The rth-order nonlinearity of Boolean function plays a central role against several known attacks on stream and block ciphers. Because of the fact that its maximum equals the covering radius of the rth-order Reed-Muller code, it also plays an important role in coding theory. The computation of exact value or high lower bound on the rth-order nonlinearity of a Boolean function is very complicated problem, especially when r>1. This paper is concerned with the computation of the lower bounds for third-order nonlinearities of two classes of Boolean functions of the form Tr1nλxd for all x∈𝔽2n, λ∈𝔽2n*, where ad=2i+2j+2k+1, where i, j, and k are integers such that i>j>k≥1 and n>2i, and bd=23ℓ+22ℓ+2ℓ+1, where ℓ is a positive integer such that gcdℓ,𝓃=1 and n>6.
1. Introduction
Boolean functions are the building blocks for the design and the security of symmetric cryptographic systems and for the definition of some kinds of error correcting codes, sequences, and designs. The rth-order nonlinearity, nlr(f), of a Boolean function f∈ℬn is defined by the minimum Hamming distance of f to RM(r,n)-Reed-Muller code of length 2n and order r(RM(r,n)≔{f∈ℬn:deg(f)≤r}). The nonlinearity of f is given by nl(f)=nl1(f) and is related to the immunity of f against best affine approximation attacks [1] and fast correlation attacks [2], when f is used as a combiner function or a filter function in a stream cipher. The rth-order nonlinearity is an important parameter, which measures the resistance of the function against various low-order approximation attacks [1, 3, 4]. In cryptographic framework, within a trade-off with the other important criteria, the rth-order nonlinearity must be as large as possible; see [5–9]. Since, the maximal rth-order nonlinearity of all Boolean functions equals the covering radius of RM(r,n), it also has an application in coding theory. Besides these applications, an interesting connection between the rth-order nonlinearity and the fast algebraic attacks has been introduced, recently in [9], which claims that a cryptographic Boolean function should have high rth-order nonlinearity to resist the fast algebraic attack.
Unlike nonlinearity there is no efficient algorithm to compute second-order nonlinearities for n>11. The most efficient algorithm is introduced by Fourquet and Tavernier [10] which works for n≤11 and up to n=13 for some special functions. Thus, to identify a class of Boolean function with high rth-order nonlinearity, even for r=2, is a very relevant area of research. In 2008, Carlet has devolved a technique to compute rth-order nonlinearity recursively in [11], and using this technique he has obtained the lower bounds of nonlinearity profiles for functions belonging to several classes of functions: Kasami functions, Welch functions, inverse functions, and so forth. Based on this technique, the lower bound for rth-order nonlinearity, for r≥2, is obtained for some specific classes of Boolean functions, in many articles; see, for example, [11–14] and the references therein. The best known asymptotic upper bound for nl3(f) given by Carlet and Mesnager [15] is as follows:
(1)nl3(f)≤2n-1-15·(1+2)·2n/2-1+O(n).
The classes of Boolean functions for which the lower bound of third nonlinearity is known are inverse functions [11], Dillon functions [16], and Kasami functions, f(x)=Tr1n(λx57) [12]. In this paper, we deduce the theoretical lower bounds on third-order nonlinearities of two classes of biquadratic monomial Boolean functions Tr1n(λxd) for all x∈𝔽2n, where λ∈𝔽2n* and (a) d=2i+2j+2k+1, where i, j, and k are integers such that i>j>k≥1 and n>2i, and (b) d=23ℓ+22ℓ+2ℓ+1, where ℓ is a positive integer such that gcd(ℓ,n)=1 and n>6.
Remainder of the paper is organized as follows. In Section 2 some basic definitions and notations required for the subsequent sections are reviewed. The main results on lower bounds of third-order nonlinearities are presented in Section 3. The numerical compression of our bounds with the previous known results is provided in Section 4. Section 5 is conclusion.
