The lower bounds on the second order nonlinearity of three classes of Boolean functions with high nonlinearity

Information Sciences 179 (2009) 267–278 Contents lists available at ScienceDirect Information Sciences journal homepage: www.elsevier.com/locate/ins...

Download PDF

272KB Sizes 0 Downloads 53 Views

Report

PDF Reader
Full Text

Information Sciences 179 (2009) 267–278

Contents lists available at ScienceDirect

Information Sciences journal homepage: www.elsevier.com/locate/ins

The lower bounds on the second order nonlinearity of three classes of Boolean functions with high nonlinearity q Guanghong Sun a,b,c,*, Chuankun Wu a a b c

The State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences, 4# South Fourth Street, Beijing 100190, China The Graduate University of the Chinese Academy of Sciences, Beijing 100049, China College of Sciences, Hohai University, Nanjing 210098, China

a r t i c l e

i n f o

Article history: Received 14 April 2008 Received in revised form 23 September 2008 Accepted 1 October 2008

a b s t r a c t The rth order nonlinearity of Boolean functions is an important cryptographic criterion associated with some attacks on stream and block ciphers. It is also very useful in coding theory, since it is related to the covering radii of Reed–Muller codes. This paper tightens the lower bounds of the second order nonlinearity of three classes of Boolean functions in the form f ðxÞ ¼ trðxd Þ in n variables, where (1) d ¼ 2mþ1 þ 3 and n ¼ 2m, or (2) d ¼ mþ1 2m þ 2 2 þ 1, n ¼ 2m and m is odd, or (3) d ¼ 22r þ 2rþ1 þ 1 and n ¼ 4r. Ó 2008 Elsevier Inc. All rights reserved.

Keywords: Boolean function Cryptography Nonlinearity Derivation Walsh coefﬁcient Reed–Muller code

1. Introduction Boolean functions are the core components in the design of many symmetric key cryptosystems (stream ciphers and block ciphers). A characteristic of Boolean functions, called their nonlinearity proﬁle, plays an important role with respect to the afﬁne approximation attack on the cryptosystems in which such functions are involved. Let f : F 2n # F 2 be an n-variable Boolean function. For every nonnegative integer r 6 n, we denote by nlr ðf Þ the minimum Hamming distance of f and all functions of algebraic degrees at most r (in the case of r ¼ 1, we shall simply write nlðf Þ). In other words, nlr ðf Þ equals the distance from f in its truth table representation to the Reed–Muller code RMðr; nÞ of length 2n and of order r. This distance is called the rth order nonlinearity of f (simply the nonlinearity in the case when r ¼ 1). It is seen by deﬁnition that the maximum rth order nonlinearity of all Boolean functions in n variables equals the covering radius of RMðr; nÞ [9]. The nonlinearity proﬁle of a function f is the sequence of those values nlr ðf Þ for r ranging from 1 to n 1. Unfortunately, so far very little is known about nlr ðf Þ for r > 1. The best known upper bound [7] on nlr ðf Þ has an asymptotic version

nlr ðf Þ ¼ 2n1

pﬃﬃﬃﬃﬃﬃ pﬃﬃﬃ n 15 ð1 þ 2Þr2 22 þ Oðnr2 Þ: 2

q

This work was supported by the Natural Science Foundation of China under Grant No. 60673068. * Corresponding author. Address: The State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences, 4# South Fourth Street, Beijing 100190, China. E-mail addresses: [email protected] (G. Sun), [email protected] (C. Wu). 0020-0255/$ - see front matter Ó 2008 Elsevier Inc. All rights reserved. doi:10.1016/j.ins.2008.10.002

268

G. Sun, C. Wu / Information Sciences 179 (2009) 267–278

Computing the rth order nonlinearity of a given Boolean function with algebraic degree strictly greater than r is a difﬁcult task for r > 1. In the case when r ¼ 1, much study has been done, both in theoretical analysis and algorithm implementation, since the nonlinearity is related to the Walsh transform, which can be computed by the algorithm of the fast Fourier transform (FFT). For r > 1, very little is known, even the second order nonlinearity is known only for a few particular functions and for functions in small number of variables. A nice algorithm due to Kabatiansky and Tavernier was improved and implemented by Fourquet and Tavernier [16], Kabatiansky and Tavernier[18] and Dumer et al. [15], which works well for r ¼ 2 and n 6 11 (in some cases, n 6 13). The algorithm can be applied for higher orders of nonlinearity, but it is less efﬁcient except when the function is in very small number of variables. While the exact value of the rth order nonlinearity of a Boolean function is difﬁcult to compute, the lower bounds can be useful. However to ﬁnd a good lower bound is also a quite difﬁcult task, even for the second order nonlinearity. Until recently, there has been only one attempt, by Iwata–Kurosawa [17], to construct functions with lower bounded rth order nonlinearity. However, the lower bound is a small value 2nr3 ðr þ 5Þ, r 6 n 3. A lower bound on the rth order nonlinearity of functions with given algebraic immunity has been studied in [6] and improved in [4]. It gives better results than those of [17] for functions f with good algebraic immunity AIðf Þ, i.e., when AIðf Þ is close to its upper bound d2ne. In this case, the lower bound is roughly equal to

max

AIðfX Þr1 i¼0

AIðfX ! Þr1 nr ;2 ; i i i¼0

n

which is still a small value in many cases. In [5], Carlet deduced the lower bounds of the second order nonlinearity of several classes of Boolean functions, such as t and n odd, or when t ¼ nþ1 and n odd, and the inverse function the Welch function f ðxÞ ¼ trðx2 þ3 Þ, when t ¼ n1 2 2 Pn1 2i 2n 2 Þ. Here trðxÞ denotes the trace function trðxÞ ¼ i¼0 x from F 2n into F 2 . The approach was to study the nonlinf ðxÞ ¼ trðx earity of the derivative of the function f. In this paper, we deduce the lower bounds of the second order nonlinearity of another three classes of Boolean functions, that is, f ðxÞ ¼ trðxd Þ, where (1) d ¼ 2mþ1 þ 3 and n ¼ 2m, or mþ1 (2) d ¼ 2m þ 2 2 þ 1, n ¼ 2m and m is odd, or 2r (3) d ¼ 2 þ 2rþ1 þ 1 and n ¼ 4r. The reason for choosing these three classes of Boolean functions is that they are known to have high nonlinearity [10,19]. More precisely, the following are known from public literatures. mþ1

Let m be an odd integer and n ¼ 2m. Then for d ¼ 2m þ 2 2 þ 1, the Walsh coefﬁcients of the function f ðxÞ ¼ trðxd Þ have only three values 0; 2mþ1 (see [10]). Let m be an odd integer and n ¼ 2m. Then for d ¼ 2mþ1 þ 3, the Walsh coefﬁcients of the function f ðxÞ ¼ trðxd Þ have only three values 0; 2mþ1 (see [10]). 2r rþ1 Let n ¼ 4r and r be odd. Then the function f ðxÞ ¼ trðax2 þ2 þ1 Þ is a bent function for some a 2 F 2n (see [19]). From the relationship between the Walsh coefﬁcients and the nonlinearity of a Boolean function which is introduced later, it is seen that the above three classes of Boolean functions all have high nonlinearity. The rest of the paper is organized as follows: In Section 2, we give some preliminaries that will be needed in the sequel. Section 3 gives the main results, the lower bounds of the second order nonlinearity of three classes of Boolean functions. Section 4 concludes the paper. 2. Preliminaries Let F 2 ¼ f0; 1g be the binary ﬁeld, F n2 be the n-dimensional vector space over F 2 . A mapping from F n2 into F 2 is called a Boolean function in n variables, denoted by f ðx1 ; x2 ; . . . ; xn Þ, or f ðxÞ in brief. Let Bn be the set of all the n-variable Boolean functions. One of the representations of a Boolean function f ðx1 ; x2 ; . . . ; xn Þ is by its truth table, i.e., the vector of all of its outputs which form a binary vector of dimension 2n ,

f ¼ ½f ð0; 0; . . . ; 0Þ; f ð1; 0; . . . ; 0Þ; f ð0; 1; . . . ; 0Þ; f ð1; 1; . . . ; 0Þ; . . . ; f ð1; 1; . . . ; 1Þ: The Hamming weight of a Boolean function f 2 Bn is the number of nonzero coordinates in its truth table, denoted by wt(f). The support of f ðxÞ is deﬁned as the set suppðf Þ ¼ fx 2 F n2 jf ðxÞ ¼ 1g. The Hamming distance dðf ; gÞ between two Boolean functions f ðxÞ and gðxÞ is the number of their different coordinates, which equals the Hamming weight of their sum f þ g, where + denotes the addition on F 2 , i.e., the XOR. We say that a Boolean function f is balanced if its truth table contains an equal number of 1’s and 0’s, that is, if its Hamming weight equals 2n1 . For cryptographic applications, we are more interested in the algebraic properties of Boolean functions. However the truth table of a Boolean function does not give much information about the algebraic complexity of the function. So we need

