Boolean Functions for Cryptography and Error
Correcting Codes
Claude Carlet
∗
∗
LAGA, University of Paris 8, France; e-mail: claude.carlet@univ-paris8.fr.
1
Contents
1 Introduction 5
2 Generalities on Boolean functions 8
2.1 Representation of Boolean functions . . . . . . . . . . . . . . 9
2.2 The discrete Fourier transform on pseudo-Boolean and on
Boolean functions . . . . . . . . . . . . . . . . . . . . . . . . . 21
2.2.1 Fourier transform and NNF . . . . . . . . . . . . . . . 31
2.2.2 The size of the support of the Fourier transform and
its relationship with Cayley graphs . . . . . . . . . . . 32
3 Boolean functions and coding 33
3.1 Reed-Muller codes . . . . . . . . . . . . . . . . . . . . . . . . 36
4 Boolean functions and cryptography 42
4.1 Cryptographic criteria for Boolean functions . . . . . . . . . . 47
4.1.1 The algebraic degree . . . . . . . . . . . . . . . . . . . 48
4.1.2 The nonlinearity . . . . . . . . . . . . . . . . . . . . . 50
4.1.3 Balancedness and resiliency . . . . . . . . . . . . . . . 56
4.1.4 Strict avalanche criterion and propagation criterion . . 59
4.1.5 Non-existence of nonzero linear structure . . . . . . . 59
4.1.6 Algebraic immunity . . . . . . . . . . . . . . . . . . . 61
4.1.7 Other criteria . . . . . . . . . . . . . . . . . . . . . . . 65
5 Classes of functions for which restrictions on the possible
values of the weights, Walsh spectra and nonlinearities can
be proved 69
5.1 Affine functions . . . . . . . . . . . . . . . . . . . . . . . . . . 69
5.2 Quadratic functions . . . . . . . . . . . . . . . . . . . . . . . 69
5.3 Indicators of flats . . . . . . . . . . . . . . . . . . . . . . . . . 72
5.4 Normal functions . . . . . . . . . . . . . . . . . . . . . . . . . 72
5.5 Functions admitting partial covering sequences . . . . . . . . 74
5.6 Functions with low univariate degree . . . . . . . . . . . . . . 77
6 Bent functions 78
6.1 The dual . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
6.2 Bent functions of low algebraic degrees . . . . . . . . . . . . . 82
6.3 Bound on algebraic degree . . . . . . . . . . . . . . . . . . . . 84
6.4 Constructions . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
6.4.1 Primary constructions . . . . . . . . . . . . . . . . . . 85
2
6.4.2 Secondary constructions . . . . . . . . . . . . . . . . . 91
6.4.3 Decompositions of bent functions . . . . . . . . . . . . 99
6.5 On the number of bent functions . . . . . . . . . . . . . . . . 99
6.6 Characterizations of bent functions . . . . . . . . . . . . . . . 100
6.6.1 characterization through the NNF . . . . . . . . . . . 100
6.6.2 Geometric characterization . . . . . . . . . . . . . . . 101
6.6.3 characterization by second-order covering sequences . 102
6.7 Subclasses: hyper-bent functions . . . . . . . . . . . . . . . . 103
6.8 Superclasses: partially-bent functions, partial bent functions
and plateaued functions . . . . . . . . . . . . . . . . . . . . . 105
6.9 Normal and non-normal bent functions . . . . . . . . . . . . . 109
6.10 Kerdock codes . . . . . . . . . . . . . . . . . . . . . . . . . . 111
6.10.1 Construction of the Kerdock code . . . . . . . . . . . 111
7 Resilient functions 113
7.1 Bound on algebraic degree . . . . . . . . . . . . . . . . . . . . 113
7.2 Bounds on the nonlinearity . . . . . . . . . . . . . . . . . . . 115
7.3 Bound on the maximum correlation with subsets of N . . . . 117
7.4 Relationship with other criteria . . . . . . . . . . . . . . . . . 117
7.5 Constructions . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
7.5.1 Primary constructions . . . . . . . . . . . . . . . . . . 119
7.5.2 Secondary constructions . . . . . . . . . . . . . . . . . 124
7.6 On the number of resilient functions . . . . . . . . . . . . . . 131
8 Functions satisfying the strict avalanche and propagation
criteria 133
8.1 P C(l) criterion . . . . . . . . . . . . . . . . . . . . . . . . . . 133
