On the Confusion and Diffusion Properties of Maiorana–Mcfarland’S and Extended Maiorana–Mcfarland’S Functions

ARTICLE IN PRESS

Journal of Complexity 20 (2004) 182–204 http://www.elsevier.com/locate/jco

On the confusion and diffusion properties of Maiorana–McFarland’s and extended Maiorana–McFarland’s functions

Claude Carlet1 INRIA, Domaine de Voluceau, Rocquencourt, BP 105, 78153 Le Chesnay Cedex, France

Received 12 November 2002; accepted 12 August 2003

Abstract

A practical problem in symmetric cryptography is ﬁnding constructions of Boolean functions leading to reasonably large sets of functions satisfying some desired cryptographic criteria. The main known construction, called Maiorana–McFarland, has been recently extended. Some other constructions exist, but lead to smaller classes of functions. Here, we study more in detail the nonlinearities and the resiliencies of the functions produced by all these constructions. Further we see how to obtain functions satisfying the propagation criterion (among which bent functions) with these methods, and we give a new construction of bent functions based on the extended Maiorana–McFarland’s construction. r 2003 Elsevier Inc. All rights reserved.

Keywords: Cryptography; Stream ciphers; Boolean functions, Nonlinearity; Bent; Resilient

1. Introduction

Boolean functions play a central role in the security of stream ciphers and of block ciphers. The resistance of the cryptosystems to the known attacks can be quantiﬁed through some fundamental parameters of the Boolean functions used in them. This leads to criteria [28,33,42] these cryptographic functions must satisfy. n A Boolean function on n variables is an F2-valued function on F2 ; where n is a positive integer. In practical cryptography, n is often small. But even for small values of n; searching for good cryptographic functions by visiting a nonnegligible part of

E-mail address: [email protected]. 1 Also member of GREYC-Caen and of the University of Paris 8.

C. Carlet / Journal of Complexity 20 (2004) 182–204 183 all Boolean functions on n variables is computationally impossible since their n number 22 is too large if nX6 (for instance, for n ¼ 7; it would need billions of times the age of the universe on a work-station). Thus, we need constructions of Boolean functions satisfying all necessary cryptographic criteria. Before describing the known constructions, we recall what are these cryptographic criteria. The design of conventional cryptographic systems relies on two fundamental principles introduced by Shannon [41]: confusion and diffusion. Diffusion consists in spreading out the influence of a minor modification of the input data over all outputs. Confusion aims at concealing any algebraic structure in the system. It is closely related to the complexity of the involved Boolean functions (but the kind of complexity needed in cryptographic framework is different from what is relevant, for instance, to circuit theory). Two main complexity criteria exist for cryptographic Boolean functions: the algebraic degree and the nonlinearity. They quantify, from two different viewpoints, the difference between the considered Boolean functions and the affine functions (the sums of linear functions and constants—the simplest functions, from cryptographic viewpoint). Any Boolean function f on n variables admits a unique algebraic normal form (ANF): X Y f ðx1; y; xnÞ¼ aI xi; IDf1;y;ng iAI where the aI ’s are in F2 and where the additions are computed in F2 (i.e. modulo 2). We call the algebraic degree of f ; and we denote by df ; the degree of its algebraic normal form (the affine functions are those functions of algebraic degrees at most 1). All cryptographic functions must have high algebraic degrees (see [4,23,25,28,35]). The Hamming weight wHð f Þ of a Boolean function f on n variables is the size of A n its support fx F2 ; f ðxÞ¼1g: The Hamming distance dHð f ; gÞ between two Boolean functions f and g is the Hamming weight of their difference f þ g (this sum is computed modulo 2). The nonlinearity of f is its minimum distance to all affine functions. We denote by Nf the nonlinearity of f : All cryptographic functions must have high nonlinearities to resist the correlation and linear attacks [4,27]. A Boolean function f is called bent if its nonlinearity equals 2nÀ1 À 2n=2À1; which is the maximum possible value (obviously, n must be even). Then, its distance to every affine function equals 2nÀ172n=2À1: This property can also be stated in terms of the discrete Fourier (or Hadamard) transform of f defined on F n as fˆðuÞ¼ P 2 P xÁu n A n f ðxÞðÀ1Þ (where x Á u denotes the usual inner product x Á u ¼ xiui x F2 i¼1 and where the sum is computed in Z, that is, not mod 2). But it is more easily stated f in terms of the Walsh transform of ; thatP is, the Fourier transform of the ‘‘sign’’ f ðxÞ b f ðxÞþxÁu function wf ðxÞ¼ðÀ1Þ ; equal to wf ðuÞ¼ A n ðÀ1Þ : f is bent if and only x F2 b n=2 if wf ðuÞ has constant magnitude 2 (see [26,34]). Indeed, the Hamming distances between any Boolean function f and the affine functions u Á x and u Á x þ 1 are equal nÀ1 1 b nÀ1 1 b to 2 À 2wf ðuÞ and 2 þ 2wf ðuÞ: And we have: nÀ1 1 Nf ¼ 2 À max jwb ðuÞj: ð1Þ 2 A n f u F2 ARTICLE IN PRESS

184 C. Carlet / Journal of Complexity 20 (2004) 182–204

Bent functions have algebraic degrees upper bounded by n=2: They are characterized by the fact that their derivatives Da f ðxÞ¼f ðxÞþf ðx þ aÞ; aa0; are all balanced, i.e. have weight 2nÀ1: Hence, they provide the highest possible level of diffusion. But cryptographic functions themselves must be balanced, so that the systems using them resist statistical attacks [35]. Bent functions are not balanced. The propagation criterion PC, introduced by Bart Preneel [33] and related to the property of diffusion of the cryptosystems using Boolean functions, leads to a hierarchy on Boolean functions whose highest (i.e. nth) level is made of all bent functions, and whose lth levels (lpn À 3ifn is even, lpn À 1ifn is odd) contain balanced functions. The Boolean function f on n variables satisﬁes PCðlÞ (the propagation criterion of degree A n l) if the derivative Da f is balanced for every nonzero a F2 of weight smaller than or equal to l (the weight of a binary word is the number of its nonzero components). To allow diffusion, Boolean functions used in some stream ciphers and in block ciphers must satisfy PCðlÞ with l as large as possible [32,33]. The only known upper bound on the algebraic degrees of general PCðlÞ functions is n À 1: The last (but not least) diffusion criterion considered in this paper is resiliency. It plays a central role in stream ciphers: in the standard model of these ciphers (see [42]), the outputs to n linear feedback shift registers are the inputs of a Boolean function, called combining function. The output to the function produces the keystream, which is then bitwisely xored with the message to produce the cipher. Some divide-and-conquer attacks exist on this method of encryption (see [4,21,22,43]). To resist these attacks, the system must use a combining function whose output distribution probability is unaltered when any m of the inputs are kept constant [43], with m as large as possible. This property, called mth order correlation- immunity [42], is characterized by the set of zero values in the Walsh spectrum [46]: f b ˆ A n is mth order correlation-immune if and only if wf ðuÞ¼0; i.e. fðuÞ¼0; for all u F2 such that 1pwHðuÞpm; where wHðuÞ denotes the Hamming weight of the n-bit vector u: Balanced mth order correlation-immune functions are called m-resilient # A n functions. They are characterized by the fact that wf ðuÞ¼0 for all u F2 such that 0pwHðuÞpm: Siegenthaler’s inequality [42] states that any mth order correlation immune function on n variables has algebraic degree at most n À m; that any m-resilient function (0pmon À 1) has algebraic degree smaller than or equal to n À m À 1 and that any ðn À 1Þ-resilient function has algebraic degree 1. Sarkar and Maitra [37] have shown that the nonlinearity of any m-resilient function (mpn À 2) is divisible by 2mþ1 and is therefore upper bounded by 2nÀ1 À 2mþ1 (see also [44,48]). If a function achieves this bound, then it also achieves Siegenthaler’s bound [44]. More precisely, if f is ÄÅm-resilient and has algebraic degree d; then its nonlinearity is nÀmÀ2 divisible by 2mþ1þ d (see [8,13]) and can therefore be equal to 2nÀ1 À 2mþ1 only if d ¼ n À m À 1: Moreover, if an m-resilient function achieves nonlinearity 2nÀ1 À 2mþ1; then the Walsh spectrum of the function has then three values (such functions are called ‘‘three-valued’’; see [2], or ‘‘plateaued’’, see [47]), these values are 0 and 72mþ2: Indeed, the distances between the function and afﬁne functions being between 2nÀ1 À 2mþ1 and 2nÀ1 þ 2mþ1 they must be equal to 2nÀ1 À 2mþ1; 2nÀ1 and ARTICLE IN PRESS