G. Sun, C. Wu / Information Sciences 179 (2009) 267–278

269

another representation of Boolean functions. A Boolean function f ðxÞ has a unique representation as a multivariate polynomial over F 2 , called the algebraic normal form (ANF), that is

X

f ðx1 ; x2 ; . . . ; xn Þ ¼

aI

Y

I # f1;2;...;ng

xi ;

i2I

where the aI 2 F 2 . The algebraic degree, denoted by degðf Þ, is the number of variables in the highest order term with nonzero coefﬁcient. A Boolean function is afﬁne if it has degree at most 1. The set of all afﬁne functions is denoted by An . Let a; x 2 F n2 , deﬁne their scalar product to be ha; xi ¼ a1 x1 þ a2 x2 þ þ an xn , a; x 2 F n2 . Let f : F n2 # F 2 be a Boolean function, then the function

a 2 F n2 # W f ðaÞ ¼

X

ð1Þf ðxÞþha;xi

x2F n2

is called the Walsh transform of f. Moreover, the values W f ðaÞ for all a 2 F n2 are called the Walsh coefﬁcients of f. It is trivial to deduce that the relation between the nonlinearity and the Walsh coefﬁcients is

nlðf Þ ¼ 2n1

1 max jW f ðaÞj: 2 a2F n2

ð1Þ

P n By Parseval’s equality, a2F n W f ðaÞ2 ¼ 22n , we have nlðf Þ 6 2n1 221 . When the equality holds, we call the Boolean func2 tion a bent function. Obviously, n must be even when the function f is bent. Therefore when n is even, the nonlinearity of bent functions reaches the maximum value, and hence can withstand the linear attack (to be more precise, linear approximation or afﬁne approximation attack) to the most extent [8], and can also well withstand the correlation attack [3,11]. Since there is a natural isomorphic mapping from F n2 to the Galois ﬁeld L ¼ F 2n , for the simplicity of discussion, we will identify the vector space F n2 the same as the Galois ﬁeld L ¼ F 2n . In fact, a vector in F n2 is the coordinates of an element in F 2n when represented by a ﬁxed primitive element. Let m j n and E ¼ F 2m . The function n

tr L=E ðxÞ ¼

m1 X

mi

x2

i¼0

is called a trace function from L to E. If m ¼ 1, namely E ¼ F 2 , we denote trL=E simply by tr which is called the absolute trace function. The trace function has the following properties [20]: (a) trL=E ðax þ byÞ ¼ atrL=E ðxÞ þ btr L=E ðyÞ for all x; y 2 L and a; b 2 E. (b) tr L=E ðxq Þ ¼ trL=E ðxÞ for all x 2 L and q ¼ 2m . (c) Let K be a ﬁnite ﬁeld, F be a ﬁnite extension of K, and E be a ﬁnite extension of F, that is K F E. Then trE=K ðxÞ ¼ trF=K ðtr E=F ðxÞÞ for all x 2 E. As the notion of the Walsh transform refers to a scalar product, it is convenient to choose the isomorphism from F n2 to L ¼ F 2n in such a way that the canonical scalar product h; i in F n2 coincides with the canonical scalar product in L, which is the trace of the product, so we can write

hx; yi ¼

n X

xi yi ¼ trðxyÞ;

x; y 2 L:

i¼1

Therefore the Walsh transform of f : L # F 2 can be written as

W f ðaÞ ¼

X ð1Þf ðxÞ vðaxÞ;

a 2 L;

x2L

where

vðxÞ ¼ ð1ÞtrðxÞ is the canonical additive character on L. We deﬁne the derivative of f in the direction a 2 F n2 , denote by Da f , as

Da f ¼ f ðxÞ þ f ðx þ aÞ: Applying such discrete derivation several times to a function f leads to a higher order derivative

Da1 Dak f ðxÞ ¼

X u2F k2

f xþ

k X i¼1

! ui ai :

270

G. Sun, C. Wu / Information Sciences 179 (2009) 267–278

Note n o P (1) If a1 ; . . . ; ak are not linearly independent, then Da1 Dak f is zero; otherwise, the set x þ ki¼1 ui ai ju 2 F k2 is a k-dimensional ﬂat. (2) Every derivation reduces the algebraic degree of f by at least 1.

3. The lower bounds of the second order nonlinearity of three classes of Boolean functions In this section we study the lower bounds of the second order nonlinearity of Boolean functions in n variables in the form of f ðxÞ ¼ trðxd Þ, where (1) d ¼ 2mþ1 þ 3 and n ¼ 2m, or mþ1 (2) d ¼ 2m þ 2 2 þ 1, n ¼ 2m, and m is odd, or 2r (3) d ¼ 2 þ 2rþ1 þ 1 and n ¼ 4r. These three classes of Boolean functions are known to have high nonlinearity (see [10,19]). However, high nonlinearity i does not guarantee that the second order nonlinearity is also high. For example, bent function f ðxÞ ¼ trðx2 þ1 Þ has the maximum nonlinearity, but it is trivial to verify that the second order nonlinearity of the function is zero. Hence it is interesting to study the lower bounds of the second order nonlinearity of Boolean functions. As far as we know, there are few results about the lower bounds of the second order nonlinearity of Boolean functions. In the following, we will make use of the multivariate method which was introduced by Hans Dobbertin. Recently, the method has often been used in the study of Boolean functions (see [1,2,12–14]). The following lemma is important to prove our conclusions. Lemma 1 [5]. Let f be any n-variable function and r be a positive integer smaller than n. Then we have

nlr ðf Þ P 2n1

1 2

sﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃ ﬃ X nlr1 ðDa f Þ: 22n 2

ð2Þ

a2F n2

By Lemma 1, we obtain the following corollary. Corollary 1. Let f be an n-variable Boolean function and r a positive integer smaller than n. Assume that for some nonnegative integer K and k, we have nlr1 ðDa f Þ P 2n1 K2k for every nonzero a 2 F n2 , then

nlr ðf Þ P 2n1

1 2

qﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃ pﬃﬃﬃﬃ nþk1 ð2n 1ÞK2kþ1 þ 2n 2n1 K 2 2 :

ð3Þ

Below we will deduce the lower bounds of the second order nonlinearity of Boolean functions. By Lemma 1, if we can calculate the lower bound of the nonlinearity of the Boolean function Da f , then it is possible to obtain a lower bound of the second order nonlinearity of f. We consider the following cases. 3.1. When d ¼ 2mþ1 þ 3 and n ¼ 2m Lemma 2. Any derivative, in a nonzero direction, of the function f ðxÞ ¼ trðxd Þ, has nonlinearity satisfying

( nlðDa f Þ P

22m1 2m ; 2

2m1

if a R F 2m ;