2. Preliminaries
Let 𝔽2n be the finite field consisting of 2n elements. The group of units of 𝔽2n, denoted by 𝔽2n*, is a cyclic group consisting of 2n-1 elements. An element α∈𝔽2n is said to be a primitive element if it is a generator of the multiplicative group 𝔽2n*. A function from 𝔽2n to 𝔽2 is said to be a Boolean function on n variables; the set of such functions is denoted by ℬn. Let ℤ and ℤq, where q is a positive integer, denote the ring of integers and integers modulo q, respectively. A cyclotomic coset modulo 2n-1 of s∈ℤ is defined as
(2)Cs={s,s2,s22,…,s2ns-1},
where ns is the smallest positive integer such that s≡s2ns(mod2n-1) [17, page 104]. It is a convention to choose the subscript s to be the smallest integer in Cs and refer to it as the coset leader of Cs and ns denotes the size of Cs. The trace function Tr1n:𝔽2n→𝔽2 is defined by Tr1n(x)=∑i=0n-1x2i for all x∈𝔽2n. The trace representation [18] of a function f∈ℬn is
(3)f(x)=∑k∈Γ(n)Tr1nk(Akxk)+A2n-1x2n-1,∀x∈𝔽2n,
where Γ(n) is the set of all coset leaders modulo 2n-1 and Ak∈𝔽2nk, A2n-1∈𝔽2, for all k∈Γ(n). A Boolean function is said to be a monomial trace function if its trace representation consists of single trace term. The binary representation of an integer d∈ℤ is
(4)d=dm-12m-1+dm-22m-2+⋯+d12+d0,
where d0,d1,…,dm-1∈{0,1}. The Hamming weight of d is wH(d)=∑i=0m-1di, where the sum is over ℤ. The algebraic degree, denoted by deg(f), of f∈ℬn, as represented in (3), is the largest positive integer w for which wH(k)=w and Ak≠0. The support of f∈ℬn is supp(f)={x∈𝔽2n:f(x)≠0}. The weight of f is wH(f)=|{x∈𝔽2n:f(x)≠0}|, where |S| is the cardinality of any set S. The Hamming distance between two functions f, g∈ℬn is defined by dH(f,g)=|{x∈𝔽2n:f(x)≠g(x)}|.
The Walsh-Hadamard transform (WHT) of a Boolean function f∈ℬn at λ∈𝔽2n is defined by Wf(λ):=∑x∈𝔽2n(-1)f(x)+Tr1n(λx). The nonlinearity of f∈ℬn in terms of its Walsh-Hadamard spectrum (WHS) is given by
(5)nl(f)=2n-1-12maxλ∈𝔽2n|Wf(λ)|.
The set {Wf(λ):λ∈𝔽2n} is referred to as the WHS of f∈Bn which satisfies the Parseval’s identity: ∑λ∈𝔽2nWf(λ)2=22n which implies that max{|Wf(λ)|:λ∈𝔽2n}≥2n/2, and so nl(f)≤2n-1-2(n/2)-1. The function f∈ℬn achieving maximum possible nonlinearity 2n-1-2n/2-1 are said to be bent functions (exists only for even n), were introduced by Rothaus [19].
The derivative of f∈ℬn with respect to a∈𝔽2n is defined by Daf(x)=f(x)+f(x+a) for all x∈𝔽2n. The second-order derivatives of f∈ℬn with respect to V=〈a,b〉 is the Boolean function DVf∈ℬn which is defined by DVf(x)=DbDaf(x)=f(x)+f(x+a)+f(x+b)+f(x+a+b), where V is two-dimensional subspace of 𝔽2n generated by a and b; for details on higher derivatives, see [5, 11]. The rth-order nonlinearity of f∈ℬn is defined as
(6)nlr(f)=minh∈RM(r,n)dH(f,h)=2n-1-12maxh∈RM(r,n)|∑x∈𝔽2n(-1)f(x)+h(x)|.
The sequence {nlr(f)}r=1n-1 is called the nonlinearity profile of f. Also, nlr(f)≤nlr-1(f) because RM(r-1,n)⊂RM(r,n). The notion of rth-order bent functions was introduced by Iwata and Kurosawa [4]. A function f∈ℬn is said to be rth-order bent (for r≤n-3) if and only if nlr(f)≥2n-r-3(r+4), for even r, and nlr(f)≥2n-r-3(r+5), for odd r.
Carlet’s [11] recursive lower bounds for third-order nonlinearities which we use to compute our bounds, are given below in Propositions 1 and 2.
Proposition 1 (see [11, Proposition 2]).