C. Carlet / Journal of Complexity 20 (2004) 182–204 185

2nÀ1 þ 2mþ1 because of the divisibility result of Sarkar and Maitra. We shall say that an m-resilient function achieves the best possible nonlinearity if its nonlinearity equals 2nÀ1 À 2mþ1: If 2nÀ1 À 2mþ1 is greater than the best possible nonlinearity of all balanced functions (and in particular if it is greater than the best possible nonlinearity of all Boolean functions) then, obviously, this bound can be improved. In the case n is even, the best possible nonlinearity of all Boolean functions being equal to 2nÀ1 À 2n=2À1 and the best possible nonlinearity of all balanced functions being nÀ1 n=2À1 nÀ1 n=2À1 mþ1 smaller than 2 À 2 ; Sarkar and Maitra deduce that Nf p2 À 2 À 2 for every m-resilient function f with mpn=2 À 2: In the case n is odd, they state that mþ1 Nf is smaller than or equal to the highest multiple of 2 which is less than or equal to the best possible nonlinearity of all Boolean functions (which is strictly smaller than 2nÀ1 À 2n=2À1 for every n; it is equal to 2nÀ1 À 2ðnÀ1Þ=2 if np7 and strictly greater if nX15; see [29]). These upper bounds have been improved successively in [8,13]. A n A vector a F2 is called a linear structure for an n-variable function f if the derivative Da f ðxÞ¼f ðxÞþf ðx þ aÞ is constant. Nonlinear cryptographic functions used in block ciphers should have no nonzero linear structure (see [20]). The existence of nonzero linear structures for the functions implemented in stream ciphers could not be used in attacks, yet; but the existence of nonzero linear structures for such functions is a potential risk. High-order resilient functions (resp. high degree PC functions) with high algebraic degrees and high nonlinearities are needed for applications, but designing constructions of Boolean functions meeting these cryptographic criteria is still a crucial challenge nowadays in symmetric cryptography. We observe some imbalance in the knowledge on cryptographic functions. Examples of m-resilient functions achieving the best possible nonlinearities (and thus the best algebraic degrees) have been obtained for small values of n and for every mX0:6n (n being then not limited) [31,36,37,45]. But these examples give very limited numbers of functions (they are often defined recursively or obtained after a computer search) and these functions often have cryptographic weaknesses such as linear structures. Designing constructions leading to large numbers of functions permits to choose, in applications, cryptographic functions satisfying specific constraints. The trivial methods, like variable permutation, of obtaining several Boolean functions from one function f ; apart from the fact that they do not increase sufficiently their numbers, do not permit to achieve such specific constraints if f does not. Constructing large numbers of cryptographic functions makes also more efficient those cryptosystems in which these functions themselves are parts of the secret keys. Obviously, the known ‘‘good’’ Boolean functions on n variables will always be an insignificant proportion of the total number of functions; but the number of n-variable Boolean functions being huge, the number of good functions can however become sufficiently large for including these functions into the keys. The present paper is a contribution to this aim (as well as [12], which has been written later). It has some intersection with [9], but goes further in this direction. ARTICLE IN PRESS

186 C. Carlet / Journal of Complexity 20 (2004) 182–204

2. Remark on the upper bound on the nonlinearities of resilient functions

As noted in [9,14], for mpn=2 À 2; except for small values of n; an upper bound on the nonlinearity of m-resilient functions can be given, which is potentially better than the bounds recalled in the introduction (whatever is the evenness of n). Let us see b more precisely how. Sarkar–Maitra’s divisibility bound shows that wf ðaÞ¼jðaÞÁ 2mþ2 where jðaÞ is integer-valued. But Parseval’s relation X b 2 2n wf ðaÞ¼2 A n a F2

b and the fact that wf ðaÞ is null for every word a of weight pm implies X j2ðaÞ¼22nÀ2mÀ4

a; wHðaÞ4m and thus sffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi 22nÀ2mÀ4 2nÀmÀ2 X P ÀÁ qffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi max jjðaÞj m n ¼ P ÀÁ: aAF n n m n 2 2 À i¼0 i n 2 À i¼0 i &’

2nÀmÀ2 n X pffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiP J n Thus we have maxaAF jjðaÞj m n (where u denotes the smallest 2 2nÀ i¼0ðÞi integer greater than or equal to u) and this implies: 2 3 6 2nÀmÀ2 7 nÀ1 mþ16qffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi7 Nf p2 À 2 6 P ÀÁ7: ð2Þ 6 n m n 7 2 À i¼0 i

When n is even, this number is always less than or equal to 2nÀ1 À 2n=2À1 À 2mþ1 pffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi2nÀPmÀ2 (given by Sarkar and Maitra [37]) because m n being strictly greater than 2nÀ i¼0ðÞi 2n=2ÀmÀ2 and 2n=2ÀmÀ2 being an integer, since mpn=2 À 2; the number Jpffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi2nÀPmÀ2 n n=2ÀmÀ2 m n is at least 2 þ 1: And when n increases, the bound above is 2nÀ i¼0ðÞi smaller than 2nÀ1 À 2n=2À1 À 2mþ1 for an increasing number of values of mpn=2 À 2 (but this improvement does not appear when we compare the values we obtain with this bound to the values indicated in the table they give in [37], because the values of n considered in this table are small). When n is odd, it is difficult to say if inequality (2) is better than the bound given by Sarkar and Maitra, because their bound involves a value which is unknown for nX9 (the best possible nonlinearity of all Boolean functions). In any case, this makes (2) better usable than their bound. ARTICLE IN PRESS

C. Carlet / Journal of Complexity 20 (2004) 182–204 187 P ÀÁ m n ffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi2nH2ðm=nÞ We know (see [26, p. 310]) that i 0 Xp ; where H2ðxÞ is the so-called ¼ i 8mð1Àn=mÞ ÀÁ 1 binary entropy function Àx log2ðxÞÀð1 À xÞ log2ð1 À xÞ and satisfies H2 2 À x ¼ 1 À 2x2 log e þ oðx2Þ: Thus we have 2 2 3

6 nÀmÀ2 7 nÀ1 mþ16 2 7 Nf p2 À 2 6rffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi7: ð3Þ 6 nH2ðm=nÞ 7 6 2n À pffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi2 7 8mð1Àm=nÞ

3. Maiorana–McFarland’s, Dillon’s and Dobbertin’s constructions and their properties

Some constructions of cryptographic functions deﬁne them without needing previously deﬁned cryptographic functions in smaller numbers of variables. These primary constructions lead in practice to wider classes of functions than secondary (i.e. recursive) constructions (recall that the number of Boolean functions in n À 1 variables is only equal to the square root of the number of Boolean functions in n variables). Unfortunately, the known primary constructions of Boolean functions themselves (see [6]) do not lead to very large classes of functions. In fact, only one reasonably large class of Boolean functions is known, whose elements can be analyzed with respect to the cryptographic criteria recalled above.

3.1. Maiorana–McFarland’s construction

3.1.1. The original Maiorana–McFarland’s class It is the set (see [18]) of all the (bent) Boolean functions on the vectorspace n n A 2 F2 ¼fðx; yÞ; x; y F2 g (n even) of the form Xn=2 f ðx; yÞ¼x Á pðyÞþgðyÞ¼ xipiðyÞþgðyÞ; ð4Þ i¼1 n 2 where p is any permutation on F2 ; where p1; y; pn=2 are its coordinate functions, n 2 and where g is any Boolean function on F2 : Notice that f ; considered as a binary vector of length 2n (through its truth-table), can be viewed as the concatenation of n=2 affine functions on F2 : Indeed, if for instance we arrange all binary words of length n in reverse lexicographic order, then the truth-table of f is the concatenation of the n=2 restrictions of f obtained by fixing the value of y and letting x freely range over F2 : These restrictions are affine. It is a simple matter to see that the bijectivity of p is a necessary and sufficient condition for the bentness of f (see relation (6) below). But the generalized version of this construction below will permit us to obtain other bent functions in a similar framework. ARTICLE IN PRESS

188 C. Carlet / Journal of Complexity 20 (2004) 182–204

3.1.2. The (general) Maiorana–McFarland’s class It has been introduced in [1], based on the same principle of concatenating affine functions: let r be an integer such that nXr; denote n À r by s; let g be any Boolean s s r function on F2 and f any mapping from F2 to F2: Then we define the function: Xr A r A s ff;gðx; yÞ¼x Á fðyÞþgðyÞ¼ xifiðyÞþgðyÞ; x F2; y F2; ð5Þ i¼1 where fiðyÞ is the ith coordinate of fðyÞ: This extension has been introduced to produce resilient functions (see below). But we first recall that it can be used to produce functions satisfying the propagation criterion. Propagation criterion: The derivative Dða;bÞðx; yÞ of a function of the form (5) being equal to x Á DbfðyÞþa Á fðy þ bÞþDbgðyÞ; the function satisfies PCðlÞ under the sufficient condition that: A s 1. for every nonzero b F2 of weight smaller than or equal to l and every vector A s À1 A r y F2; the vector DbfðyÞ is nonzero, or equivalently every set f ðuÞ; u F2 either is empty or is a singleton or has minimum distance strictly greater than l; 2. every linear combination of at most l coordinate functions of f is balanced. See [7,24] for descriptions of PC functions using Maiorana–MacFarland’s construction. Bentness: The sufficient conditions above do not permit to obtain new bent functions, since they lead, when l ¼ n; to the functions of the original class of Maiorana–McFarland. Indeed, f has then to be injective, because of condition 1, and uniformly distributed, because of condition 2. But bent functions can be obtained in a more general framework. Astonishingly enough, this observation has never been made before.