3m 2

2 ; if a 2 F 2m ;

where d ¼ 2mþ1 þ 3 and n ¼ 2m. mþ1

Proof. Since f ðxÞ ¼ trðx2

þ3

Þ, we have

Da f ðxÞ ¼ f ðx þ aÞ þ f ðxÞ ¼ trððx þ aÞ2 ¼ trðx2

mþ1

þ2

mþ1

a þ x2

mþ1

mþ1

þ1 2

a þ x2

þ3

Þ þ trðx2

mþ1

mþ1

a3 þ x3 a2

þ3

mþ1

Þ ¼ trððx2

þ x2 a2

mþ1

þ1

þ2

þ x2

mþ1

þ xa2

þ2

mþ1

a2 þ x2 a2

þ a2

mþ1

þ3

mþ1

þ a2

mþ1

þ2

Þðx þ aÞ þ x2

mþ1

þ3

Þ:

Write gðxÞ ¼ Da f ðxÞ, then we get

gðxÞ þ gðx þ yÞ ¼ trððx2

mþ1

þ y2 a2 ¼ trðx þy

y2 þ x2 y2

mþ1

2mþ1

þ1

þ ya2

2

ðy a þ y

2mþ1 3

mþ1

mþ1

þ2

a

mþ1

þ2

mþ1

Þa þ ðx2

y þ xy2

mþ1

þ y2

mþ1

þ1

mþ1

Þa2 þ y2

a3 þ ðxy2 þ x2 y þ y3 Þa2

Þ

22mþ1 2m

3 2mþ1

a þy a

þ y2

þ ya2 þ y2

2 2mþ1 þ1

þy a

2mþ2

þ ya

a2

mþ2

2mþ1 þ2

Þ:

þ y2

mþ2

a2

2mþ2

m

þ y2 a2

2mþ1

Þ þ y2

mþ1

þ2

a þ y2

mþ1

þ1 2

a

mþ1

Þ

271

G. Sun, C. Wu / Information Sciences 179 (2009) 267–278

In order to compute the nonlinearity of function Da f , we ﬁrst calculate the Walsh coefﬁcients of the derivative of f. In fact, here we compute the square of the Walsh coefﬁcients of Da f .

X

W Da f ðbÞ2 ¼

X

ð1ÞgðxÞþgðzÞþtrððxþzÞbÞ ¼

x;z2F 2n

X

¼

x;y2F 2n

X

ð1ÞtrðL2 ðyÞ Þ

y2F 2n

ð1Þtrðx

2mþ1 L

X

ð1ÞgðxÞþgðxþyÞþtrðbyÞ ¼

ð1Þtrðx

2mþ1 L

1 ðyÞþL2 ðyÞÞ

x;y2F 2n

1 ðyÞÞ

;

x2F 2n

where

L1 ðyÞ ¼ y2 a þ y2 L2 ðyÞ ¼ y

2mþ1 þ2

2mþ1

m

2mþ2

a2 þ ya2 þ y2

aþy

2mþ1 þ1 2

a2

mþ2

2mþ1 3

a þy

mþ2

þ y2

3 2mþ1

a þy a

a2

2mþ2

m

þ y2 a2

2 2mþ1 þ1

þy a

2mþ1

;

2mþ1 þ2

þ ya

þ by:

By the well known fact that

X

2mþ1 L

ð1Þtrðx

1 ðyÞÞ

¼

2n ; L1 ðyÞ ¼ 0; 0;

x2F 2n

else;

we have that

W Da f ðbÞ2 ¼ 2n

X ð1ÞtrðL2 ðyÞÞ ; y2M

where M ¼ fy 2 F 2n jL1 ðyÞ ¼ 0g: It is easy to verify that L2 ðyÞ is a linear function over the set M and M is a vector space over F 2 . Let the dimension of M be k, then we have

W Da f ðbÞ2 ¼ 2nþk

or 0:

Hence we only need to calculate the dimension of M, that is, we only need to calculate the number of the solutions of the linear equation over F 2n ,

L1 ðxÞ ¼ x2 a þ x2 Let us denote y ¼ x 2

2m

2

2mþ1

m

a2 þ xa2 þ x2

2mþ2

a2

mþ2

þ x2

mþ2

a2

2mþ2

m

2mþ1

þ x2 a2

¼ 0:

ð4Þ

2m

and b ¼ a , then Eq. (4) becomes 4

2

x a þ x b þ xa þ x4 b þ y4 a4 þ ya2 ¼ 0:

ð5Þ

m

Raising both sides of Eq. (5) to the 2 power gives 2

4

2

y2 b þ y2 a þ yb þ y4 a4 þ x4 b þ xb ¼ 0:

ð6Þ

Adding Eq. (5) to Eq. (6) gets the following equation: 2

2

2

2

xa2 þ ya2 þ x2 a þ y2 a þ bx þ by þ b x þ b y ¼ 0:

ð7Þ

Squaring Eq. (7), we get the following equation: 2

2

4

4

x2 a4 þ y2 a4 þ x4 a2 þ y4 a2 þ b x4 þ b y4 þ b x2 þ b y2 ¼ 0:

ð8Þ

4

Eliminating the variable y from Eqs. (8) and (5) gives the following equation: 2

4

4

4

2

2

2

2

0 ¼ x2 a8 þ y2 a8 þ x4 a6 þ b x4 a4 þ b x2 a4 þ b y2 a4 þ xa4 þ ya4 þ x2 a3 þ b x4 a2 þ bx a2 þ b xa2 þ b ya2 þ b x2 a 6

3

þ b x4 þ b x2 :

ð9Þ

Eliminating the variable y4 from Eq. (8) and the equation that comes from squaring Eq. (9) gives the equation 4

4

2

8

8

4

6

0 ¼ x2 a20 þ y2 a20 þ b x2 a16 þ b y2 a16 þ x8 a14 þ b x8 a12 þ b x2 a12 þ b y2 a12 þ b x8 a10 þ x2 a10 þ y2 a10 þ b x8 a8 12

2

12

2

8

4

4

10

6

6

þ x4 a8 þ b x2 a8 þ b x2 a8 þ b y2 a8 þ b y2 a8 þ b x8 a6 þ b x2 a6 þ b y2 a6 þ b x8 a4 þ b x2 a4 þ b y2 a4 12

14

8

þ b x8 a2 þ b x8 þ b x4 :

ð10Þ

Eliminating the variable y2 from Eqs. (9) and (10) gives the equation 2

2

2

2

2

2

3

0 ¼ x4 a26 þ b x4 a24 þ xa24 þ ya24 þ x2 a23 þ x8 a22 þ bx a22 þ b xa22 þ b ya22 þ b x2 a21 þ b x8 a20 þ b x2 a20 4

20

þ b xa

4

þ b ya

9

20

4 2 19

þb x a

10

5 2 18

þb x a

6

18

þ b xa

10

6

þ b ya

18

6 2 17

þb x a

10

7 2 16

þb x a 11

8

16

þ b xa 2

8

þ b ya

16

8

þ b x2 a15

12

12

16 8 6

8

þ b x2 a14 þ b xa14 þ xa14 þ b ya14 þ ya14 þ b x2 a13 þ x2 a13 þ b x2 a12 þ bx a12 þ b xa12 þ b ya12 12 2 11

þb x a 8

16 4 10

þb x a 8

13 2 10

þb x a

18

9

14

10

þ b xa

þ b ya6 þ b x2 a5 þ b x8 a4 þ b x2 a4 :

14

þ b ya

10

14 2 9

18 4 8

15 2 8

þ b x a þ b x a þ b x a þ b x a þ b xa6 ð11Þ

272

G. Sun, C. Wu / Information Sciences 179 (2009) 267–278

Eliminating the variable y2 from Eq. (10) and the equation that comes from squaring Eq. (11) gives the following equation: 2