Let f∈ℬn; then nl3(f)≥(1/4)max{nl(DbDaf):a,b∈𝔽2n}.
Proposition 2 (see [11, Equation (1)]).
Let f∈ℬn. Then
(7)nl3(f)≥2n-1-12∑a∈𝔽2n22n-2∑b∈𝔽2nnl(DaDbf).
Proposition 3 (see [17, Chapter 15, Corollary 13] (McEliece’s theorem)).
The rth-order nonlinearities of a Boolean function f∈ℬn with algebraic degree d are divisible by 2⌈n/d⌉-1, where ⌈u⌉ denotes the ceiling of u (the smallest integer greater than or equal to u).
Proposition 4 (see [20, Corollary 1]).
Let L(x)=∑i=0vcix2ik be a linearized polynomial over 𝔽2n, where v, k are positive integers such that gcd(n,k)=1. Then zeroes of the linearized polynomial L(x) in 𝔽2n are at most 2v.
The result in Proposition 4 above was introduced by Bracken et al. [20]. The bilinear form [17] associated with a quadratic Boolean function f∈ℬn is defined by B(x,y):=f(0)+f(x)+f(y)+f(x+y) and the kernel, ℰf of B(x,y) is the subspace of 𝔽2n defined by
(8)ℰf={x∈𝔽2n:B(x,y)=0∀y∈𝔽2n}.
An element c∈ℰf is called a linear structure of f. Next, if V is a vector space over a field 𝔽q of characteristic 2 and Q:V→𝔽q a quadratic form, then dim(V) and dim(ℰQ) have the same parity [21]. The distribution of the WHT values of a quadratic Boolean function f∈ℬn is given in the following theorem which claims that the weight distribution of the values in the WHS of f depends only on the dimension k of ℰf.
Theorem 5 (see [17, 21]).
Let f∈ℬn be a quadratic Boolean function and k=dim(ℰf), where ℰf is defined in (8); then the weight distribution of the WHT values of f is given by
(9)Wf(λ)={0,2n-2n-ktimes,2(n+k)/2,2n-k-1+(-1)f(0)2(n-k-2)/2times,-2(n+k)/2,2n-k-1-(-1)f(0)2(n-k-2)/2times.
3. Main Results
In this section, using Carlet’s recursive technique [11], the theoretical lower bounds for third-order nonlinearities of two general classes of monomial Boolean functions of degree 4 are obtained.
Theorem 6.
Let fλ(x)=Tr1n(λx2i+2j+2k+1), for all x∈𝔽2n, where λ∈𝔽2n* and i, j, and k are integers such that i>j>k≥1 and n>2i. Then
(10)nl3(fλ)≥{2n-3-2(n+2i-6)/2,ifn=0mod2,2n-3-2(n+2i-7)/2,ifn=1mod2.
In particular, if gcd(j-k,n)=1, then
(11)nl3(fλ)≥{2n-1-12(2n-1)2(3n+2i)/2+2n+1-2(n+2i+2)/2,hhhhhhhhhhhhhhhhhhhhhhhhifn=0mod2,2n-1-12(2n-1)2(3n+2i-1)/2+2n+1-2(n+2i+1)/2,hhhhhhhhhhhhhhhhhhhhhhhhifn=1mod2.
Proof.
Derivative of fλ with respect to a∈𝔽2n* is
(12)Dafλ(x)=fλ(x+a)+fλ(x)=Tr1n(λ(x+a)2i+2j+2k+1)+Tr1n(λx2i+2j+2k+1)=Tr1n(λ(ax2i+2j+2k+a2ix2j+2k+1hhhhhhhh+a2jx2i+2k+1+a2kx2i+2j+1))+q(x),
where q is quadratic. The second derivative DbDafλ with respect to a,b∈𝔽2n*, where a≠b, is
(13)DbDafλ(x)=fλ(x+a+b)+fλ(x+a)+fλ(x+b)+fλ(x)=Tr1n(λ(x+a+b)2i+2j+2k+1)+Tr1n(λ(x+b)2i+2j+2k+1)+Tr1n(λ(x+a)2i+2j+2k+1)+Tr1n(λx2i+2j+2k+1)=l(x)+Tr1n(λ((ab2k+a2kb)x2i+2jhhhhhhhhhhhhhhh+(ab2j+a2jb)x2i+2khhhhhhhhhhhhhhh+(ab2i+a2ib)x2j+2khhhhhhhhhhhhhhh+(a2jb2k+a2kb2j)x2i+1hhhhhhhhhhhhhhh+(a2ib2k+a2kb2i)x2j+1hhhhhhhhhhhhhhh+(a2ib2j+a2jb2i)x2k+1)),
where l is an affine function. If DbDafλ is quadratic, then the WHS of DbDafλ is equivalent to the WHS of the function hλ obtained by removing l from DbDafλ:
(14)hλ(x)=Tr1n(λ((ab2k+a2kb)x2i+2j+(ab2j+a2jb)x2i+2khhhhhhhhhh+(a2jb2k+a2kb2j)x2i+1+(ab2i+a2ib)x2j+2khhhhhhhhhh+(a2ib2k+a2kb2i)x2j+1hhhhhhhhhh+(a2ib2j+a2jb2i)x2k+1)).