s r Proposition 1. Let n ¼ r þ s ðrpsÞ be even. Let f be any mapping from F2 to F2 such A r À1 s that, for every a F2; the set f ðaÞ is an ðn À 2rÞ-dimensional afﬁne subspace of F2: s À1 Let g be any Boolean function on F2 whose restriction to f ðaÞ (viewed as a Boolean nÀ2r À1 function on F2 via an afﬁne isomorphism between f ðaÞ and this vector-space) is A r n bent for every a F2: Then ff;g is bent on F2 :

A r A s Proof. For every Maiorana–McFarland’s function ff;g; every a F2 and every b F2; we have X d r gðyÞþbÁy wff;g ða; bÞ¼2 ðÀ1Þ ; ð6Þ yAfÀ1ðaÞ since every (afﬁne) function x/ff;gðx; yÞþa Á x þ b Á y either is constant (if y a y aa fPð Þ¼ ) or is balanced (if fð Þ ) and contributes then for 0 in the sum ff;gðx;yÞþxÁaþyÁb xAF r;yAF s ðÀ1Þ : Thus ff;g is bent if and only if rpn=2 and P 2 2 gðyÞþbÁy 7 n=2Àr A r A s yAfÀ1ðaÞ ðÀ1Þ ¼ 2 for every a F2 and every b F2: The hypothesis on f and g is a sufﬁcient condition for that. & ARTICLE IN PRESS

C. Carlet / Journal of Complexity 20 (2004) 182–204 189

Notice that this construction is easy to use for generating potentially new bent s functions: the choice of any partition of F2 in ðn À 2rÞ-dimensional flats and of a bent function on each of these flats leads to a bent function. Further (possibly difficult) work has still to be done for proving that some functions constructed this way lie outside all known classes of bent functions. Resiliency: We recall now how Maiorana–McFarland’s construction can be used s to design resilient functions: if every element in fðF2Þ has Hamming weight strictly s greater than k; then ff;g is m-resilient with mXk (in particular, if fðF2Þ does not contain the null vector, then ff;g is balanced). This is a direct consequence of relation (6). Algebraic degree and nonlinearity: The algebraic degree of ff;g is s þ 1 ¼ n À r þ 1 if and only if f has algebraic degree s (i.e. if at least one of its coordinate functions A s has algebraic degree s), which is possible only if k ¼ minfwHðfðyÞÞ; y F2gÀ1 satisfies kpr À 2; since if k ¼ r À 1 then f is constant. Otherwise, the algebraic degree of ff;g is at most s: Thus, if the resilency order m equals k; then the algebraic degree of ff;g reaches Siegenthaler’s bound n À m À 1 if and only if either m ¼ r À 2 and f has algebraic degree s ¼ n À m À 2orm ¼ r À 1 and g has algebraic degree s ¼ n À m À 1: There are cases where m4k (see below) and ways of increasing the degree by modifying the construction (see [36]). Relations (1) and (6) lead straightforwardly to a general lower bound on the nonlinearity of Maiorana–McFarland’s functions (first observed in [39]):

nÀ1 rÀ1 À1 Nf X2 À 2 max jf ðaÞj ð7Þ f;g A r a F2

(where jfÀ1ðaÞj denotes the size of the pre-image fÀ1ðaÞ). This bound is tight if À1 A r f ðaÞ has size at most 2, for every a F2: When f does not have this property, the bound is weak (see [36] for some improvement). A recent upper bound $%qffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi nÀ1 rÀ1 À1 N 2 À 2 max A r jf ðaÞj ð8Þ ff;g p a F2 obtained in [9] (and generalized in the present paper, see Theorem 2) strengthens the nÀ1 rÀ1 bound Nff;g p2 À 2 previously obtained in [15,16]. It has led to a characterization of the parameters for which Maiorana–McFarland’s functions ff;g such that nÀ1 kþ1 wHðfðyÞÞ4k for every y and achieving best possible nonlinearity 2 À 2 can exist. nÀ1 qffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi2rþs=2À1 The inequality Nf p2 À P implied by relation (8) implies in its turn f;g r r i¼kþ1ðÞi either that r ¼ k þ 1orr ¼ k þ 2: If r ¼ k þ 1 then f is the constant ð1; y; 1Þ and npk þ 3: Either s ¼ 1andgðyÞ is then any function in one variable or s ¼ 2andg is then any function of the form y1y2 þ lðyÞ where l is affine (thus, f is quadratic). If r ¼ k þ 2; then f is injective, npk þ 2 þ log2ðk þ 3Þ; g is any function in n À k À 2 variables and d ff;gp1 þ log2ðk þ 3Þ: ARTICLE IN PRESS

190 C. Carlet / Journal of Complexity 20 (2004) 182–204

A simple example of k-resilient Maiorana–McFarland’s functions such that nÀ1 kþ1 Nff;g ¼ 2 À 2 (and thus achieving Sarkar et al.’s bound) can be given (see [9]) for any rX2s À 1 and for k ¼ r À 2: In [9] is also shown that for every even np10; Sarkar et al.’s bound with m ¼ n=2 À 2 can be achieved by Maiorana–McFarland’s functions. And an example of functions with high nonlinearities but not achieving Sarkar et al.’s bound is given: nÀ1 for every n 1 mod 4; there exist Maiorana–McFarland’s 4 -resilient functions on nÀ1 n nÀ1 2 F2 with nonlinearity equal to 2 À 2 : s Improved resiliency orders: The fact that every element in fðF2Þ has Hamming weight greater than k does not mean that ff;g is only k-resilient. We recall in the next proposition, given in [9] without any proof, two cases where it can be more than k- resilient and we give a proof of this proposition. The ﬁrst case has also been studied by Cusick in [17], but in a more complex way and without looking for the best possible nonlinearity.

Proposition 2. Let ff;g be defined by (5). s 1. Assume that every element in fðF2Þ has Hamming weight strictly greater than k r À1 and that, for every aAF2 of weight k þ 1; either the set f ðaÞ is empty or it has an even size and the restriction of g to this set is balanced. Then ff;g is m-resilient with nÀ1 mXk þ 1: Under this hypothesis, if ff;g achieves the best possible nonlinearity 2 À 2kþ2; then rpk þ 2: If r ¼ k þ 1 then f is the constant ð1; y; 1Þ (and g is balanced ); either s ¼ 2 and g and f are affine or s ¼ 3 and g has nonlinearity 2. If r ¼ k þ 2 then npk þ 4 þ log2ðk þ 3Þ and d f p2 þ log2ðk þ 3Þ: 2. Assume in addition that: A r A a. for every a F2 of weight k þ 1 and every i f1; y; sg; denoting by Hi the linear s À1 hyperplane of equation yi ¼ 0 in F2; either the set f ðaÞ-Hi is empty or it has an even size and the restriction of g to this set is balanced; A r À1 b. for every a F2 of weight k þ 2; either the set f ðaÞ is empty or it has an even size and the restriction of g to this set is balanced. Then ff;g is m-resilient with mXk þ 2: Under this hypothesis, if ff;g achieves the best possible nonlinearity 2nÀ1 À 2kþ3; then rpk þ 3: If r ¼ k þ 1; then 3psp5 and f takes constant value ð1; y; 1Þ: If s ¼ 3 then g and f are affine. If s ¼ 4; then g has nonlinearity 4. If s ¼ 5 then g has nonlinearity 12. If r ¼ k þ 2 then npk þ 6 þ log2ðÀÁk þ 3Þ and d f p3 þ log2ðk þ 3Þ:ÀÁ kþ3 kþ3 If r ¼ k þ 3 then npk þ 5 þ log2ð 2 þ k þ 4Þ and d f p2 þ log2ð 2 þ k þ 4Þ:

A r A s d Proof. 1. For every a F2 of weight at most k and every b F2; we have wff;g ða; bÞ¼ s 0; according to relation (6) and since every element in fðF2Þ has Hamming weight greater than k: The only ordered pairs ða; bÞ we still have to consider, for proving that f is ðk þ 1Þ-resilient, are those such that a has weight k þ 1andb is null. For f;g P r gðyÞ À1 such pairs, we have wd a; b 2 À1 1 : Since either the set f a is ff;g ð Þ¼ yAf ðaÞðÀ Þ ð Þ ARTICLE IN PRESS