16

8

10

32

16

32

2

4

0 ¼ a12 ða20 þ a10 þ b a8 þ b a4 þ b a2 þ b Þða32 þ b Þx16 þ a12 ða16 þ b Þða44 þ a14 þ b a12 þ b a12 þ b a10 6

8

10

12

14

2

8

4

32

16

20

þ b a8 þ b a6 þ b a4 þ b a2 þ b Þx8 þ a16 ða2 þ b Þða8 þ b Þða40 þ a20 þ b a16 þ b a8 þ b a4 þ b Þx4 ; 4

8

16

ð12Þ

4

which is an equation in x ; x , and x . Let x be replaced by x, and denote Eq. (12) as PðxÞ ¼ 0. Then PðxÞ ¼ 0 must be an equation in x; x2 , and x4 , that is, 2

16

8

10

32

16

32

2

4

0 ¼ a12 ða20 þ a10 þ b a8 þ b a4 þ b a2 þ b Þða32 þ b Þx4 þ a12 ða16 þ b Þða44 þ a14 þ b a12 þ b a12 þ b a10 6

8

10

12

14

2

8

4

32

16

20

þ b a8 þ b a6 þ b a4 þ b a2 þ b Þx2 þ a16 ða2 þ b Þða8 þ b Þða40 þ a20 þ b a16 þ b a8 þ b a4 þ b Þx:

ð13Þ

We consider the following two cases. Case 1 When PðxÞ does not equal the constant zero, the degree of PðxÞ must be either 4, or 2, or 1. This means that k 6 2, so we have

W Da f ðbÞ2 6 2nþ2 ; n

hence jW Da f ðbÞj 6 22þ1 . Therefore by Eq. (1) we have

nlðDa f Þ ¼ 2n1

n 1 max jW Da f ðbÞj P 2n1 22 : 2 b2F 2n

2

16

8

10

32

Case 2. When PðxÞ equals the constant zero, we must have a12 ða20 þ a10 þ b a8 þ b a4 þ b a2 þ b Þða32 þ b Þ ¼ 0, that is, 32 3 2 3 2 a12 ða þ bÞ10 ða32 þ b Þð1 þ a5 þ a2 b þ a4 b þ a3 b Þ2 ¼ 0. Therefore, we have a ¼ b or 1 þ a5 þ a2 b þ a4 b þ a3 b ¼ 0. However, 5 2 3 4 3 2 it is easy to verify that 1 þ a þ a b þ a b þ a b –0. Otherwise, we have the system of the two equations 3 2 5 2 4 3 1 þ a5 þ a2 b þ a4 b þ a3 b ¼ 0 and 1 þ b þ b a3 þ b a þ b a2 ¼ 0. Eliminating a from the above the system gives the contradiction 1 ¼ 0. Therefore we obtain a ¼ b. In this case, Eq. (5) becomes the equation ðx þ yÞ þ ðx þ yÞ4 a2 ¼ 0, that is, m mþ2 ¼ 0 whose number of the solutions is at most 2mþ2 . Hence k 6 m þ 2 and x þ a2 x4 þ x2 þ a2 x2

W Da f ðbÞ2 6 2nþmþ2 ; nþm þ1 2

hence jW Da f ðbÞj 6 2

. Therefore by Eq. (1) we have

nþm 1 nlðDa f Þ ¼ 2n1 max jW Da f ðbÞj P 2n1 2 2 : 2 b2F 2n

Therefore Lemma 2 holds. h Theorem 1. Let f ðxÞ ¼ trðxd Þ, where d ¼ 2mþ1 þ 3 and n ¼ 2m. Then we have

nl2 ðf Þ P 22m1

1 2

qﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃ 5m 3m 2 2 þ1 þ 23mþ1 22m 2 2 þ1 :

Proof. By Lemmas 1 and 2, we get the following:

nl2 ðf Þ P 2n1

1 2

qﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃ sﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃ ﬃ X nþm n 1 22n 2ð2m 1Þð2n1 2 2 Þ 2ð2n 2m Þð2n1 22 Þ nlðDa f Þ P 2n1 22n 2 2 n a2F 2

qﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃ 5m 3m 1 ¼ 22m1 2 2 þ1 þ 23mþ1 22m 2 2 þ1 : 2 Hence the conclusion of the theorem follows. h When n ¼ 4, the above lower bound gives nl2 ðf Þ P 2, while the exact value of the second order nonlinearity of f is 2. This means that the lower bound in Theorem 1 is tight. When n ¼ 6, the above lower bound gives nl2 ðf Þ P 17, and the exact value of the second order nonlinearity of f is 20. In this case the lower bound is close. 3.2. When d ¼ 2m þ 2

mþ1 2

þ 1, n ¼ 2m and m is odd

Lemma 3. Any derivative, in a nonzero direction, of the function f ðxÞ ¼ trðxd Þ, has nonlinearity satisfying

( nlðDa f Þ P m

22m1 2m ; 2

mþ1 2

where d ¼ 2 þ 2

2m1

if a R F 2m ;

3m 2

2 ; if a 2 F 2m ;

þ 1, n ¼ 2m and m is odd.

273

G. Sun, C. Wu / Information Sciences 179 (2009) 267–278

Proof. Let r ¼ mþ1 , then we have m ¼ 2r 1, n ¼ 4r 2, and d ¼ 22r1 þ 2r þ 1. Since f ðxÞ ¼ trðx2 2

Da f ðxÞ ¼ f ðx þ aÞ þ f ðxÞ ¼ trððx þ aÞ2 ¼ trððx ¼ trðx

2

2r1

þ2

22r1 þ2r

r

þx

2

aþx

2r1

2

r

m

r

2

mþ1 þ2 2 þ1

2

a þx a

22r1 þ1 2r

a þx

2r1

Þ þ trðx2 22r1 þ2r

þa

22r1 2r þ1

a

þx

m

mþ1 þ2 2 þ1

2r1

2r

a

þ2

mþ1 2 þ1

Þ, we have

Þ

Þðx þ aÞ þ x2

2r þ1 22r1

m

þ2r þ1

22r1 þ1

þx a

Þ

þ xa2

2r1

þ2r

þ a2

2r1

þ2r þ1

Þ:

Write gðxÞ ¼ Da f ðxÞ, then we have

gðxÞ þ gðx þ yÞ ¼ trððx2 þ y2 ¼ trðx

2r1

2r1

2r1

r

þ y2

r

2r1

þ2r

Þa þ ðx2

r

r

23r2 2r1

2r

þ ya þ ya

22r1 þ1 2r

22r1 2r þ1

2r

ðy a þ y

22r1 þ2r

2r

r

2r1

2r1

a2 þ1 þ ðxy2 þ x2 y þ y2 þ1 Þa2

22r1

þ ðy

r

y2 þ x2 y2

aþy

22r1 þ1

þy a

a

a þy

22r1 þ2r

þ ya

r

2r1

þ y2 a 2

23r1

a

2r1

y þ xy2 23r1

þy

þ1

þ y2

2r1

þ ya2

þ1

2r1

þ2r

2r1 23r2

aþy

a

Þa2

r

Þ

Þ

2r þ1 22r1

þy

a

ÞÞ:

Now we calculate the Walsh coefﬁcients of the derivative of f. In fact, here we compute the square of the Walsh coefﬁcients of Da f

X

W Da f ðbÞ2 ¼

x;z2F

X

¼

X

ð1ÞgðxÞþgðzÞþtrððxþzÞbÞ ¼

2n

ð1ÞgðxÞþgðxþyÞþtrðbyÞ ¼

x;y2F 2n

ð1ÞtrðL2 ðyÞ Þ

y2F 2n

X

ð1Þ

2r1 trðx2 L

X

ð1Þtrðx

22r1 L

1 ðyÞþL2 ðyÞÞ

x;y2F 2n

1 ðyÞÞ

;

x2F 2n

where r

3r2

L1 ðyÞ ¼ y2 a þ y2 L2 ðyÞ ¼ y

2r1

2

r

þ2

r1

r

a2

aþy

þ ya2 þ ya2

2r1

2

þ1 2

r

a þy

2

2r1

3r1

þ y2

r

2 þ1

a

3r1

a þ y2 a2

3r2

2r1

r1

2r

r

2 þ1 2

þy

a

;