Further, ℰhλ={x∈𝔽2n:B(x,y)=0 for all y∈𝔽2n}, where B(x,y) is the bilinear form associated with hλ. Now, using x2n=x, y2n=y, and Tr1n(x2i)=Tr1n(x), for all x,y∈𝔽2n, we compute B(x,y) as follows
(15)B(x,y)=hλ(0)+hλ(x)+hλ(y)+hλ(x+y)=Tr1n(λ(y2i((ab2k+a2kb)x2j+(ab2j+a2jb)x2khhhhhhhhhhh+(a2jb2k+a2kb2j)x)hhhhhhhh+y2j((ab2k+a2kb)x2i+(ab2i+a2ib)x2khhhhhhhhhhhhh+(a2ib2k+a2kb2i)x)hhhhhhhh+y2k((ab2j+a2jb)x2i+(ab2i+a2ib)x2jhhhhhhhhhhhhh+(a2ib2j+a2jb2i)x)hhhhhhhh+y((a2jb2k+a2kb2j)x2ihhhhhhhhhhhh+(a2ib2k+a2kb2i)x2jhhhhhhhhhhh+(a2ib2j+a2jb2i)x2k)))=Tr1n(yP(x)),
where
(16)P(x)=(λ(ab2k+a2kb)x2j+λ(ab2j+a2jb)x2khhhh+λ(a2jb2k+a2kb2j)x)2n-i+(λ(ab2j+a2jb)x2ihhhhh+λ(ab2i+a2ib)x2j+λ(a2ib2j+a2jb2i)x)2n-j+(λ(ab2j+a2jb)x2i+λ(ab2i+a2ib)x2jhhhhh+λ(a2ib2j+a2jb2i)x)2n-k+λ(a2jb2k+a2kb2j)x2i+λ(a2ib2k+a2kb2i)x2j+λ(a2ib2j+a2jb2i)x2k.
Therefore,
(17)ℰhλ={x∈𝔽2n:P(x)=0=P(x)2i}.
Let L(λ,a,b)(x)=P(x)2i. Using x2n=x, y2n=y, a2n=a, b2n=b, and λ2n=λ, for all x,y,a,b,λ∈𝔽2n, we have
(18)L(λ,a,b)(x)=(P(x))2i=λ((ab2j+a2jb)x2khhhhh+(ab2k+a2kb)x2jhhhhh+(a2jb2k+a2kb2j)x)+λ2i((a2i+jb2i+k+a2i+kb2i+j)x22ihhhhhhhhh+(a2i+kb22i+a22ib2i+k)x2i+jhhhhhhhhh+(a22ib2i+j+a2i+jb22i)x2i+k)+λ2i-j((a2i-jb2i+a2ib2i-j)x22i-jhhhhhhhhhhh+(a2i-jb22i-j+a22i-jb2i-j)x2ihhhhhhhhhh+(a22i-jb2i+a2ib22i-j)x2i-j)+λ2i-k((a2i-kb2i+j-k+a2i+j-kb2i-k)x22i-khhhhhhhhhh+(a2i-kb22i-k+a22i-kb2i-k)x2i+j-khhhhhhhhhh+(a22i-kb2i+j-k+a2i+j-kb22i-k)x2i-k).