8.1.1 Characterizations . . . . . . . . . . . . . . . . . . . . . 133
8.1.2 Constructions . . . . . . . . . . . . . . . . . . . . . . . 134
8.2 P C(l) of order k and EP C(l) of order k criteria . . . . . . . 134
9 Algebraic immune functions 135
9.1 General properties of the algebraic immunity and its relation-
ship with some other criteria . . . . . . . . . . . . . . . . . . 136
9.1.1 Algebraic immunity of random functions . . . . . . . . 136
9.1.2 Algebraic immunity of monomial functions . . . . . . 136
9.1.3 Functions in odd numbers of variables with optimal
algebraic immunity . . . . . . . . . . . . . . . . . . . . 136
9.1.4 Relationship between normality and algebraic immunity137
3
9.1.5 Relationship between algebraic immunity, weight and
nonlinearity . . . . . . . . . . . . . . . . . . . . . . . . 138
9.2 The problem of finding functions achieving high algebraic im-
munity and high nonlinearity . . . . . . . . . . . . . . . . . . 139
9.3 The functions with high algebraic immunity found so far and
their parameters . . . . . . . . . . . . . . . . . . . . . . . . . 139
10 Symmetric functions 143
10.1 Representation . . . . . . . . . . . . . . . . . . . . . . . . . . 143
10.2 Fourier and Walsh transforms . . . . . . . . . . . . . . . . . . 145
10.3 Nonlinearity . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
10.4 Resiliency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
10.5 Algebraic immunity . . . . . . . . . . . . . . . . . . . . . . . 148
10.6 The super-classes of rotation symmetric and Matriochka sym-
metric functions . . . . . . . . . . . . . . . . . . . . . . . . . 149
4
1 Introduction
A fundamental objective of cryptography is to enable two persons to commu-
nicate over an insecure channel (a public channel such as internet) in such
a way that any other person is unable to recover their message (called the
plaintext) from what is sent in its place over the channel (the ciphertext).
The transformation of the plaintext into the ciphertext is called encryption,
or enciphering. Encryption-decryption is the most ancient cryptographic
activity (ciphers already existed four centuries B. C.) but its nature has
deeply changed with the invention of computers, because the cryptanalysis
(the activity of the third person, the eavesdropper, who aims at recovering
the message) can use their power.
The encryption algorithm takes as input the plaintext and an encryption
key K
E
, and it outputs the ciphertext. If the encryption key is secret, then
we speak of conventional cryptography, of private key cryptography or of
symmetric cryptography. In practice, the principle of conventional cryptog-
raphy relies on the sharing of a private key between the sender of a message
(often called Alice in cryptography) and its receiver (often called Bob). If,
on the contrary, the encryption key is public, then we speak of public key
cryptography. Public key cryptography appeared in the literature in the late
seventies.
The decryption (or deciphering) algorithm takes as input the ciphertext and
a secret
1
decryption key K
D
. It outputs the plaintext.
-
Decryption
- -
Encryption
plaintext ciphertext
plaintext
public
channel
K
E
K
D
bb
Public key cryptography is preferable to conventional cryptography, since
it allows to securely communicate without having previously shared keys in
a secure way: every person who wants to receive secret messages can keep
secret a decryption key and publish an encryption key; if n persons want to
secretly communicate pairwise using a public key cryptosystem, they need n
1
According to principles already stated in 1883 by A. Kerckhoffs [212], who cited a still
more ancient manuscript by R. du Carlet [50], only the secret keys must be kept secret –
the confidentiality should not rely on the secrecy of the encryption method – and a cipher
cannot be considered secure if it can be decrypted by the designer himself.
5