C. Carlet / Journal of Complexity 20 (2004) 182–204 191 empty or the restriction of g to fÀ1ðaÞ takes the same number of times the values 0 and 1 (this is possible thanks to the fact that fÀ1ðaÞ has an even size), this sum is null. Thus ff;g is m-resilient with mXk þ 1: If N ¼ 2nÀ1 À 2kþ2; then according to inequality (8), we must have qffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiff;g À1 kÀrþ3 À1 max A r jf ðaÞj 2 ; and thus r k þ 2 since max A r jf ðaÞj is greater than a F2 p p a F2 or equal to 2: À1 s If r ¼ k þ 1; then f takes constant value ð1; y; 1Þ; hence f ð1; y; 1Þ¼F2; nÀ1 kþ2 sp2ðk À r þ 3Þ¼4: Equality Nf ¼ 2 À 2 and relations (1) and (6) imply P f;g gðyÞþbÁy maxbAF s A s ðÀ1Þ ¼ 4: Thus sX2: If s ¼ 2 then g and f are affine. If s ¼ 3; 2 y F2 then g has nonlinearity 2. The case s ¼ 4 is impossible since g; being balanced, cannot be bent. À1 s If r ¼ k þ 2 then max A r jf ðaÞj 4 and therefore 2 is smaller than or equal to 4 a F2 p times the number r þ 1 of all words of weights at least k þ 1 ¼ r À 1; i.e. sp2 þ log2ðr þ 1Þ and thus npk þ 4 þ log2ðk þ 3Þ which implies d f p2 þ log2ðk þ 3Þ because of Siegenthaler’s inequality. 2. To prove that ff;g is m-resilient with mXk þ 2 under the additional hypothesis, the ordered pairs ða; bÞ we still have to consider are those such that a has weight k þ 1 and b has weight 1, and those such that a has weight k b þ 2and isP null. According to relationP (6), the conditionsP a and b are clearly gðyÞþyi gðyÞ gðyÞ sufficient, since A À1 ðÀ1Þ ¼ 2 A À1 ðÀ1Þ À A À1 ðÀ1Þ ¼ P y f ðaÞ y f ðaÞ-Hi y f ðaÞ gðyÞ 2 À1 ðÀ1Þ : yAf ðaÞ-Hi If N ¼ 2nÀ1 À 2kþ3; then according to inequality (8), we must have qffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiff;g À1 kÀrþ4 À1 max A r jf ðaÞj 2 ; and thus r k þ 3 since max A r jf ðaÞjX2: a F2 p p a F2 If r ¼ k þ 1; then f takes constant value ð1; y; 1Þ; hence fÀ1ð1; y; 1Þ¼F s; P 2 gðyÞþbÁy sp2ðk À r þ 4Þ¼6 and maxbAF s A s ðÀ1Þ ¼ 8: Thus sX3: If s ¼ 3 then g 2 y F2 and f are affine. If s ¼ 4; then g has nonlinearity 4. If s ¼ 5 then g has nonlinearity 12. The case s ¼ 6 is impossible since g; being balanced, cannot be bent. À1 s If r ¼ k þ 2 then max A r jf ðaÞj 16 and therefore 2 is smaller than or equal to a F2 p 16 times the number r þ 1 of all words of weights at least r À 1; i.e. sp4 þ log2ðr þ 1Þ and thus npk þ 6 þ log2ðk þ 3Þ which implies d f p3 þ log2ðk þ 3Þ because of Siegenthaler’s inequality. À1 s If r ¼ k þ 3 then maxaAF r jf ðaÞjp4 and therefore 2 is smaller than or equal to 4 ÀÁ2 times the number r r 1 of all words of weights at least r 2; i.e. s 2 ÀÁ rÀ2 þ þ ÀÁ À p þ log r r 1 and thus n k 5 log kþ3 k 4 which implies df 2 2ðÀÁ2 þ þ Þ p þ þ 2ð 2 þ þ Þ p þ kþ3 & log2ð 2 þ k þ 4Þ because of Siegenthaler’s inequality.

A r Remark. More generally, assume that for every vector a F2 whose Hamming weight wHðaÞ is smaller than or equal to some integer l; either the set Ea is empty or ARTICLE IN PRESS

192 C. Carlet / Journal of Complexity 20 (2004) 182–204

A s for every b F2 of weight at most l À wHðaÞ; the restriction of gðyÞþy Á b to Ea is balanced, then, ff;g is l-resilient.

In [9] is given a way of obtaining Maiorana–McFarland’s functions satisfying the hypothesis of Proposition 2 and having high nonlinearities. But the results of Proposition 2 show that except in extreme cases, Maiorana– McFarland’s functions cannot reach Sarkar–Maitra’s bound. This is not astonish- ing, because Maiorana–McFarland’s construction is general whereas the functions achieving Sarkar–Maitra’s bound are often peculiar. A different way of modifying Maiorana-McFarland’s construction has been introduced in [30].

3.2. Dillon’s construction

n 2 In [18] is introduced by J. Dillon the class of bent functions called PSap: F2 is identified to the Galois field F n ; PSap is the set of all the functions of the form 22 n 2 22À x x f ðx; yÞ¼gðxy Þ (i.e. gðyÞ with y ¼ 0ifx ¼ 0ory ¼ 0) where g is a balanced Boolean function on F n (Dillon also assumes that gð0Þ¼0 but it is not necessary). 22 The idea of this construction is used in [16] to obtain a construction of resilient functions: let k and r be non-negative integers and nXr; denote n À r by s; the vector r space F2 is identified to the Galois field F2r : Let g be any Boolean function on F2r and s s r A r A f an F2-linear mapping from F2 to F2 ; set a F2 and b F2 such that, for every y in s Ã F2 and every z in F2r ; a þ fðyÞ is nonzero and f ðzÞþb has weight greater than k; where fÃ is the adjoint of f: Then the function x s f ðx; yÞ¼g þ b Á y; where xAF r ; yAF ð9Þ a þ fðyÞ 2 2 is m-resilient with mXk: The algebraic degree of f is difficult to study but can be optimal. Similar bounds on the nonlinearities of these functions can be proved as for Maiorana–McFarland’s functions: qffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi nÀ1 sÀ1 À1 nÀ1 sÀ1 ÃÀ1 2 À 2 max jf ðbÞjpNf p2 À 2 maxaAF s jf ðaÞj: A s 2 b F2 Indeed, we have, for every aa0andb (see [6]) X b s trðauzÞþgðzÞ wf ða; bÞ¼2 ðÀ1Þ : À1 fÃ ðbþvÞ A z a The same computations as in the proof of Proposition 2 give the desired inequalities. It then follows similar observations as for Maiorana–McFarland’s construction (with the restriction that fÃ is linear) on the ability of the functions of the form (5) to have nonlinearities near Sarkar–Maitra’s bound. But this class has few elements (since f is linear). ARTICLE IN PRESS

C. Carlet / Journal of Complexity 20 (2004) 182–204 193

3.3. Dobbertin’s construction

In [19], Hans Dobbertin studies an interesting method for modifying bent functions into balanced functions with high nonlinearities (see also [40]). He observes n that all known bent functions on F2 (n even) are affinely equivalent to functions A n=2 A n=2 n=2 f ðx; yÞ; x F2 ; y F2 such that f ðx; 0Þ is constant on F2 (recall that two n functions f and g on F2 are called affinely equivalent if there exists a linear n n isomorphism L from F2 to F2 and a vector a such that f ðxÞ¼gðLðxÞþaÞ for every A n input x F2 ; the functions have then the same algebraic degree and the same nonlinearity, but they may have different orders of resiliency and different degrees of propagation criterion). He calls normal the functions which, up to affine equivalence, n=2 are constant on the set F2 Âf0g: A nonnormal bent function has been found only recently (see [3]). n=2 Let f be null (for instance) on F2 Âf0g and let g be any balanced function on n=2 F2 ; then the function hðx; yÞ¼f ðx; yÞþd0ðyÞgðxÞ; where d0 is the Dirac symbol (d0ðyÞ¼1 if and only if y ¼ 0) is balanced. Moreover: b b b b whða; bÞ¼0ifa ¼ 0 and whða; bÞ¼wf ða; bÞþwgðaÞ otherwise: ð10Þ If n0p13 is odd and n ¼ 2kn0; then the best known (but perhaps not the best possible) nonlinearity that can be obtained by using Dobbertin’s method is 2nÀ1 À 2n=2À1 À k 2n=4À1 À ? À 2n=2 À1 À 2ðn0À1Þ=2: Indeed, for every odd n0; there exists a balanced n0 n0À1 ðn0À1Þ=2 (quadratic) function on F2 with nonlinearity 2 À 2 and no balanced function with better nonlinearity is known, since n0p13: Unfortunately, we have the following:

Proposition 3. Dobbertin’s construction cannot produce m-resilient functions with m40; and it cannot produce functions satisfying PCðlÞ with lXn=2:

Proof. The function h above cannot be m-resilient with m40 according to relation b 7 n=2 (10), since wgðaÞ should equal 2 for every word a of weight 1, and g being a n=2 b function defined on F2 ; there cannot exist two different values of a such that wgðaÞ equals 72n=2: The function h cannot satisfy PCðlÞ with lXn=2 either since it is shown in [7] that a n function h on F2 satisfies PCðlÞ if and only if for every vector u of weight at least n l and every vector v: À X b 2 nþwHðuÞ wh ðw þ vÞ¼2 ; ð11Þ w% u where w%u means that the support of vector u includes the support of vector w: This condition cannot be satisfied here if lXn=2: if u is for instance the vector with the first n=2 coordinates equal to 0 and with the last n=2 coordinates equal to 1, and if b 2 v ¼ 0; we have wh ðwÞ¼0 for every w%u; according to relation (10), and relation (11) cannot be satisfied. & ARTICLE IN PRESS

194 C. Carlet / Journal of Complexity 20 (2004) 182–204

3.4. Remark on the numbers of constructed functions

The class of bent functions produced by the original Maiorana–McFarland’s construction (resp. the class of balanced or resilient functions produced by the Maiorana–McFarland’s construction) is far the widest class, compared to the classes obtained with the other usual constructions. The number of bent functions of 2n=2 pffiffiffiffiffiffiffiffi n=2 2n=2 2n=2þ1 n=2 the form (4) equals ð2 Þ! Â 2 and is asymptotically equivalent to e 2 according to Stirling’s formula, while the only other important construction of n=2 2n=2 E22 ffiffiffiffiffiffiffiffiþ1=2 bent functions, PSap; leads only to n=2À1 p functions. And the situation of 2 p2n=2 resilient functions is still more explicit. However, the number of provably bent, balanced or resilient Maiorana–McFarland’s functions seems negligible with respect to the total number of functions with the same properties. For bent functions, this is only a conjecture, since the number of bent functions is unknown (only an upper bound exists [11]). For balanced functions, it can be checked: for every positive integer r; the number of balanced Maiorana–McFarland’s functions nÀr obtained by choosing f such that fðyÞa0 for every y equals ð2rþ1 À 2Þ2 and is 2nÀ1 X smaller thanÀÁ or equal to 2 since r 1: It is quite negligible with respect to the n 2nþ1=2 number 2 E2pffiffiffiffiffi of all balanced functions on F n: The number of k-resilient 2nÀ1 p2n 2 Maiorana–McFarland’shi functions obtained by choosing f such that wHðfðyÞÞ4k P ÀÁ2nÀr 2r 2r for every y equals 2 i¼kþ1 i and is probably also very small compared to the number of all k-resilient functions. But this number is unknown. Three complementary upper bounds on the number of all k-resilient functions improve upon all previous bounds [10,11,38]. However, they are probably still far from the real number.

4. The extended Maiorana–McFarland’s class

The restrictions of Maiorana–McFarland’s functions obtained by fixing y in their input being affine, there is a risk that this be used in future attacks. It is important, when designing cryptographic functions, to anticipate possible new attacks (this is what Rothaus did when introducing the notion of nonlinearity by studying bent functions; the linear attack was not known yet). Also, Maiorana– McFarland’s functions have high divisibilities of their Fourier and Walsh spectra, and there is also a risk that this property be used in attacks, as it is used in [5] to attack block ciphers. For this reason, a construction was proposed in [9]. The functions it produces are concatenations of quadratic functions (i.e. functions which are either affine or of algebraic degree 2) instead of, just, affine functions. This makes them harder to study than Maiorana– McFarland’s functions but they are more numerous and have not the same drawback. ARTICLE IN PRESS

C. Carlet / Journal of Complexity 20 (2004) 182–204 195

4.1. Deﬁnition and Walsh spectrum

ÄÅDeﬁnition 1. Let n and r be positive integers such that ron: Denote the integer part r s t y 2 by t and n À r by s: Let c be a mapping from F2 to F2 and let c1; ; ct be its s r coordinate functions. Let f be a mapping from F2 to F2 and let f1; y; fr be its s coordinate functions. Let g be a Boolean function on F2: The function fc;f;g is n r s deﬁned on F2 ¼ F2 Â F2 as

Xt fc;f;gðx; yÞ¼ x2iÀ1x2iciðyÞþx Á fðyÞþgðyÞ i¼1 Xt Xr A r A s ¼ x2iÀ1x2iciðyÞþ xifiðyÞþgðyÞ; x F2; y F2: i¼1 j¼1

Maiorana–McFarland’s functions correspond to the case where c is the null mapping. The following theorem is proved in [9].

A r Theorem 1. Let fc;f;g be deﬁned as in Deﬁnition 1. Then for every a F2 and every A s b F2 we have P X t r w c y ðf ðyÞþa2i 1Þðf ðyÞþa2iÞþgðyÞþyÁb d À Hð ð ÞÞ i¼1 2iÀ1 À 2i wfc;f;g ða; bÞ¼ 2 ðÀ1Þ ; yAEa

À1 where Ea is the superset of f ðaÞ equal if r is even to

A s fy F2=8ipt; ciðyÞ¼0 )ðf2iÀ1ðyÞ¼a2iÀ1 and f2iðyÞ¼a2iÞg; and if r is odd to &'& 8i t; c ðyÞ¼0 )ðf ðyÞ¼a and f ðyÞ¼a Þ A s p i 2iÀ1 2iÀ1 2i 2i y F2= : frðyÞ¼ar

Remark. For every yAF s; denote by J the set of indices equal to j 2t=c y 2 y f p Jj nð Þ¼ ÆÇ 2 0 if r is even and to j 2t=c y 0 r if r is odd (where j denotes the g f p Jj nð Þ¼ g,f g 2 2 j A r smallest integer greater than or equal to 2); then, for every a F2; the set Ea equals À1 A s a f ðaÞ if and only if, for every y F2 such that fðyÞ a; the vectors obtained from fðyÞ and from a after erasing the coordinates whose indices lie outside Jy are still different. ARTICLE IN PRESS

196 C. Carlet / Journal of Complexity 20 (2004) 182–204

4.2. Cryptographic properties of the constructed functions

In this section, we study the behavior of the functions fc;f;g with respect to the cryptographic criteria.

4.2.1. Algebraic degree Let fc;f;g be deﬁned as in Deﬁnition 1. The algebraic degree of fc;f;g clearly equals maxð2 þ d c1; y; 2 þ d ct; 1 þ d f1; y; 1 þ d fr; d gÞ: It is upper bounded by 2 þ s:

4.2.2. Nonlinearity The next theorem was given in [9] without proof. It generalizes to the extended Maiorana–McFarland’s functions the bounds proved in [9] for Maiorana– McFarland’s functions

Theorem 2. Let fc;f;g be defined as in Definition 1. Denote by M the maximum weight A s 0 of cðyÞ; y F2; and by M its minimum weight. Then the nonlinearity Nfc;f;g of fc;f;g satisfies X 0 nÀ1 rÀM À1 nÀ1 rÀwHðcðyÞÞÀ1 2 À 2 max jEajp 2 À max 2 pNf aAF r aAF r c;f;g 2 2 yAE qXffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffia nÀ1 p 2 À max 22rÀ2wHðcðyÞÞÀ2 aAF r yAEa 2 pffiffiffiffiffiffiffiffi nÀ1 rÀMÀ1 2 À 2 max A r jE j p a F2 a where jEaj denotes the size of the set Ea defined in Theorem 1.

A r A s Proof. According to Theorem 1,P for every a F2 and every b F2; we have P t rÀwHðcðyÞÞ ðf2iÀ1ðyÞþa2iÀ1Þðf2iðyÞþa2iÞþgðyÞþyÁb wd ða; bÞ¼ A 2 ðÀ1Þ i¼1 : Thus we have fc;f;g y Ea P 0 rÀwHðcðyÞÞ rÀM maxaAF r; bAF s jwd ða; bÞjpmaxaAF r A 2 p2 maxaAF r jEaj and, ac- 2 2 fc;f;g 2 y Ea P 2 nÀ1 rÀw ðcðyÞÞÀ1 nÀ1 cording to relation (1) we deduce N X2 À max A r 2 H X2 À fc;f;g a F2 yAEa rÀM0À1 2 max A r jE j: a F2 a s s For every real-valued function h on F2 and for every subset E of F2; the sum ! X X 2 hðyÞðÀ1ÞyÁb A s yAE b F2 equals: 0 1 X X X hðyÞhðzÞ@ ðÀ1ÞbÁðyþzÞA ¼ 2s h2ðyÞ y;zAE A s yAE b F2 P bÁðyþzÞ (indeed, A s ðÀ1Þ is null if yaz). b F2 ARTICLE IN PRESS