The coefficient of x in L(λ,a,b)(x) is zero if and only if a2jb2k+a2kb2j=0; that is, a2j-kb+ab2j-k=0 which implies that b∈a𝔽2j-k. Therefore, for every 0≠a, b∈𝔽2n such that b∉a𝔽2j-k, the degree of linearized polynomial, L(λ,a,b), in x is at most 22i; this implies that the dimension of the kernel ℰDbDafλ associated with DbDafλ is k(a,b)≤2i if n is even; otherwise k(a,b)≤2i-1. The WHT of DbDafλ at μ∈𝔽2n is
(19)WDbDafλ(μ)≤{2(n+2i)/2,ifn=0mod2,2(n+2i-1)/2,ifn=1mod2.
Therefore,
(20)nl(DbDafλ)={2n-1-2(n+2i-2)/2,ifn=0mod2,2n-1-2(n+2i-3)/2,ifn=1mod2.
Using Proposition 1, we have
(21)nl3(fλ)≥{2n-3-2(n+2i-6)/2,ifn=0mod2,2n-3-2(n+2i-7)/2,ifn=1mod2.
In particular, if gcd(j-k,n)=1, we have k(a,b)≤2i if n is even; otherwise k(a,b)≤2i-1 for all a,b∈𝔽2n such that a≠0 and b∉a𝔽2. Therefore, (20) holds for all a,b∈𝔽2n such that a≠0 and b∉a𝔽2.
Using Proposition 2, we have the following.
When n=0mod2,
(22)nl3(fλ)≥2n-1-12(2n-1)22n-2(2n-2)(2n-1-2(n+2i-2)/2)=2n-1-12(2n-1)2(3n+2i)/2+2n+1-2(n+2i+2)/2.
When n=1mod2,
(23)nl3(fλ)≥2n-1-12(2n-1)22n-2(2n-2)(2n-1-2(n+2i-3)/2)=2n-1-12(2n-1)2(3n+2i-1)/2+2n+1-2(n+2i+1)/2.
Theorem 7.
Let gλ(x)=Tr1n(λx23ℓ+22ℓ+2ℓ+1), for all x∈𝔽2n and λ∈𝔽2n*, where ℓ is a positive integer such that gcd(ℓ,n)=1 and n>6. Then
(24)nl3(gλ)≥{2n-1-12(2n-1)2(3n+6)/2+2n+1-2(n+8)/2,hhhhhhhhhhhhhhhhhhhifn=0mod2,2n-1-12(2n-1)2(3n+5)/2+2n+1-2(n+7)/2,hhhhhhhhhhhhhhhhhhhifn=1mod2.
Proof.
The proof is similar to that of Theorem 6 up to (18). Here the kernel of B(x,y) associated with DbDagλ is ℰ={x∈𝔽2n:P(x)=0=L(λ,a,b)(x)}, where L(λ,a,b)(x) is obtained by replacing i, j, and k in (18) by 3ℓ, 2ℓ, and ℓ, respectively:
(25)L(λ,a,b)(x)=P(x)23ℓ=λ23ℓ((a25ℓb24ℓ+a24ℓb25ℓ)x26ℓhhhhhhh+(a24ℓb26ℓ+a26ℓb24ℓ)x25ℓhhhhhhh+(a26ℓb25ℓ+a25ℓb26ℓ)x24ℓ)+λ2ℓ((a2ℓb23ℓ+a23ℓb2ℓ)x24ℓhhhhhhhh+(a2ℓb24ℓ+a24ℓb2ℓ)x23ℓhhhhhhhh+(a24ℓb23ℓ+a23ℓb24ℓ)x2ℓ)+λ22ℓ((a22ℓb24ℓ+a24ℓb22ℓ)x25ℓhhhhhhhh+(a22ℓb25ℓ+a25ℓb22ℓ)x24ℓhhhhhhhh+(a25ℓb24ℓ+a24ℓb25ℓ)x22ℓ)+λ(ab22ℓ+a22ℓb)x2ℓ+λ(ab2ℓ+a2ℓb)x22ℓ+λ(a22ℓb2ℓ+a2ℓb22ℓ)x.
