Advances in Mathematics of Communications doi:10.3934/amc.

2017061
Volume 11, No. 4, 2017, 837–855

THREE BASIC QUESTIONS ON BOOLEAN FUNCTIONS

Claude Carlet
LAGA, Department of Mathematics, University of Paris 8 (and Paris 13 and CNRS)
Saint–Denis cedex 02, France
∗
Serge Feukoua
University of Yaoundé 1
Faculty of Sciences, Department of Mathematics
P.O.BOX 812 Yaoundé, Cameroon

(Communicated by Sihem Mesnager)

Abstract. In a first part of this paper, we investigate those Boolean functions

satisfying two apparently related, but in fact distinct conditions concerning the
algebraic degree:
1. we study those Boolean functions f whose restrictions to all affine hyper-
planes have the same algebraic degree (equal to deg(f ), the algebraic degree of
f ),
2. we study those functions whose derivatives Da f (x) = f (x) + f (x + a),
a 6= 0, have all the same (optimal) algebraic degree deg(f ) − 1.
For determining to which extent these two questions are related, we find
three classes of Boolean functions: the first class satisfies both conditions, the
second class satisfies the first condition but not the second and the third class
satisfies the second condition but not the first. We also give for any fixed
positive integer k and for all integers n, p, s such that p ≥ k + 1, s ≥ k + 1
and n ≥ ps, a class (denoted by Cn,p,s ) of functions whose restrictions to all
k-codimensional affine subspaces of Fn 2 have the same algebraic degree as the
function.
In a second part of the paper, we introduce the notion of second-order-
bent function, whose second order derivatives Da Db f (x) = f (x) + f (x + a) +
f (x + b) + f (x + a + b), a 6= 0, b 6= 0, a 6= b, are all balanced. We exhibit an
example in 3 variables and we prove that second-order-bent functions cannot
exist if n is not congruent with 3 mod 4. We characterize second-order-bent
functions by the Walsh transform, state some of their properties and prove the
non existence of such functions for algebraic degree 3 when n > 3. We leave
open the question whether second-order-bent functions can exist for n larger
than 3.

1. Introduction
Boolean functions are of importance for a variety of applications. They are used
in cryptography, in particular in pseudo-random generators (in stream ciphers), and
in S-boxes (in block ciphers). They are also used to build error correcting codes
like Reed-Muller codes and Kerdock codes (see [3]).
In Section 2, we give some basic definitions and properties on Boolean functions.

2010 Mathematics Subject Classification: 06E30, 94C10, 94A60, 11T71, 05E99.

Key words and phrases: Boolean functions, algebraic degree, hyperplane, derivative, second-
order-bent.
∗ The work of this author was partially supported by the CETIC (Centre Africain d’Excellence

en Technologies de l’Information et la Communication).