C. Carlet / Journal of Complexity 20 (2004) 182–204 197

The maximum of a set of values being always greater than or equal to its mean, we P 2 P yÁb 2 deduce maxbAF s yAE hðyÞðÀ1Þ X yAE h ðyÞ and therefore here 2 P X t rÀw ðcðyÞÞ ðf ðyÞþa2iÀ1Þðf ðyÞþa2iÞþgðyÞþyÁb max 2 H ðÀ1Þ i¼1 2iÀ1 2i bAF s 2 yAE qXffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffia pffiffiffiffiffiffiffiffi 2rÀ2w ðcðyÞÞ rÀM X 2 H X2 jEaj: yAEa Hence qXffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi pffiffiffiffiffiffiffiffi d 2rÀ2wHðcðyÞÞ rÀM maxaAF r;bAF s jwf ða; bÞjX max 2 X2 maxaAF r jEaj: 2 2 c;f;g A r yAEa 2 a F2 qffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiP nÀ1 1 2rÀ2w ðcðyÞÞ Hence, Nf is upper bounded by 2 À maxaAF r j A 2 H j and thus c;f;g pffiffiffiffiffiffiffiffi 2 2 y Ea nÀ1 rÀMÀ1 by 2 À 2 max A r jE j: & a F2 a

Remark. The left and the right handsides of the inequality of Theorem 2 are similar to the same inequalities for Maiorana–McFarland’s functions. The additional division, by respectively 2M0 and 2M ; contributes to increase the nonlinearity. But the À1 replacement of max A r jf ðaÞj by max A r jE j contributes to reduce it (the value a F2 a F2 a À1 of max A r jE j can obviously be much greater than max A r jf ðaÞj). It is difficult a F2 a a F2 to determine whether the combined actions of these two modifications result in a reduction or an increase of the nonlinearity. The mean of jEaj is upper bounded by 2M À1 2 max A r jf ðaÞj but it is difficult to bound max A r jE j: a F2 a F2 a

4.2.3. Balancedness and resiliency The following theorem was proved in [9].

Theorem 3. Let fc;f;g be defined as in Definition 1 and let k be a nonnegative integer. If for every vector a of weight smaller than or equal to k we have Ea ¼ | then fc;f;g is m- resilient with mXk: For every yAF s; denote by I the set of indices equal to: j 2t=c y 0 and 2 y f p Jj nð Þ¼ 2 fjðyÞ¼1g if r is even, or if r is odd and if frðyÞ¼0; j 2t=c y 0 and f y 1 r if r is odd and f y 1: f p Jj nð Þ¼ jð Þ¼ g,f g rð Þ¼ 2 A r A sufficient condition for the fact that Ea is empty for all a F2 such that wHðaÞpkis A s that, for every y F2; Iy has size strictly greater than k (then fc;f;g is m-resilient with A s mXk; in particular, if for every y F2; the set Iy is not empty, then fc;f;g is balanced ).

The proof of this theorem is a direct consequence of the fact that for every yAEa and every index jAIy; we have aj ¼ 1: In the case of Maiorana–McFarland’s functions, the condition of Theorem 3 s reduces to the fact that every element in fðF2Þ has Hamming weight strictly greater ARTICLE IN PRESS

198 C. Carlet / Journal of Complexity 20 (2004) 182–204 than k; since all coordinate functions of c are null. It can be translated similarly in the general case.

Corollary 1. Let fc;f;g be deﬁned as in Deﬁnition 1 and let k be a non-negative s r integer. Consider the mapping F from F2 to F2 whose jth coordinate function for j 2t equals the product of the Boolean functions f and 1 c and p j þ Jj n 2 whose rth coordinate function equals fr if r is odd. If the image of every element s in F2 by F has Hamming weight strictly greater than k; then fc;f;g is m-resilient with mXk: s In particular, if the image of every element in F2 by F is nonzero, then fc;f;g is balanced.

Remark

* The Maiorana–McFarland’s function fF;g : ðx; yÞ/x Á FðyÞþgðyÞ is naturally s associated to fc;f;g: If the image of every element in F2 by F has Hamming weight X strictly greater than k; then fF;g is also m-resilient( with m k: Notice that we have aj ¼1)c j ðyÞ¼0andfj ðyÞ¼1¼aj ; J n À1 2 yAF ðaÞ if and only if for every jp2t: and frðyÞ¼ aj ¼0)c j ðyÞ¼1orfj ðyÞ¼0¼aj J n 2 ar if r is odd. On the other hand, we have yAEa if and only if for every jp2t; c y 1orf y a ; and f y a if r is odd. Thus, FÀ1 a DE : But Jj nð Þ¼ jð Þ¼ j rð Þ¼ r ð Þ a 2 FÀ1 a is in general not included in fÀ1 a (take a 0; c y 1 and f y ð Þ ð Þ j ¼ Jj nð Þ¼ jð Þ¼ 2 1 for some j; then we can have yAFÀ1ðaÞ and yefÀ1ðaÞ). And fÀ1ðaÞ is in general not included in FÀ1 a either (take a 1; c y 1 and f y 1 for some j; ð Þ j ¼ Jj nð Þ¼ jð Þ¼ 2 then we can have yeFÀ1ðaÞ and yAfÀ1ðaÞ). * Starting from some provably m-resilient Maiorana–McFarland’s function ff;g; it 0 is sometimes possible to ﬁnd a mapping c and a function g suchP that fcÀÁ;f;g0 is s r r ðm þ 1Þ-resilient: assume for instance that mor=2 À 1 and that 2 p i¼mþ1 i ; let s A r A r f be injective from F2 to fx F2; wHðxÞ4mg; for any word x F2 of weight m þ 1; there exists i such that x2iÀ1 ¼ x2i ¼ 0; since m þ 1or=2; for every such 0 word x; choose x obtained from x by changing to 1 either x2iÀ1 or x2i or both and 0 s À1 À1 0 assume that x belongs to fðF2Þ; take then ci3f ðxÞ¼1 and ci3f ðx Þ¼1: A r 0 Then for every a F2 of weight m þ 1; the set Ea has 2 elements and there exists g such that the Walsh transform of fc;f;g0 takes null value at ða; 0Þ: Thus, fc;f;g0 is ðm þ 1Þ-resilient.

Restrictions on functions achieving Sarkar–Maitra’s bound: It is difﬁcult to characterize those functions fc;f;g which achieve Sarkar–Maitra’s bound. But we can prove some necessary conditions. ARTICLE IN PRESS

C. Carlet / Journal of Complexity 20 (2004) 182–204 199

Proposition 4. Let fc;f;g be deﬁned as in Deﬁnition 1. Assume that Ea is empty A r for all a F2 such that wHðaÞpk: If fc;f;g achieves the best possible nonlinearity 2nÀ1 À 2kþ1; then k þ 1prpk þ M þ 2; where M denotes the maximum weight of cðyÞ: If r ¼ k þ 1 then fc;f;g is a Maiorana–McFarland ’s function. 2kÀ2rþ2Mþ4 If k þ 2prpPk þ MÀÁþ 2; then Ea has size at most 2 for every a and nþrÀ2kÀ2MÀ4 r r 2 p i¼kþ1 i :

a| Proof. The property rXk þ 1 isq obviousffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi since there must exist a such that Ea : If nÀ1 kþ1 kÀrþMþ2 N ¼ 2 À 2 ; we have max A r jE j 2 ; according to Theorem 2 fc;f;g a F2 a p and hence r k þ M þ 2 since max A r jE jX1: p a F2 a If r ¼ k þ 1; then it is a simple matter to see that c takes null value and that f takes constant value ð1; y; 1Þ: Then fc;f;g is a Maiorana–McFarland’s function and has been studied in [9]. If k þ 2prpk þ M þ 2; then, Ea having sizeP 0 if wHÀÁðaÞpk and size at most 2kÀ2rþ2Mþ4 s 2kÀ2rþ2Mþ4 r r & 2 otherwise, we deduce 2 p2 i¼kþ1 i :

Methods for constructing highly nonlinear resilient functions from Deﬁnition 1: A r À1 If for any a F2; the set Ea equals f ðaÞ (i.e. is minimal) and if every element in fðF sÞ has Hamming weight strictly greater than k then f and f are both at least 2 c;f;g Pf;g r s r gðyÞþbÁy k-resilient. Since, for every aAF and bAF ; wdða; bÞ equals 2 À1 ðÀ1Þ P 2 2 ff;g yAf ðaÞ rÀwHðcðyÞÞ gðyÞþyÁb and wd a; b equals À1 2 1 ; the nonlinearity of f can be fc;f;g ð Þ yAf ðaÞ ðÀ Þ c;f;g smaller than that of ff;g:

A r Let k be some positive integer. Assume that for every vector a F2 whose Hamming weight wHðaÞ is smaller than or equal to k; either the set Ea is empty A s or for everyP b F2 of weight at most k À wHðaÞ; the restriction to Ea of the t function i¼1 ðf2iÀ1ðyÞþa2iÀ1Þðf2iðyÞþa2iÞþgðyÞþy Á b is balanced (for example, the restriction of f to Ea is constant and the restriction of g þ b Á y to Ea is balanced). Assume also that cðyÞ has constant weight on Ea: Then, according to Theorem 1, fc;f;g is k-resilient. Moreover, if every non-empty set Ea is a ﬂat and if, for some l; every jEaj such restriction achieves nonlinearity greater than or equal to 2 À l (we nÀ1 rÀM0 nÀ1 assume this value is achieved for some a) then 2 À 2 lpNfc;f;g p2 À 2rÀM l; where M (resp. M0) is the maximum (resp. minimum) weight A s of cðyÞ; y F2: In [9] is described another method and examples of functions achieving good trade-offs between resiliency and nonlinearity are also given: 3 for any n ¼ 2m with m odd, there exists fc;f;g balanced with nonlinearity 2nÀ1 À 2n=2À1 À 2ðn=2À1Þ=2: This is the best known nonlinearity for these parameters. ARTICLE IN PRESS

200 C. Carlet / Journal of Complexity 20 (2004) 182–204 P 3 k n=2À2 2n=2À2 for every n even, let k be such that i¼0 i p 5 : Then there exists nÀ1 n=2À1 n=2À2 fc;f;g k-resilient with nonlinearity 2 À 2 À 2 : Such characteristics were not obtained in [31,36,37,45].