The coefficient of x in L(λ,a,b)(x) is zero if and only if a22ℓb2ℓ+a2ℓb22ℓ=0; that is, a2ℓb+ab2ℓ=0. Moreover, gcd(ℓ,n)=1 and so, by Proposition 4, b∈a𝔽2. The polynomial L(λ,a,b)(x) as represented in (25) is of the form ∑i=06cix2iℓ and so, again by Proposition 4, the equation L(λ,a,b)(x)=0 has at most 26 roots for all a,b∈𝔽2n such that a≠0 and b∉a𝔽2. This implies that k(a,b)≤6 if n is even; otherwise k(a,b)≤5. The WHT of DbDagλ at μ∈𝔽2n is
(26)WDbDagλ(μ)≤{2(n+6)/2,ifn=0mod2,2(n+5)/2,ifn=1mod2.
Therefore,
(27)nl(DbDagλ)≥{2n-1-2(n+4)/2,ifn=0mod2,2n-1-2(n+3)/2,ifn=1mod2.
Using Proposition 1, we have
(28)nl3(gλ)≥{2n-3-2n/2,ifn=0mod2,2n-3-2(n-1)/2,ifn=1mod2.
Using Proposition 2, we have the following.
When n=0mod2,
(29)nl3(gλ)≥2n-1-12(2n-1)22n-2(2n-2)(2n-1-2(n+4)/2)=2n-1-12(2n-1)2(3n+6)/2+2n+1-2(n+8)/2.
When n=1mod2,
(30)nl3(gλ)≥2n-1-12(2n-1)22n-2(2n-2)(2n-1-2(n+3)/2)=2n-1-12(2n-1)2(3n+5)/2+2n+1-2(n+7)/2.
Remark 8.
Let f∈ℬn be a biquadratic Boolean function. If there exists at least elements a,b∈𝔽2n such that DbDaf is quadratic, then nl3(f)≥2n-4. This result follows from Proposition 1 and the fact that the nonlinearity of any quadratic function in ℬn is at least 2n-2 [11, 22].
4. Comparison
The theoretical lower bounds for third-order nonlinearities obtained by using Theorem 6 for i=3,4,5 and j, k are taken in such a way that gcd(j-k,n)=1 and reported in Tables 1 and 2. The bounds are compared with the general bounds for third-order nonlinearity: nl3(f)≥2n-4, for any biquadratic Boolean function. It is evident that the bounds for i=3,4 are efficiently large and decrease with increasing the value of i. It is to be noted that Class (a) is the more general class of biquadratic monomial Boolean functions containing several classes of highly nonlinear Boolean functions. In particular, for i=5, j=4, and k=3 Class (a) coincides with Kasami functions of algebraic degree 4.
The lower bounds on the third-order nonlinearities obtained by Theorem 6 for odd n and i=3,4,5.
n
7
9
11
13
15
17
19
i=3
11
75
415
2047
9493
42361
184199
i=4
—
41
330
1660
8191
37979
169457
i=5
—
—
163
1200
6642
32767
151923
General bounds
8
32
128
512
2048
8192
32768
The lower bounds on the third-order nonlinearities obtained by Theorem 6 for even n and i=3,4,5.
n
8
10
12
14
16
18
20
i=3
21
150
830
4094
18988
84726
368407
i=4
—
82
560
3321
16283
75960
338919
i=5
—
—
326
2400
13284
65535
303849
General bounds
16
64
256
1024
4096
16384
65536
The theoretical bounds for third-order nonlinearities obtained by using Theorem 7 and Proposition 3 are compared with known classes of functions [4, 11, 12] and reported in Tables 3 and 4. It is to be noted that the lower bounds for third-order nonlinearities of the inverse functions (nl3(finv)≥2n-1-2(7n-2)/8) are larger than that of the Dillon functions (nl3(fdillon)≥2n-1-27n/8) for all n. Thus, it is demonstrated that the lower bound obtained by Theorem 7 is better than the bounds obtained by Gode and Gangopadhyay [12] for Kasami functions: Tr(λx57), Iwata and Kurosawa’s general bound [4] for all n>8. Also these bounds are improved upon Carlet’s [11] bound for inverse function when n is odd, or n=8,12, and equal for the rest of values of even n.
