.

Proof.

The proof is similar to that of Theorem 6 up to (18). Here the kernel of B(x,y) associated with DbDagλ is ={x𝔽2n:P(x)=0=L(λ,a,b)(x)}, where L(λ,a,b)(x) is obtained by replacing i,  j, and k in (18) by 3, 2, and , respectively: (25)L(λ,a,b)(x)=P(x)23=λ23((a25b24+a24b25)x26hhhhhhh+(a24b26+a26b24)x25hhhhhhh+(a26b25+a25b26)x24)+λ2((a2b23+a23b2)x24hhhhhhhh+(a2b24+a24b2)x23hhhhhhhh+(a24b23+a23b24)x2)+λ22((a22b24+a24b22)x25hhhhhhhh+(a22b25+a25b22)x24hhhhhhhh+(a25b24+a24b25)x22)+λ(ab22+a22b)x2+λ(ab2+a2b)x22+λ(a22b2+a2b22)x. The coefficient of x in L(λ,a,b)(x) is zero if and only if a22b2+a2b22=0; that is, a2b+ab2=0. Moreover, gcd(,n)=1 and so, by Proposition 4, ba𝔽2. The polynomial L(λ,a,b)(x) as represented in (25) is of the form i=06cix2i and so, again by Proposition 4, the equation L(λ,a,b)(x)=0 has at most 26 roots for all a,b𝔽2n such that a0 and ba𝔽2. This implies that k(a,b)6 if n is even; otherwise k(a,b)5. The WHT of DbDagλ at μ𝔽2n is (26)WDbDagλ(μ){2(n+6)/2,ifn=0mod2,2(n+5)/2,ifn=1mod2. Therefore, (27)nl(DbDagλ){2n-1-2(n+4)/2,ifn=0mod2,2n-1-2(n+3)/2,ifn=1mod2.

Using Proposition 1, we have (28)nl3(gλ){2n-3-2n/2,ifn=0mod2,2n-3-2(n-1)/2,ifn=1mod2.

Using Proposition 2, we have the following.

When n=0mod2, (29)nl3(gλ)2n-1-12(2n-1)22n-2(2n-2)(2n-1-2(n+4)/2)=2n-1-12(2n-1)2(3n+6)/2+2n+1-2(n+8)/2.

When n=1mod2, (30)nl3(gλ)2n-1-12(2n-1)22n-2(2n-2)(2n-1-2(n+3)/2)=2n-1-12(2n-1)2(3n+5)/2+2n+1-2(n+7)/2.

Remark 8.

Let fn be a biquadratic Boolean function. If there exists at least elements a,b𝔽2n such that DbDaf is quadratic, then nl3(f)2n-4. This result follows from Proposition 1 and the fact that the nonlinearity of any quadratic function in n is at least 2n-2 [11, 22].

4. Comparison

The theoretical lower bounds for third-order nonlinearities obtained by using Theorem 6 for i=3,4,5 and j,  k are taken in such a way that gcd(j-k,n)=1 and reported in Tables 1 and 2. The bounds are compared with the general bounds for third-order nonlinearity: nl3(f)2n-4, for any biquadratic Boolean function. It is evident that the bounds for i=3,4 are efficiently large and decrease with increasing the value of i. It is to be noted that Class (a) is the more general class of biquadratic monomial Boolean functions containing several classes of highly nonlinear Boolean functions. In particular, for i=5,  j=4, and  k=3 Class (a) coincides with Kasami functions of algebraic degree 4.

The lower bounds on the third-order nonlinearities obtained by Theorem 6 for odd n and i=3,4,5.

n
7 9 11 13 15 17 19
i = 3 11 75 415 2047 9493 42361 184199
i = 4 41 330 1660 8191 37979 169457
i = 5 163 1200 6642 32767 151923
General bounds 8 32 128 512 2048 8192 32768

The lower bounds on the third-order nonlinearities obtained by Theorem 6 for even n and i=3,4,5.

n
8 10 12 14 16 18 20
i = 3 21 150 830 4094 18988 84726 368407
i = 4 82 560 3321 16283 75960 338919
i = 5 326 2400 13284 65535 303849
General bounds 16 64 256 1024 4096 16384 65536

The theoretical bounds for third-order nonlinearities obtained by using Theorem 7 and Proposition 3 are compared with known classes of functions [4, 11, 12] and reported in Tables 3 and 4. It is to be noted that the lower bounds for third-order nonlinearities of the inverse functions (nl3(finv)2n-1-2(7n-2)/8) are larger than that of the Dillon functions (nl3(fdillon)2n-1-27n/8) for all n. Thus, it is demonstrated that the lower bound obtained by Theorem 7 is better than the bounds obtained by Gode and Gangopadhyay  for Kasami functions: Tr(λx57), Iwata and Kurosawa’s general bound  for all n>8. Also these bounds are improved upon Carlet’s  bound for inverse function when n is odd, or n=8,12, and equal for the rest of values of even n.

Comparison of the value of lower bounds on third-order nonlinearities obtained by Theorem 6 with the bound obtained in [4, 11, 12] for odd n.

n Theorem 6     
7 12 8 16 6
9 76 64 60
11 416 240 256 360
13 2048 992 1024 1864
15 9496 4096 8872
17 42368 16256 16384 40272
19 184208 65280 65536 177168

Comparison of the value of lower bounds on third-order nonlinearities obtained by Theorem 6 with the bound obtained in [4, 11, 12] for even n.

n Theorem 6   
8 22 28 32 20
10 152 120 128 152
12 832 512 828
14 4096 2016 2048 4096
16 18992 8192 18992
18 84736 32768 84736
20 368416 130816 131072 368416
5. Conclusion

In this paper, using recursive approach introduced in , we have computed the lower bounds of third-order nonlinearities of two general classes of biquadratic monomial Boolean functions. It is demonstrated that in some cases our bounds are better than the bounds obtained previously.

Conflict of Interests

The author declares that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

The author would like to thank the anonymous referees for their time, effort, and extensive comments on the revision of the paper which improve the quality of the presentation of the paper. The work is supported by Council of Scientific and Industrial Research, New Delhi, India.