4.2.4. Propagation criterion A r A s Let us compute the derivatives of fc;f;g: For every a F2 and every b F2; we have

Dða;bÞfc;f;gðx; yÞ Xt Xt ¼ x2iÀ1x2iDbciðyÞþ ða2iÀ1x2i þ x2iÀ1a2i þ a2iÀ1a2iÞciðy þ bÞ i¼1 i¼1

þ x Á DbfðyÞþa Á fðy þ bÞþDbgðyÞ:

Thus, Dða;bÞfc;f;gðx; yÞ belongs to the extended Maiorana–McFarland’s class and has the form fDbc;Ca;b;ha;b ðx; yÞ where for every ipt; the ð2i À 1Þth coordinate function of Ca;b equals a2iciðy þ bÞþDbf2iÀ1ðyÞ; its ð2iÞthP coordinate function equals t a2iÀ1ciðy þ bÞþDbf2iðyÞ; and where ha;bðyÞ¼ i¼1a2iÀ1a2iciðy þ bÞþa Á fðy þ bÞþDbgðyÞ: We deduce from Corollary 1:

A r s Proposition 5. Let fc;f;g be defined as in Definition 1. For every ða; bÞ F2 Â F2; denote s r by Fa;b the function from F2 to F2 whose ð2i À 1Þth coordinate for ipt equals the product of the Boolean functions a2iciðy þ bÞþDbf2iÀ1ðyÞ and DbciðyÞþ1; whose ð2iÞth coordinate function equals the product of the Boolean functions a2iÀ1ciðy þ bÞþDbf2iðyÞ and DbciðyÞþ1 and whose rth coordinate function equals DbfrðyÞ if r is s odd. If, for every ða; bÞ of weight at most l; the image of every element in F2 by Fa;b is nonzero, then fc;f;g satisfies PCðlÞ:

4.2.5. Plateaued and bent functions Let fc;f;g be defined as in Definition 1. According to Theorem 1, if Ea has size 0 or 1 (respectively 0 or 2) for every a and if c has constant weight, then fc;f;g is plateaued (i.e. has a Walsh spectrum with three values, 0 and 7l). In particular, if Ea has size 1 for every a and if for some integer k; taking r ¼ A s n=2 þ k and s ¼ n=2 À k; we have wHðcðyÞÞ ¼ k for every y F2; then fc;f;g is bent. This condition is satisfied by every function of the form

x1x2 þ ? þ x2kÀ1x2k þ x Á fðyÞþgðyÞ; ð12Þ

A s/ where the mapping f ¼ðf1; y; frÞ is such that the mapping y F2 ðf2kþ1ðyÞ; y; frðyÞÞ is one to one. It is also possible to design bent functions from the extended Maiorana– McFarland’s class with nonconstant mappings c: ARTICLE IN PRESS

C. Carlet / Journal of Complexity 20 (2004) 182–204 201

A new construction of bent functions: Take (for instance) r even (thus s ¼ r À 2k is r also even). Let ðFjÞ1pjp2s be a partition of F2; where the Fj’s are ﬂats of the form A r j A fx F2; xi ¼ ui ; 8i Ijg; where Ij is a subset of f1; y; ng of size s (thus, each Fj has rÀs size 2 ) such that 2i À 1AIj32iAIj for every i (this is possible since s is even) and j Ij A s s where the vector u belongs to F2 : For every y F2; choose injectively j ¼ 1; y; 2 ; then, for every ipr=2; set ciðyÞ¼0if2i À 1AIj (and 2iAIj), and set ciðyÞ¼1 otherwise; choose fðyÞ in Fj: Then for every function g; the function fc;f;g is such À1 that Ea has size 1 for every a: Indeed, Ea is the singleton ff ðaÞg because the condition ‘‘ciðyÞ¼0 ) f2iÀ1ðyÞ¼a2iÀ1 and f2iðyÞ¼a2i’’ implies that fðyÞ¼a; r A s since ðFjÞ1pjp2s is a partition of F2: We have also wHðcðyÞÞ ¼ k for every y F2: Thus fc;f;g is bent.

A way of obtaining such a partition ðFjÞ1pjp2s is by taking the Fj’s equal to the 2k cosets of fð0; y; 0Þg Â F2 : The set Ij is then independent of j; this would lead to functions linearly equivalent to the functions (12). But, starting from this simple partition, we can modify it to obtain a partition such that Ij depends on j: For j1 j2 j3 j4 instance, choose j1; j2; j3 and j4 such that the vectors u ; u ; u and u coincide in s À 2 coordinates (F ¼ Fj1 ,Fj2 ,Fj3 ,Fj4 is then a ﬂat); choose two indices 2i0 À 1 A and 2i0 greater than s and replace Fj1 ; Fj2 ; Fj3 and Fj4 respectively by fx F; x2i0À1 ¼ A A 0andx2i0 ¼ 0g; fx F; x2i0À1 ¼ 0andx2i0 ¼ 1g; fx F; x2i0À1 ¼ 1 and x2i0 ¼ 0g; A fx F; x2i0À1 ¼ 1andx2i0 ¼ 1g: This does not change the property of ðFjÞ1pjp2s of being a partition but it changes Ij1 ; Ij2 ; Ij3 and Ij4 : It remains to be proven that new bent functions can be obtained through this construction. But in any case, this method of construction is new.

References

[1] P. Camion, C. Carlet, P. Charpin, N. Sendrier, On correlation-immune functions, Advances in Cryptology: Crypto ’91, Proceedings, Lecture Notes in Computer Science, Vol. 576, Springer, Berlin, 1991, pp. 86–100. [2] A. Canteaut, C. Carlet, P. Charpin, C. Fontaine, On cryptographic properties of the cosets of Rð1; mÞ; IEEE Trans. Inform. Theory 47 (4) (2001) 1494–1513. [3] A. Canteaut, M. Daum, H. Dobbertin, G. Leander, Normal and non normal bent functions, Proceedings of the Workshop on Coding and Cryptography, Versailles, France, 2003, pp. 91–100. [4] A. Canteaut, M. Trabbia, Improved fast correlation attacks using parity-check equations of weight 4 and 5, Advances in Cryptology—EUROCRYPT 2000, Lecture Notes in Computer Science, Vol. 1807, Springer, Berlin, 2000, pp. 573–588. [5] A. Canteaut, M. Videau, Degree of composition of highly nonlinear functions and applications to higher order differential cryptanalysis, Advances in Cryptology, EUROCRYPT2002, Lecture Notes in Computer Science, Vol. 2332, Springer, Berlin, 2002, pp. 518–533. [6] C. Carlet, More correlation-immune and resilient functions over Galois ﬁelds and Galois rings, Advances in Cryptology, EUROCRYPT’97, Lecture Notes in Computer Science, Vol. 1233, Springer, Berlin, 1997, pp. 422–433. [7] C. Carlet, On cryptographic propagation criteria for Boolean functions, Information and Computation, Vol. 151, Academic Press, New York, 1999, pp. 32–56. ARTICLE IN PRESS