þ y a2

2r1

þ1

þ ya2

2r1

þ2r

þ by:

By the well known fact that

X

22r1 L ðyÞÞ 1

ð1Þtrðx

¼

2n ; L1 ðyÞ ¼ 0; 0;

x2F 2n

else;

we have that

X ð1ÞtrðL2 ðyÞÞ ;

W Da f ðbÞ2 ¼ 2n

y2M

where M ¼ fy 2 F 2n jL1 ðyÞ ¼ 0g: It is easy to verify that L2 ðyÞ is a linear function over the set M and M is a vector space over F 2 . Let the dimension of M be k, then we have

W Da f ðbÞ2 ¼ 2nþk

or 0:

Hence we only need to calculate the dimension of M, that is, we only need to calculate the number of the solutions of the linear equation over the F 2n , r

L1 ðxÞ ¼ x2 a þ x2

3r2

a2

r

r1

r

3r1

þ xa2 þ xa2

r

r

þ x2 r

3r1

r1

a þ x2 a2 2

r

3r2

¼ 0:

ð14Þ

r

Let us denote y ¼ x2 , z ¼ y2 , s ¼ z2 and b ¼ a2 , c ¼ b , d ¼ c2 , then raising both sides of Eq. (14) to the 4 power becomes 2

4

2

y4 a4 þ sb þ x4 b þ x4 d þ s2 a4 þ y2 d ¼ 0:

ð15Þ

Raising both sides of Eq. (15) to the 2r1 power gives the following equation: 2

2

z2 b þ x2 c þ y2 c2 þ y2 a4 þ x4 b þ za2 ¼ 0:

ð16Þ

Raising both sides of Eq. (16) to the 2r power gives the equation 2

4

2

s2 c2 þ y2 d þ z2 d þ z2 b þ y4 c2 þ sb ¼ 0: Raising both sides of Eq. (17) to the 2 4

2

4

2

2

2

r1

ð17Þ

power gives the equation

x d þ za þ sa þ sc þ z d þ x c ¼ 0:

ð18Þ

274

G. Sun, C. Wu / Information Sciences 179 (2009) 267–278

In Eqs. (15)–(18), replacing y2 with y and x2 with x gives the following equations, respectively, 2

4

2

y2 a4 þ sb þ x2 b þ x2 d þ s2 a4 þ yd ¼ 0; 2 2

2

2 2

4

ð19Þ

2

z b þ xc þ yc þ ya þ x b þ za ¼ 0; 2

4

ð20Þ

2

s2 c2 þ yd þ z2 d þ z2 b þ y2 c2 þ sb ¼ 0

ð21Þ

x2 d þ za2 þ sa4 þ sc2 þ z2 d þ xc ¼ 0:

ð22Þ

and

Eliminating s2 from Eqs. (19) and (21) gives the following equation: 4

2

2

4

4

2

2

0 ¼ b z2 a4 þ d z2 a4 þ b sa4 þ dya þ b c2 x2 þ c2 d x2 þ b c2 s þ c2 dy:

ð23Þ

Eliminating s from Eqs. (22) and (23) gives the equation 4

2

8

2

4

2

2

2

4

2

2

2

2

0 ¼ b z2 a8 þ d z2 a8 þ dya þ b za6 þ b c2 x2 a4 þ c2 d x2 a4 þ b dx a4 þ b c2 z2 a4 þ c2 d z2 a4 þ b dz a4 þ b cxa4 2

4

2

2

2

2

2

2

þ b c2 za2 þ b c4 x2 þ c4 d x2 þ b c2 dx þ b c2 dz þ b c3 x þ c4 dy:

ð24Þ

Squaring Eq. (22) gives the equation 2

2

s2 a8 þ z2 a4 þ d x4 þ d z4 þ c4 s2 þ c2 x2 ¼ 0:

ð25Þ

Eliminating s2 from Eqs. (21) and (25) gives the equation 4

2

2

8

2

2

4

2

2

0 ¼ c2 y2 a8 þ b z2 a8 þ d z2 a8 þ b sa8 þ dya þ c2 z2 a4 þ c2 d x4 þ c2 d z4 þ c4 x2 þ c6 y2 þ b c4 z2 þ c4 d z2 þ b c4 s 4

þ c dy:

ð26Þ

Eliminating s from Eqs. (23) and (26) gives the equation 2

6

2

2

2

6

2

2

2

2

2

2

2

0 ¼ b c2 y2 a12 þ b c2 x2 a8 þ b c2 d x2 a8 þ b c4 y2 a8 þ b c2 z2 a8 þ b c2 z2 a8 þ b c2 d z2 a8 þ b c2 d x4 a4 þ b c2 d z4 a4 2

2

2

2

2

2

2

6

2

2

2

2

6

þ b c4 x2 a4 þ b c6 y2 a4 þ b c4 z2 a4 þ b c4 d x4 þ b c4 d z4 þ b c6 x2 þ b c6 x2 þ b c6 d x2 þ b c8 y2 þ b c6 z2 2 6 2 2

þb c d z :

ð27Þ

Eliminating z2 from Eqs. (20) and (24) gives the equation 4

2

4

2

6

2 2

2

4

4

4

2

2

6

0 ¼ b ya12 þ d ya12 þ b za10 þ d za10 þ b x2 a8 þ b d x2 a8 þ cd xa8 þ b cxa8 þ b za6 þ b c2 za6 þ c2 d za6 þ b dza 4 3

3 2

4

2

4

4 4

4 2

4 2

2 2

2

6 4 2

2 4 2 2

4 3

þ b c xa4 þ c d xa4 þ b cxa4 þ b cdxa þ b c ya4 þ c d ya4 þ b c za2 þ b c dza þ b c x þ b c d x þ b c x 2

þ b c3 dx:

ð28Þ

4

Eliminating z from Eq. (27) and the equation that comes from squaring Eq. (20) gives the equation 6

2

2

10

6

2

6

2

2

10

6

6

2

0 ¼ b c2 y2 a12 þ b c2 d y2 a12 þ b c2 x2 a8 þ b c2 d x2 a8 þ b c4 y2 a8 þ b c4 d y2 a8 þ b c2 z2 a8 þ b c2 z2 a8 þ b c2 d z2 a8 2

2

6

2

2

6

2

2

6

2

2

10

6

þ b c2 d z2 a8 þ b c4 x2 a4 þ b c4 d x2 a4 þ b c6 y2 a4 þ b c6 d y2 a4 þ b c4 z2 a4 þ b c4 d z2 a4 þ b c6 x2 þ b c6 x2 6 6 2 2

2 6 2 2

6 8 2

2 8 2 2

10 6 2

6 6 2 2

þb c d x þb c d x þb c y þb c d y þb c z þb c d z :

ð29Þ

Eliminating z2 from Eqs. (20) and (29) gives the equation 8

4

2

10

6

6

2

2

2

10

6

6

2

0 ¼ b c2 y2 a12 þ b c2 d y2 a12 þ b c2 ya12 þ b c2 ya12 þ b c2 d ya12 þ b c2 d ya12 þ b c2 za10 þ b c2 za10 þ b c2 d za10 2 2 2

þ b c d za

10

10 4

8 2 2 8

4 2 2 2 8

8 4 2 8

4 4 2 2 8

10 3

6 3

6 3 2

2

6

2

2

8

4

2

8

2 3 2

þ b c x a þ b c d x a þ b c y a þ b c d y a þ b c xa þ b c xa þ b c d xa þ b c d xa8 6