837 2017
c AIMS
838 Claude Carlet and Serge Feukoua

Today, many natural questions remain uninvestigated about Boolean functions,

in relation with some well-known properties. For instance, we know that the restric-
tion of a Boolean function to any affine hyperplane has algebraic degree at most
the algebraic degree of the function itself (note that the notion of algebraic degree
of the restriction to a subspace is sound because, since the algebraic degree is an
affine invariant, the choice of a basis of the subspace has not effect on the algebraic
degree). Then a natural question is:
1. Do there exist Boolean functions f whose restrictions to affine hyperplanes
have all the same algebraic degree as f itself?
We also know that derivating a Boolean function (that is, considering Da f (x) =
f (x + a) + f (x) for a 6= 0) decreases its algebraic degree by at least 1. Here again,
it is interesting to study the question:
2 Do there exist Boolean functions f whose derivatives have all optimal algebraic
degree deg(f ) − 1, where deg(f ) is the algebraic degree of f ?
Section 3 is devoted to the study of these two questions and their interaction. We
shall give a class of functions which satisfy 1, give a class of functions more generally
satisfying a version of 1 in which “affine hyperplane” is replaced by “k-codimensional
affine subspace of Fn2 , and exhibit three classes of functions showing that these two
questions have positive answers and are in a way independent. We also characterize
functions which allow answering positively to the second question when the number
of highest degree monomials is at most 3.
Finally, we consider a question which is naturally related to the notion of bent
functions. Recall that bent functions (Boolean or vectorial) are those functions f
such that, for every non zero vector a ∈ F2 , the derivative Da f is balanced. We can
then consider the so-called second-order-bent functions (and more generally the kth-
order-bent functions) which are such that, for any free family (a, b) of two vectors
over F2 , that is, any pair of distinct and nonzero vectors a and b (respectively,
for any free family (a1 , ..., ak ) of k vectors over F2 ), the second order derivative
Da Db f (x) = f (x) + f (x + a) + f (x + b) + f (x + a + b) is balanced (respectively,
the kth- order derivative Da1 ...Dak f is balanced). In Section 4, we study second-
order-bent Boolean functions over Fn2 . We show that these functions have a chance
to exist only when n ≡ 3 [mod 4]. Furthermore, we give their characterization by
the Walsh transform, we give upper and lower bounds on their algebraic degrees.
In particular, we show properties of second-order-bent functions of degree 3 which
imply the non existence of such functions in more than 3 variables. We exhibit
an example of second-order-bent function in 3 variables but the question of their
existence for n larger remains open.

2. Preliminaries and state of the art

In this document, Fn2 denotes the vector space over the field F2 of all binary
vectors of length n. We call Boolean function on Fn2 , or n-variable Boolean function,
every function from Fn2 to F2 . The set of all Boolean functions on Fn2 is denoted
n n
by 2F2 (or Bn ). There is a bijective correspondence between the set 2F2 and the
2 2
quotient group F2 [x1 , ..., x2 ]/(x1 + x1 , ..., xn + xn ); a Boolean function can then be
seen as an element of this quotient group (see e.g. [3]). This representation is called
the Algebraic Normal Form (in brief, ANF) of the Boolean function. Note that every
coordinate xi in the ANF appears with exponent at most 1, because every bit in F2
is its own square. The algebraic degree of a Boolean function f , denoted by deg(f ),
Advances in Mathematics of Communications Volume 11, No. 4 (2017), 837–855
 Three basic questions on Boolean functions 839

is the degree of its ANF (see [7]). Those functions of algebraic degree at most 2
(resp. at most 3) are called quadratic (resp. cubic). McEliece’s theorem [8] states
that the weights of all n-variable Boolean functions of algebraic degrees at most r
n n−1
are divisible by 2d r e−1 = 2b r c (where due denotes the smallest integer greater
than or equal to u and buc denotes the integer part). For every binary vector x ∈ Fn2 ,
the Hamming weight wH (x) of x being the number of its non zero coordinates (i.e.
the size of the set {i ∈ N/xi 6= 0}, called the support of x, where N denotes the set
{1, ..., n}), the Hamming weight wH (f ) of a Boolean function f on Fn2 is also the
size of the support of the function, i.e. of the set {x ∈ Fn2 /f (x) = 1}. Furthermore,
a Boolean function f over Fn2 is called balanced if its Hamming weight equals 2n−1 .
Let us give the following definitions and propositions, useful to understand our
subject:
Definition 1. Let f be an n-variable Boolean function and let a and b be any
vector in Fn2 . We call derivative of f in the direction of b the Boolean function Db f
defined by Db f (x) = f (x) + f (x + b). Therefore the second-order derivative of f
in the direction of {a, b} is the Boolean function Db Da f defined by Db Da f (x) =
f (x) + f (x + a) + f (x + b) + f (x + a + b).
In [7], P. Langevin and P. Solé give the following proposition:
Proposition 1. Let E be a vector space of finite dimension over the finite field F2
and let f be a Boolean function from E into F2 . Then
∀v ∈ E, deg(Dv f ) ≤ deg(f ) − 1 and ∃u ∈ E, deg(Du f ) = deg(f ) − 1.
Moreover, in [12], Salagean gives a way to characterize the “fast points” of a
Boolean function, where “fast points” are defined as follows:
Definition 2. Let f : Fn2 → F2 be a non-constant Boolean function in n variables
and a ∈ Fn2 \{0}. We call “a” a fast point for f if Da f = 0 or deg(Da f ) < deg(f )−1.
The author counts the number of functions with fast point but the method for
counting does not give a way to construct functions with at least one fast point or
with no fast point. In this paper, we shall investigate the Boolean functions on Fn2
with no fast point. In [6], where is recalled the
Pderivation of a Boolean function f
in the direction of a subspace S: DS f (x) = s∈S f (x + s), the authors study a
particular affine invariant of a Boolean function f called the height of f (denoted
by ht(f )) and defined as follows:
Definition 3. For a given Boolean function f , ht(f ) is equal to the minimal di-
mension of a subspace S such that DS f is the null function.
The functions f which answer positively to the second question of this paper are
all such that ht(f ) > 1.
We recall now the background necessary for Section 4.
The nonlinearity of a Boolean function f over Fn2 is the minimum Hamming
distance dH (f, h) = |{x ∈ Fn2 ; f (x) 6= h(x)}| between f and affine functions h (in
other words, the distance from f to R(1, n), the Reed-Muller code of order 1, since
this code equals the set of functions of algebraic degree at most 1, viewed as binary
vectors of length 2n ). Moreover we can also define the r − th order nonlinearity
(where r is an integer) of a Boolean function f over Fn2 as the minimum distance
between f and the set (denoted by R(r, n)) of all Boolean functions of degree at
most r (r ≤ n). Let us give the following definition:
Advances in Mathematics of Communications Volume 11, No. 4 (2017), 837–855
840 Claude Carlet and Serge Feukoua