202 C. Carlet / Journal of Complexity 20 (2004) 182–204

[8] C. Carlet, On the coset weight divisibility and nonlinearity of resilient and correlation-immune functions, Proceedings of SETA’01 (Sequences and their Applications 2001), Discrete Mathematics and Theoretical Computer Science, Springer, Berlin, 2001, pp. 131–144. [9] C. Carlet, A larger class of cryptographic Boolean functions via a study of the Maiorana–McFarland construction, Advances in Cryptology—CRYPT0 2002, Lecture Notes in Computer Science, Vol. 2442, Springer, Berlin, 2002, pp. 549–564. [10] C. Carlet, A. Gouget, An upper bound on the number of m-resilient Boolean functions, Proceedings of ASIACRYPT 2002, New Zealand, 2002. [11] C. Carlet, A. Klapper, Upper bounds on the numbers of resilient functions and of bent functions, Proceedings of the 23rd Symposium on Information Theory in the Benelux, Louvain-La-Neuve, Belgium, 2002. [12] C. Carlet, E. Prouff, On plateaued functions and their constructions. Proceedings of Fast Software Encryption 2003, Lecture Notes in Computer Science, 2887, Springer, Berlin, pp. 54–73. [13] C. Carlet, P. Sarkar, Spectral domain analysis of correlation immune and resilient Boolean functions, Finite ﬁelds Appl. 8 (2002) 120–130. [14] P. Charpin, E. Pasalic, On propagations characteristics of resilient functions, in: K. Nyberg, H.M. Heys (Eds.), Advances in Cryptology-SAC 2002, St. John’s, Newfoundland, Canada, Lecture Notes in Computer Science 2595, Springer 2003, pp. 175–195. [15] S. Chee, S. Lee, K. Kim, D. Kim, Correlation immune functions with controllable nonlinearity, ETRI J. 19 (4) (1997) 389–401. [16] S. Chee, S. Lee, D. Lee, S.H. Sung, On the correlation immune functions and their nonlinearity, Proceedings of Asiacrypt’96, Lecture Notes in Computer Science, Vol. 1163, Springer, Berlin, 1997, pp. 232–243. [17] T.W. Cusick, On constructing balanced correlation immune functions, Proceedings of SETA’98 (Sequences and their Applications 1998), Discrete Mathematics and Theoretical Computer Science, Springer, Berlin, 1999, pp. 184–190. [18] J.F. Dillon, Elementary Hadamard difference sets, Ph.D. Thesis, University of Maryland, 1974. [19] H. Dobbertin, Construction of bent functions and balanced Boolean functions with high nonlinearity, Fast Software Encryption (Proceedings of the 1994 Leuven Workshop on Crypto- graphic Algorithms), Lecture Notes in Computer Science, Vol. 1008, Springer, Berlin, 1995, pp. 61–74. [20] J.H. Evertse, Linear structures in block ciphers, in: Advances in Cryptology—EUROCRYPT’87, Lecture Notes in Computer Science, Vol. 304, Springer, Berlin, 1988, pp. 249–266. [21] T. Johansson, F. Jo¨nsson, Improved fast correlation attack on stream ciphers via convolutional codes, Advances in Cryptology—EUROCRYPT’99, Lecture Notes in Computer Science, Vol. 1592, Springer, Berlin, 1999, pp. 347–362. [22] T. Johansson, F. Jo¨nsson, Fast correlation attacks based on turbo code techniques, Advances in Cryptology—CRYPTO’99, Lecture Notes in Computer Science, Vol. 1666, Springer, Berlin, 1999, pp. 181–197. [23] L.R. Knudsen, Truncated and higher order differentials, Fast Software Encryption, Second International Workshop, Lecture Notes in Computer Science, Vol. 1008, Springer, Berlin, 1995, pp. 196–211. [24] K. Kurosawa, T. Satoh, Design of SAC=PCðcÞ of order k Boolean functions and three other cryptographic criteria, Advances in Cryptology, EUROCRYPT’97, Lecture Notes in Computer Science, Vol. 1233, Springer, Berlin, 1997, pp. 434–449. [25] X. Lai, Higher order derivatives and differential cryptanalysis, in: R. Blahut (Ed.), Proceedings of the Symposium on Communication, Coding and Cryptography, in honor of J.L. Massey on the occasion of his 60th birthday, Kluwer Academic Publishers, 1994. [26] F.J. Mac Williams, N.J. Sloane, The Theory of Error-correcting Codes, North-Holland, Amsterdam, 1977. [27] M. Matsui, Linear cryptanalysis method for DES cipher, Advances in Cryptology— EUROCRYPT’93, Lecture Notes in Computer Science, Vol. 765, Springer, Berlin, 1994, pp. 386–397. ARTICLE IN PRESS

C. Carlet / Journal of Complexity 20 (2004) 182–204 203

[28] W. Meier, O. Staffelbach, Nonlinearity criteria for Cryptographic Functions, Advances in Cryptology, EUROCRYPT’89, Lecture Notes in Computer Science, Vol. 434, Springer, Berlin, 1990, pp. 549–562. [29] N.J. Patterson, D.H. Wiedemann, The covering radius of the ½215; 16 Reed-Muller code is at least 16276, IEEE Trans. Inform. Theory IT-29 (1983) 354–356. [30] E. Pasalic, S. Maitra, A Maiorana–McFarland type construction for resilient Boolean functions on n n n variables (n even) with nonlinearity 42nÀ1 À 22 þ 22À2; Proceedings of the Workshop on Coding and Cryptography, Versailles, France, 2003, pp. 365–374. [31] E. Pasalic, S. Maitra, T. Johansson, P. Sarkar, New constructions of resilient functions and correlation immune Boolean functions achieving upper bound on nonlinearity, Proceedings of the Workshop on Coding and Cryptography, Paris, France, 2001, pp. 425–434. [32] B. Preneel, R. Govaerts, J. Vandevalle, Boolean functions satisfying higher order propagation criteria, Advances in Cryptology, EUROCRYPT’91, Lecture Notes in Computer Sciences, Vol. 547, Springer, Berlin, 1991, pp. 141–152. [33] B. Preneel, W. Van Leekwijck, L. Van Linden, R. Govaerts, J. Vandevalle, Propagation characteristics of Boolean functions, Advances in Cryptology, EUROCRYPT’90, Lecture Notes in Computer Sciences, Vol. 473, Springer, Berlin, 1991, pp. 161–173. [34] O.S. Rothaus, On bent functions, J. Combin. Theory A 20 (1976) 300–305. [35] R.A. Rueppel, Analysis and design of stream ciphers, Com. and Contr. Eng. Series, Berlin, Heidelberg, NY, London, Paris, Tokyo, 1986. [36] P. Sarkar, S. Maitra, Construction of nonlinear Boolean functions with important cryptographic properties. Advances in Cryptology—EUROCRYPT 2000, Lecture Notes in Computer Science, Vol. 1807, Springer, Berlin, 2000, pp. 485–506. [37] P. Sarkar, S. Maitra, Nonlinearity bounds and constructions of resilient Boolean functions, in: M. Bellare (Ed.), CRYPTO 2000, Lecture Notes in Computer Science, Vol. 1880, Springer, Berlin, 2000, pp. 515–532. [38] M. Schneider, A note on the construction and upper bounds of correlation-immune functions, Sixth IMA Conference, Cirencester, Great Britain, 1997, pp. 295–306. [39] J. Seberry, X.M. Zhang, Y. Zheng, On constructions and nonlinearity of correlation immune Boolean functions, Advances in Cryptology—EUROCRYPT’93, Lecture Notes in Computer Science, Vol. 765, Springer, Berlin, 1994, pp. 181–199. [40] J. Seberry, X.M. Zhang, Y. Zheng, Nonlinearly balanced Boolean functions and their propagation characteristics, Advances in Cryptology—CRYPTO’93, Santa Barbara, USA, 1994, pp. 49–60. [41] C.E. Shannon, Communication theory of secrecy systems, Bell System Tech. J. 28 (1949) 656–715. [42] T. Siegenthaler, Correlation-immunity of nonlinear combining functions for cryptographic applications, IEEE Trans Inform. Theory IT-30 (5) (1984) 776–780. [43] T. Siegenthaler, Decrypting a class of stream ciphers using ciphertext only, IEEE Trans. Comput. C-34 (1) (1985) 81–85. [44] Y.V. Tarannikov, On resilient Boolean functions with maximum possible nonlinearity, Proceedings of INDOCRYPT 2000, Lecture Notes in Computer Science, Vol. 1977, 2000, pp. 19–30. [45] Y.V. Tarannikov, New constructions of resilient Boolean functions with maximum nonlinearity, Proceedings of FSE 2001, Eighth International Workshop, FSE 2001, Lecture Notes in Computer Science, Vol. 2355, Springer, Berlin 2001, pp. 66-77. [46] Xiao Guo-Zhen, J.L. Massey, A spectral characterization of correlation-immune combining functions, IEEE Trans. Inform. Theory IT 34 (3) (1988) 569–571. [47] Y. Zheng, X.M. Zhang, Plateaued functions, Advances in Cryptology—ICICS’99, Lecture Notes in Computer Science, Vol. 1726, Springer, Heidelberg, 1999, pp. 284–300. [48] Y. Zheng, X.-M. Zhang, Improved upper bound on the nonlinearity of high order correlation immune functions, Proceedings of Selected Areas in Cryptography 2000, Lecture Notes in Computer Science, Vol. 2012, Springer, Berlin, 2001, pp. 262–274. ARTICLE IN PRESS

204 C. Carlet / Journal of Complexity 20 (2004) 182–204