8

6

2

8

2

10

þ b c ya8 þ b c4 d ya8 þ b c4 za6 þ b c4 d za6 þ b c6 y2 a4 þ b c6 d y2 a4 þ b c5 xa4 þ b c5 d xa4 þ b c6 ya4 6

6

6 7 2

10 8

2

2

2

10

6

2

8

4

2

8

4

2

10

þ b c6 ya4 þ b c6 d ya4 þ b c6 d ya4 þ b c6 za2 þ b c6 d za2 þ b c6 x2 þ b c6 d x2 þ b c8 y2 þ b c8 d y2 þ b c7 x 6 8 2

þ b c d x þ b c y þ b c d y:

ð30Þ

Eliminating z2 from Eq. (20) and the equation that comes from squaring Eq. (28) gives the following equation: 10

2 4

8

4

8

4

10

2 4

4

8

4

0 ¼ b y2 a24 þ b d y2 a24 þ b ya24 þ d ya24 þ b za22 þ d za22 þ b x2 a20 þ b d x2 a20 þ cd xa20 þ b cxa20 þ c2 d ya20 8

14

6 4

2

4

10

8

8

4

4 2

8

þ b c2 ya20 þ b x4 a16 þ b d x4 a16 þ b c2 d x2 a16 þ b c2 x2 a16 þ b ya16 þ b c4 ya16 þ c4 d ya16 þ b d ya16 þ b za14 8 4

þ b c za 4

2

14

6

2

14

8

12

þ c d za

12

þ b cd xa

4 4

þ b cxa 10

4 2

14

8 6

12

þ b d za

þ b c ya 2

10 2 12

þb x a 6 4

þ c d ya

12

4

8

10 4 2 12

þb c x a 8 2

þ b c ya

12

4

2 4 4 2 12

þb c d x a 4 2 2

þ b c d ya 2

12

6 2 2 12

þb d x a 10 6 2 8

8 5

12

þ b c xa

2 6 4 2 8

5 4

12

þ c d xa 10

þ b c x a þ b c d x a þ b c2 x2 a8

8

4

6 8 4 4

10 6 2

2

10

6

2

þ b c2 d x2 a8 þ b c8 y2 a8 þ b c8 d y2 a8 þ b c4 ya8 þ b c4 d ya8 þ b c4 za6 þ b c4 d za6 þ b c4 x2 a4 þ b c4 d x2 a4 8 5

4 5 2

8 6

4 6 2

14 8 4

6 6 2 2

þ b c xa4 þ b c d xa4 þ b c ya4 þ b c d ya4 þ b c x þ b c d x þ b c x þ b c d x :

ð31Þ

275

G. Sun, C. Wu / Information Sciences 179 (2009) 267–278

Because the following expressions are very lengthy, we only give main steps to calculate the number of the solutions of the equation, L1 ðxÞ ¼ 0. In fact, the following expressions can be veriﬁed by Mathematica 6.0 easily as what we did. Eliminating z from Eqs. (30) and (28) gives the equation E1 in x2 , y and y2 . Eliminating z from Eqs. (28) and (31) gives the equation E2 in x2 , x4 , y and y2 . Eliminating y2 from equation E1 and equation E2 gives the equation E3 in x2 , x4 and y. Eliminating y2 from equation E2 and the equation that comes from squaring equation E3 gives the equation E4 in x2 , x4 , x8 and y. Eliminating y from equation E3 and equation E4 gives the equation PðxÞ ¼ 0 in x2 , x4 and x8 . Let x2 be replaced by x in PðxÞ ¼ 0. Then PðxÞ ¼ 0 is an equation in x, x2 and x4 . Similar to Theorem 1, we consider two cases: when PðxÞ 0 and when PðxÞX0. When PðxÞ is not constant zero, the degree of PðxÞ must be either 4, or 2, or 1. This means that k 6 2, so we have

W Da f ðbÞ2 6 2nþ2 ; n

hence jW Da f ðbÞj 6 22þ1 . Therefore by Eq. (1) we have

nlðDa f Þ ¼ 2n1

n 1 max jW Da f ðbÞj P 2n1 22 : 2 b2F 2n m

2r

2

When PðxÞ equals constant zero, we have a ¼ a2 . In this case, Eq. (15) becomes y4 a4 þ y2 b þ y2 ber of the solutions is at most 22rþ1 ¼ 2mþ2 . Hence k 6 m þ 2 and we have

2rþ1

a4 þ y2 d ¼ 0 whose num-

W Da f ðbÞ2 6 2nþmþ2 ; nþm þ1 2

hence jW Da f ðbÞj 6 2

nlðDa f Þ ¼ 2n1

. Therefore by Eq. (1) we have

nþm 1 max jW Da f ðbÞj P 2n1 2 2 : 2 b2F 2n

and hence the conclusion of Lemma 3 follows. h mþ1 2

Theorem 2. Let f ðxÞ ¼ trðxd Þ, where d ¼ 2m þ 2

þ 1, n ¼ 2m and m is odd. Then we have

qﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃ 5m 3m 1 2 2 þ1 þ 23mþ1 22m 2 2 þ1 : nl2 ðf Þ P 22m1 2 Proof. By Lemmas 1 and 3, we have

nl2 ðf Þ P 2n1

1 2

qﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃ sﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃ ﬃ X nþm n 1 nlðDa f Þ P 2n1 22n 2 22n 2ð2m 1Þð2n1 2 2 Þ 2ð2n 2m Þð2n1 22 Þ 2 a2F n 2

qﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃ 5m 3m 2 2 þ1 þ 23mþ1 22m 2 2 þ1 :

1 ¼ 22m1 2

When n ¼ 6, the above lower bound gives nl2 ðf Þ P 17, while the exact value of the second order nonlinearity of f is 20. We have not been able to ﬁnd a case when the lower bound is the same as the exact number, so we can only claim that the lower bound in Theorem 2 is close. 3.3. When d ¼ 22r þ 2rþ1 þ 1 and n ¼ 4r Lemma 4. Any derivative, in a nonzero direction, of the function f ðxÞ ¼ trðxd Þ, has nonlinearity satisfying

( nlðDa f Þ P

24r1 22rþ1 ; if a R F 22r ; 24r1 23r ;

ifa 2 F 22r ;

where d ¼ 22r þ 2rþ1 þ 1 and n ¼ 4r. 2r

Proof. Since f ðxÞ ¼ trðx2

þ2rþ1 þ1

Þ, we have

Da f ðxÞ ¼ f ðx þ aÞ þ f ðxÞ ¼ trððx þ aÞ2 ¼ trððx ¼ trðx

22r þ2rþ1

22r þ2rþ1

22r

2rþ1

þx a

aþx

þx

22r þ1 2rþ1

a

2r

þ2rþ1 þ1

2rþ1 22r

2r

Þ þ trðx2 22r þ2rþ1

a

þa

22r

2rþ1 þ1

þx a

þx

þ2rþ1 þ1

Þ

Þðx þ aÞ þ x2

2rþ1 þ1 22r

a

þx

2r

þ2rþ1 þ1

2rþ1 22r þ1

a

Þ

þ xa2

2r

þ2rþ1

þ a2

2r

þ2rþ1 þ1

Þ:

276

G. Sun, C. Wu / Information Sciences 179 (2009) 267–278

Write gðxÞ ¼ Da f ðxÞ, then we have 2r

gðxÞ þ gðx þ yÞ ¼ trððx2 y2 þ y2

rþ1

þ1

22r

rþ1

rþ1

2r

2rþ1

rþ1

2r

rþ1

Þa2 þ y2 a2 aþy

¼ trðx ðy þ y2

2r

þ x2 y 2 þ y 2

þ1 22r

a

2r

a

rþ1

þ y2 a2

2r

þ ya2

þ1

23r1 2r1

þ2rþ1

2r

2r

2rþ1

þ ya

2r

þ ya2

þ1

2r

Þa þ ðx2 y þ xy2 þ y2 þ2rþ1

þ1

Þa2

rþ1

2r

þ y2 a2

rþ1

þ1

rþ1

rþ1

þ ðx2 y þ xy2

Þ

þ ya2

þ2rþ1

2r

3rþ1

r1

þ y2 a2

3r1

3rþ1

þ y2

aÞ þ ðy2

2r

þ2rþ1

a þ y2

2r

þ1 2rþ1

a

2r

þ y2 a2

rþ1

þ1

ÞÞ:

In order to compute the nonlinearity of function Da f , we ﬁrst calculate the Walsh coefﬁcients of the derivative of f. In fact, here we compute the square of the Walsh coefﬁcients of Da f .