Comparison of the value of lower bounds on third-order nonlinearities obtained by Theorem 6 with the bound obtained in [4, 11, 12] for odd n.
n
Theorem 6
[12]
[4]
[11]
7
12
8
16
6
9
76
—
64
60
11
416
240
256
360
13
2048
992
1024
1864
15
9496
—
4096
8872
17
42368
16256
16384
40272
19
184208
65280
65536
177168
Comparison of the value of lower bounds on third-order nonlinearities obtained by Theorem 6 with the bound obtained in [4, 11, 12] for even n.
n
Theorem 6
[12]
[4]
[11]
8
22
28
32
20
10
152
120
128
152
12
832
—
512
828
14
4096
2016
2048
4096
16
18992
—
8192
18992
18
84736
—
32768
84736
20
368416
130816
131072
368416
5. Conclusion
In this paper, using recursive approach introduced in [11], we have computed the lower bounds of third-order nonlinearities of two general classes of biquadratic monomial Boolean functions. It is demonstrated that in some cases our bounds are better than the bounds obtained previously.
Conflict of Interests
The author declares that there is no conflict of interests regarding the publication of this paper.
Acknowledgments
The author would like to thank the anonymous referees for their time, effort, and extensive comments on the revision of the paper which improve the quality of the presentation of the paper. The work is supported by Council of Scientific and Industrial Research, New Delhi, India.
GolicJ.Fast low order approximation of cryptographic functions19961070Springer268282Lecture Notes in Computer ScienceMeierW.StaffelbachO.Nonlinearity criteria for cryptographic functions1990434Springer549562Lecture Notes in Computer ScienceCourtoisN.Higher order correlation attacks, XL algorithm and cryptanalysis of Toyocrypt20022587Springer182199Lecture Notes in Computer ScienceIwataT.KurosawaK.Probabilistic higher order differential attack and higher order bent functions19991716Springer6274Lecture Notes in Computer ScienceCarletC.CramaY.HammerP.Boolean functions for cryptography and error correcting codes2010chapter of the monographCambridge University Press257397DingC.XiaoG.ShanW.1991561SpringerLecture Notes in Computer ScienceKnudsenL.RobshawM.Non-linear approximations in linear cryptanalysis19961070Springer224236Lecture Notes in Computer ScienceShimoyamaT.KanekoT.Quadratic relation of S-box and its application to the linear attack of full round DES19981462Springer200211Lecture Notes in Computer ScienceWangQ.JohanssonT.A note on fast algebraic attacks and higher order nonlinearities201165844044142-s2.0-7996080616810.1007/978-3-642-21518-6_28FourquetR.TavernierC.An improved list decoding algorithm for the second order Reed-Muller codes and its applications2008491–33233402-s2.0-5134916483510.1007/s10623-008-9184-8CarletC.Recursive lower bounds on the nonlinearity profile of Boolean functions and their applications2008543126212722-s2.0-4094913469410.1109/TIT.2007.915704GodeR.GangopadhyayS.Third-order nonlinearities of a subclass of Kasami functions20102169832-s2.0-8005258658010.1007/s12095-009-0017-zGangopadhyayS.SinghB. K.On second-order nonlinearities of some 𝒟0 type bent functions20121143-42712852-s2.0-8486019988710.3233/FI-2012-628SinghB. K.On second-order nonlinearity and maximum algebraic immunity of some bent functions in 𝒫𝒮+201410.1007/s12190-014-0752-yCarletC.MesnagerS.Improving the upper bounds on the covering radii of binary Reed-Muller codes20075311621732-s2.0-3384606576810.1109/TIT.2006.887494CarletC.More vectorial Boolean functions with unbounded nonlinearity profile2011226125912692-s2.0-8005276339910.1142/S0129054111008696MacWilliamsF. J.SloaneN. J. A.1977Amsterdam, The NetherlandsNorth-HollandGolombS. W.GongG.2005Cambridge University PressRothausO. S.On “bent” functions19762033003052-s2.0-47849098280BrackenC.ByrneE.MarkinN.McGuireG.Determining the nonlinearity of a new family of APN functions200748517279Lecture Notes in Computer Science2-s2.0-38349011295CanteautA.CharpinP.KyureghyanG. M.A new class of monomial bent functions20081412212412-s2.0-3754901176710.1016/j.ffa.2007.02.004SeberryJ.ZhangX. M.ZhengY.Relationships among nonlinearity criteria1995950Springer376388Lecture Notes in Computer Science