Definition 4. [4, 11] A Boolean function over Fn2 (n even) is bent if its Hamming
distance to the set of all n-variable affine Boolean functions (the nonlinearity of f )
equals 2n−1 − 2n/2−1 (which is optimal).
Proposition 2. [4, 11] If f is a bent Boolean function over Fn2 , then wH (f ) =
n
2n−1 ± 2 2 −1 . The converse is true if f is quadratic.
Proposition 3. [4, 11] Bent functions are those functions such that, for every non
zero vector a ∈ Fn2 , the derivative Da F is balanced.
The algebraic degree of bent functions is bounded above:
Proposition 4. [4, 11] Let n be any even integer greater than or equal to 4. The
algebraic degree of any bent function on Fn2 is at most n/2.
Proposition 5. [4, 11] All quadratic bent functions over Fn2 are known and for
n ≥ 4, they are equivalent up to an affine nonsingular transformation and to the
addition of a constant to the function: x1 x2 + x3 x4 + ... + xn−1 xn .
For more details on bent function the reader can refer to [9].
Let us end this section with the following definitions useful to characterize second-
order-bent functions:
Definition 5. The Fourier transform of a Boolean function f over Fn2 denoted by
fb is defined by:
X
fb(u) = f (x)(−1)u·x for all u ∈ Fn2 ,
x∈Fn
2

where “ · ” is some chosen inner product, that is, where x · y is a bilinear form and
x · y = 0 for every y ∈ Fn2 if and only if x = 0 (i.e. the only element orthogonal to Fn2
is 0). Moreover the Walsh transform of f denoted by Wf , is the Fourier transform
of the sign function fχ (x) = (−1)f (x) :
X
Wf (u) = (−1)f (x)+u·x for all u ∈ Fn2 .
x∈Fn
2
P
These transforms satisfy the so-called inverse Fourier formulas u∈Fn2
u·x n u·x n f (x)
P
f (u)(−1)
b = 2 f (x) and u∈Fn2 WF (u)(−1) = 2 (−1) and the Parseval
relation u∈Fn2 WF2 (u) = 22n .
P

With the above definition, let us recall that bent functions are those functions
whose Walsh transform takes the values ±2n/2 only.
Definition 6. Let n be an odd integer. A Boolean function f over Fn2 is said to be
n+1
semi-bent if Wf (u) ∈ {0, ±2 2 } for all u ∈ Fn2 .