X

W Da f ðbÞ2 ¼

x;z2F

2n

X

¼

X

ð1ÞgðxÞþgðzÞþtrððxþzÞbÞ ¼

ð1ÞgðxÞþgðxþyÞþtrðbyÞ ¼

x;y2F 2n

ð1ÞtrðL2 ðyÞ Þ

y2F 2n

X

ð1Þtrðx

22r L

X

ð1Þtrðx

22r L

1 ðyÞþL2 ðyÞÞ

x;y2F 2n

1 ðyÞÞ

;

x2F 2n

where

L1 ðyÞ ¼ y2

rþ1

a þ y2

22r þ2rþ1

L2 ðyÞ ¼ y

3r1

a2

r1

rþ1

þ ya2

22r þ1 2rþ1

aþy

a

þ ya2

22r

3rþ1

2rþ1 þ1

þy a

þ y2

r1

3r1

a2

2rþ1 þ1 22r

þy

a

þ y2

3rþ1

a;

2rþ1 22r þ1

þy

þ ya2

a

2r

þ2rþ1

þ by:

By the well known fact that

X

22r L

ð1Þtrðx

1 ðyÞÞ

¼

2n ; L1 ðyÞ ¼ 0; 0;

x2F 2n

else;

we have that

W Da f ðbÞ2 ¼ 2n

X ð1ÞtrðL2 ðyÞÞ ; y2M

where M ¼ fy 2 F 2n jL1 ðyÞ ¼ 0g: It is easy to verify that L2 ðyÞ is a linear function over the set M and M is a vector space over F 2 . Let the dimension of M be k, then we have

W Da f ðbÞ2 ¼ 2nþk

or 0:

Hence we only need to calculate the dimension of M, that is, we only need to calculate the number of the solutions of the linear equation over the F 2n , rþ1

3r1

L1 ðxÞ ¼ x2 a þ x2 2r

a2

r1

rþ1

2r

2r

Let us denote y ¼ x , z ¼ y , s ¼ z 4

4 2

4

3rþ1

þ xa2

þ xa2

r1

3r1

þ x2 a 2

þ x2

2r

2r

3rþ1

a ¼ 0:

ð32Þ

2r

and b ¼ a , c ¼ b , d ¼ c , then squaring Eq. (32) becomes the equation

2

y a þ sb þ ðb þ d Þx þ yd þ s4 a2 ¼ 0:

ð33Þ

r

Raising both sides of Eq. (33) to the 2 power gives the equation 2

2

z4 b þ xc þ ðc4 þ a4 Þy2 þ za þ x4 b ¼ 0:

ð34Þ

r

Raising both sides of Eq. (34) to the 2 power gives the equation 4

4

s4 c2 þ yd þ ðd þ b Þz2 þ sb þ y4 c2 ¼ 0:

ð35Þ

r

Raising both sides of Eq. (35) to the 2 power gives the equation 2

2

x4 d þ za þ ða4 þ c4 Þs2 þ xc þ z4 d ¼ 0:

ð36Þ

4

Eliminating s from Eqs. (33) and (35) gives the following equation: 4

4

4

4

c2 x2 b þ a2 z2 b þ a2 sb þ c2 sb þ c2 d x2 þ a2 d z2 þ a2 dy þ c2 dy ¼ 0:

ð37Þ

Squaring Eq. (37) gives the equation 8

8

2

2

8

8

2

2

c4 x4 b þ a4 z4 b þ a4 s2 b þ c4 s2 b þ c4 d x4 þ a4 d z4 þ a4 d y2 þ c4 d y2 ¼ 0:

ð38Þ

Eliminating s2 from Eqs. (36) and (38) gives the equation 8

8

2

2

8

8

2 2

8

8

2 2

0 ¼ b z4 a8 þ d z4 a8 þ d y2 a8 þ b za5 þ c4 d x4 a4 þ b c4 x4 a4 þ b d x4 a4 þ c4 d z4 a4 þ b c4 z4 a4 þ b d z4 a4 2

2

8

8

2

2

2

2

2

2

þ b cxa4 þ b c4 za þ b c8 x4 þ c8 d x4 þ b c4 d x4 þ b c4 d z4 þ c8 d y2 þ b c5 x:

ð39Þ

277

G. Sun, C. Wu / Information Sciences 179 (2009) 267–278

Squaring Eq. (36) gives the equation 4

4

s4 a8 þ z2 a2 þ d x8 þ d z8 þ c8 s4 þ c2 x2 ¼ 0:

ð40Þ

4

Eliminating s from Eqs. (35) and (40) gives the equation 4

4

8

8

4

4

4

4

0 ¼ y4 c10 þ b z2 c8 þ d z2 c8 þ bsc þ dyc þ x2 c4 þ d x8 c2 þ d z8 c2 þ a8 y4 c2 þ a2 z2 c2 þ a8 b z2 þ a8 d z2 þ a8 bs þ a8 dy:

ð41Þ

Eliminating s from Eqs. (37) and (41) gives the equation 4

4

5

4

5

4

2

4

4

4

0 ¼ by c12 þ a2 by c10 þ b x2 c10 þ bd x2 c10 þ b z2 c10 þ bd z2 c10 þ bx c6 þ bd x8 c4 þ bd z8 c4 þ a8 by c4 2

2

4

4

4

5

4

5

4

þ a2 bx c4 þ a2 bz c4 þ a2 bd x8 c2 þ a2 bd z8 c2 þ a10 by c2 þ a8 b x2 c2 þ a8 bd x2 c2 þ a8 b z2 c2 þ a8 bd z2 c2 2

þ a4 bz c2 :

ð42Þ

Eliminating z4 from Eqs. (34) and (39) gives the equation 8

8

8

8

10

2 8

8

8

2

4

8

4

8

0 ¼ b y2 a12 þ d y2 a12 þ b za9 þ d za9 þ b x4 a8 þ b d x4 a8 þ cd xa8 þ b cxa8 þ c4 d za5 þ b za5 þ b c4 za5 2 2

8

8

8

8

2

4

2

2

10

þ b d za5 þ b c8 y2 a4 þ c8 d y2 a4 þ c5 d xa4 þ b c5 xa4 þ b cd xa4 þ b cxa4 þ b c4 za þ b c4 d za þ b c8 x4 2

8

4

2

2

þ b c8 d x4 þ b c5 x þ b c5 d x:

ð43Þ

Because the following expressions are very lengthy, we only give main steps to calculate the number of the solutions of the equation, L1 ðxÞ ¼ 0. As in the case of Lemma 3, the following expressions have been veriﬁed using Mathematica 6.0. Eliminating z8 from Eq. (42) and the equation that comes from squaring Eq. (39) gives the equation E1 in x2 , x8 , y4 and z2 . Eliminating z4 from Eq. (39) and the equation that comes from raising the both sides of the Eq. (43) to the 4 power gives the equation E2 in x, x4 , x16 , y2 , y8 and z. Eliminating z2 from equation E1 and the equation that comes from squaring Eq. (43) gives the equation E3 in x2 , x8 and y4 . Eliminating z from equation E2 and Eq. (43) gives the equation E4 in x, x4 , x16 , y2 and y8 . Eliminating y8 from equation E4 and the equation that comes from squaring equation E3 gives the equation E5 in x, x4 , x16 and y2 . Eliminating y4 from Equation E3 and the equation coming from squaring equation E5 gives the equation PðxÞ ¼ 0 in x2 , x8 and x32 . Let x2 be replaced by x in PðxÞ ¼ 0, then PðxÞ is an equation in x, x4 and x16 . When PðxÞ is not equal to the constant zero, the degree of PðxÞ must be either 16, or 4, or 1. This means that k 6 4, so we have

W Da f ðbÞ2 6 2nþ4 ; n

hence jW Da f ðbÞj 6 22þ2 . Therefore by Eq. (1) we have

nlðDa f Þ ¼ 2n1

n 1 max jW Da f ðbÞj P 2n1 22þ1 : 2 b2F 2n

When PðxÞ equals to constant zero, we have b ¼ d, that is, a 2 F 22r . In this case, Eq. (33) becomes 2r 2rþ2 yd þ y4 a2 þ y2 b þ y2 a2 ¼ 0 whose number of the solutions is at most 22rþ2 . Hence k 6 2r þ 2 and we have

W Da f ðbÞ2 6 2nþ2rþ2 ; hence jW Da f ðbÞj 6 23rþ1 . By Eq. (1) we have

nlðDa f Þ ¼ 2n1

1 max jW Da f ðbÞj P 2n1 23r : 2 b2F 2n

Hence the conclusion of Lemma 4 follows. h Theorem 3. Let f ðxÞ ¼ trðxd Þ, where d ¼ 22r þ 2rþ1 þ 1 and n ¼ 4r. Then we have

nl2 ðf Þ P 24r1

1 2

qﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃ 25rþ1 þ 26rþ2 23rþ1 3 24r :

Proof. By Lemmas 1 and 4, we have

nl2 ðf Þ P 2n1

1 2

qﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃ sﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃ ﬃ X n 1 22n 2ð22r 1Þð2n1 23r Þ 2ð2n 22r Þð2n1 22þ1 Þ nlðDa f Þ P 2n1 22n 2 2 a2F n 2

¼2

4r1

1 2

qﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃﬃ 25rþ1 þ 26rþ2 23rþ1 3 24r :

278

G. Sun, C. Wu / Information Sciences 179 (2009) 267–278

Obviously, when n ¼ 4, the algebraic degree of the functions deﬁned in Theorem 3 is 2, so their second order nonlinearity is 0. In this case, our lower bound is also 0 and hence the lower bound is tight when n ¼ 4. 4. Concluding remarks In the paper, we deduced the lower bounds of the second order nonlinearity of three classes of Boolean functions by studying the lower bound of the nonlinearity of the derivative of the functions. The results show that second order nonlinearity of these three classes of Boolean functions is also high, given that their nonlinearity is known to be high as well. It is seen from the following table that our lower bounds are better than those of Iwata–Kurosawa. It is noted that, since the algebraic degree of our considered functions is 3, the algebraic immunity hence is at most 3. In this case, the lower bounds cannot be obtained by the relation between algebraic immunity and the rth order nonlinearity as studied in [6,4]. n

4

6

8

10

12

14

16

18

20

Iwata–Kurosawa’s bounds Bounds of Theorems 1, 2 Bound of Theorem 3

N/A 2 0

14 17 N/A

56 84 62

224 386 N/A

896 1689 1525

3584 7172 N/A

14,336 29,877 28,615

57,344 122,888 N/A

229,376 501,129 491,277

It is noted that our results come from heavy computation on individual cases. We attempted to simplify the process and it was difﬁcult. It leaves as an open problem as whether there is a general method to deduce the lower bounds of rth order nonlinearity of more classes of Boolean functions. Acknowledgment The authors would like to thank the anonymous referees for their valuable comments that improved the paper. References [1] L. Budaghyan, C. Carlet, G. Leander, A class of quadratic APN binomials inequivalent to power functions. Available at . [2] L. Budaghyan, C. Carlet, G. Leander, Another class of quadratic APN binomials over F 2n : the case n divisible by 4. Available at: . [3] A. Canteaut, M. Trabbia, Improved fast correlation attacks using parity-check equations of weight 4 and 5, in: Advances in Cryptology – Eurocrypt 2000, LNCS, vol. 1807, Springer-Verlag, 2000, pp. 573–588. [4] C. Carlet, On the higher order nonlinearities of algebraic immune functions, in: Advances in Cryptology – CRYPTO 2006, LNCS, vol. 4117, SpringerVerlag, 2006, pp. 584–601. [5] C. Carlet, Recursive lower bounds on the nonlinearity proﬁle of Boolean functions and their applications, IEEE Trans. Inform. Theory 54 (3) (2008) 1262–1272. [6] C. Carlet, D. Dalai, K. Gupta, S. Maitra, Algebraic immunity for cryptographically signiﬁcant Boolean functions: analysis and construction, IEEE Trans. Inform. Theory 52 (7) (2006) 3105–3121. [7] C. Carlet, S. Mesnager, Improving the upper bounds on the covering radii of binary Reed–Muller codes, IEEE Trans. Inform. Theory 53 (1) (2007) 162– 173. [8] F. Chabaud, S. Vaudenay, Links between differential and linear cryptanalysis, in: Advances in Cryptology – EUROCRYPT’94, LNCS, vol. 950, SpringerVerlag, 1995, pp. 356–365. [9] G. Cohen, I. Honkala, S. Litsyn, A. Lobstein, Covering Codes, North-Holland, Amsterdam, The Netherlands, 1977. [10] T.W. Cusick, H. Dobbertin, Some new three-valued crosscorrelation functions for binary m-sequences, IEEE Trans. Inform. Theory 42 (4) (1996) 1238– 1240. [11] C. Ding, G. Xiao, W. Shan, in: The Stability Theory of Stream Ciphers, LNCS, vol. 561, Springer-Verlag, 1991. [12] H. Dobbertin, Almost perfect nonlinear power functions on GFð2n Þ: a new case for n divisible by 5, in: Finite Fields and Applications (Augsburg, 1999), Springer-Verlag, Berlin, Germany, 2001, pp. 113–121. [13] H. Dobbertin, Uniformly representable permutation polynomials, in: T. Helleseth, P.V. Kumar, K. Yang (Eds.), The Proceedings of Sequences and Their Applications - SETA01, Springer, London, 2002, pp. 1–22. [14] H. Dobbertin, G. Leander, A. Canteaut, C. Carlet, P. Felke, P. Gaborit, Construction of bent functions via Niho power functions, J. Comb. Theory, Ser. A 113 (2006) 779–798. [15] I. Dumer, G. Kabatiansky, C. Tavernier, List decoding of Reed–Muller codes up to the Johnson bound with almost linear complexity, in: Proceedings of the IEEE International Symposium on Information Theory, Seattle, WA, July 2006, pp. 138–142. [16] R. Fourquet, C. Tavernier, List decoding of second order Reed–Muller and its covering radius implications, in: Proceedings of the WCC 2007, Versailles, France, April 2007, pp. 147–156. [17] T. Iwata, K. Kurosawa, Probabilistic higher order differential attack and higher order bent functions, in: Proceedings of the ASIACRYPT’99, LNCS, vol. 1716, Springer-Verlag, Berlin, Germany, 1999, pp. 62–74. [18] G. Kabatiansky, C. Tavernier, List decoding of second order Reed–Muller codes, in: Proceedings of the eighth International Symposium on Communication Theory and Applications, Ambelside, UK, July 2005. [19] G. Leander, Monomial bent functions, IEEE Trans. Inform. Theory 52 (2) (2006) 738–743. [20] R. Lidl, H. Niederreiter, Finite Fields, Addison-Wesley, 1983.

The lower bounds on the second order nonlinearity of three classes of Boolean functions with high nonlinearity

The lower bounds on the second order nonlinearity of three classes of Boolean functions with high nonlinearity

Recommend Documents