3. On the algebraic degree of restrictions and derivatives

For every Boolean function f , we denote by V ar(f ) the set {i | xi appears in the
ANF of f }. We introduce a class of Boolean functions which seems natural to
consider since it is based on the classical direct sum of functions.
Definition 7. Let n, p and s be three integers such that p ≥ 2, s ≥ 2 and n ≥ ps.
We denote by Cn,p,s the class of all those Boolean functions on Fn2 which are the
Advances in Mathematics of Communications Volume 11, No. 4 (2017), 837–855
 Three basic questions on Boolean functions 841

sum of a function of algebraic degree at most s − 1 and of the direct sum of p

monomials of algebraic degree s, that is, whose ANF is given by:
X p
f (x) = mi (x) + h(x)
i=1
where deg(h(x)) ≤ s − 1 and (mi )i=1...p is a sequence of monomials with the same
degree s satisfying the condition: V ar(mi (x)) ∩ V ar(mj (x)) = ∅ for all i 6= j.
n

(ps )(ps−s 2s s
s )...( s )(s)
Remark 1. The number of such partitions is ps × s p! and to each
Ps−1 n
( )
of these partitions one associates 2 i=0 i functions. This means that the total
n

(ns)(n−s 2s s
s )...( s )(s)
number of these functions when p, s and n are fixed, is ps × p! ×
Ps−1 n
2 i=0 ( i ) .
3.1. Functions in Cn,p,s allow answering positively to the first ques-
tion. We shall prove that, for p ≥ 2, s ≥ 2 and n ≥ ps, any Boolean function
f in Cn,p,s is such that, for any affine hyperplane H of the vector space Fn2 , the
algebraic degree deg(f|H ) of the restriction f|H of f to H equals deg(f ). In fact, we
shall prove a more general result:
Theorem 1. Let k be a positive integer. Then for every function f of Class Cn,p,s
with p ≥ k + 1 and s ≥ k + 1, and any affine subspace E of Fn2 of codimension k,
the algebraic degree deg(f|E ) of the restriction f|E of f to E equals deg(f ).
Proof. Note that the definition of Class Cn,p,s is invariant under any translation
x 7→ x + a, where a ∈ Fn2 ; we may then assume that E is a vectorspace. Such E is
characterized by a system of k linear homogeneous equations which are F2 -linearly
independent. By the Gauss reduction method, this system is equivalent to a system
which expresses k distinct variables xi1 , xi2 ,...,xik by means of the other variables.
By substituting these values in the ANF of a function f of Class Cn,p,s , we obtain
the ANF of the restriction f|E of f to E. Since p ≥ k + 1, there exists at least one
monomial, say mi0 , whose variables are kept unchanged after the substitution of
xi1 , xi2 ,...,xik (i.e. are all distinct from these variables). Moreover, since s ≥ k + 1,
at least one variable of each monomial is kept unchanged as well and since this
variable is not among the variables of mi0 , this latter monomial does not cancel
after substitution of xi1 , xi2 ,...,xik . 
Remark 2. The ANF of every Boolean function f on Fn2 whose restrictions to any
affine subspace E of Fn2 of codimension k have all the same algebraic degree deg(f ),
contains at least k + 1 monomials of the same degree deg(f ), i.e. has the form
p
X
f (x) = mi (x) + h(x)
i=1
where deg(h(x)) ≤ s − 1 and (mi )i=1...p is a sequence of monomials of the same
degree s with p ≥ k + 1. Indeed, suppose that there are at most k monomials mi (x)
with i = 1, ..., k of degree deg(f ) in the ANF of the function f and let us consider
the subspace E of Fn2 of codimension k, defined by the system of equations:

xi = 0
 1


x i2 = 0

 ...
x ik = 0


Advances in Mathematics of Communications Volume 11, No. 4 (2017), 837–855

842 Claude Carlet and Serge Feukoua

where it ∈ V ar(mt (x)) for all t = 1, ..., k . Then by substituting each xit = 0 in
mt (x), it is obvious that all these monomials of degree deg(f ) are canceled and the
function obtained is of degree at S most deg(f ) − 1.
For k = 1, the functions of p≥2,s≥2 Cn,p,s are the only n-variable functions f
S
in p≥1,s≥1 Cn,p,s whose restrictions to affine hyperplanes have the same algebraic
degree as f : we have seen that p ≥ 2 is necessary for such property, and if s = 1,
then at least one restriction is constant, so s ≥ 2 is also necessary.
3.2. Functions in Cn,p,s with n = ps allow answering positively to the
second question.
Proposition 6. Let n, p and s be three integers such that p ≥ 1, s ≥ 2 and n = ps.
Then every function f in Cn,p,s has all its derivatives of algebraic degree deg(f ) − 1.
Proof. For every non zero element u = (u1 , . . . , un ), the derivative f (x + u) + f (x)
of f in the direction of u equals
p
X X  Y 
uj xk + h0 (x)
i=1 j∈V ar(mi ) k6=j
k∈V ar(mi )

where deg(h0 (x)) ≤ s − 2. The products

Y
xk for all 1 ≤ i ≤ p and j ∈ V ar(mi )
k6=j
k∈V ar(mi )

are all distinct and have the same degree s−1 (this because V ar(mi (x))∩V ar(mj (x))
= ∅ and Card(V ar(mi (x))) = Card(V ar(mj (x))) for all i 6= j). Moreover, the fact
that there is at least i0 such that ui0 6= 0 yields that the summation
p
X X Y
uj xk
i=1 j∈V ar(mi ) k6=j
k∈V ar(mi )

will never be canceled. Therefore the degree of the derivation of f in the direction
of u 6= 0 is s − 1 = deg(f ) − 1. 

3.3. Functions in Cn,p,s with n > ps allow answering positively to the

first question but not to the second question. The next proposition is
straightforward.
Proposition 7. Let p ≥ 1, s ≥ 2 and n be three integers such that n > ps. For
any Boolean function f in Cn,p,s , f does not satisfy the second question.
Proof. Let f ∈ Cn,p,s with n > ps and assume that j is an integer which does
not belong to any V ar(mi (x)), i = 1, ..., p (the sets V ar(mi (x)) form a partition
of subsets of ps < n elements of the set {1, 2, ..., n}). Consider the vector ej ∈ Fn2
whose coordinates are all null except the j − th coordinate. Then, by a simple
operation we have
Dej f (x) = f (x) + f (x + ej ) = h(x) + h(x + ej ),
which means that deg(Dej f (x)) ≤ s − 2 and we have the result. 
Advances in Mathematics of Communications Volume 11, No. 4 (2017), 837–855
 Three basic questions on Boolean functions 843

3.4. A class of functions which allows answering positively to the

second question but not to the first.
Theorem 2. Let n ≥ 3, p ≥ 1 and s ≥ 3 be integers. Assume that f is a Boolean
function on Fn2 whose ANF is given again by:
p
X
f (x) = mi (x) + h(x)
i=1

where deg(h(x)) ≤ s − 1 and (mi )i=1...p is a sequence of monomials with the same
degree s and satisfying the following conditions:
• There exists an integer l such that for all i = 1, ..., p, l ∈ V ar(mi ) and for all
i 6= j, Card(V ar(mi (x)) ∩ V ar(mj (x))) ≤ s − 2
• ∪pi=1 V ar(mi (x)) = {1, 2, ..., n}.
Then all the derivatives of f have the same (optimal) algebraic degree deg(f ) − 1
but the restrictions of f to affine hyperplanes do not all have the same algebraic
degree deg(f ).
Proof. The algebraic degree of the restriction f|H of f , to the hyperplane H defined
by the equation
xl = 0,
is deg(f|H ) ≤ s − 1. This because all the functions mi (x) will be canceled after sub-
stituting xl in the ANF of f . Now let us show that f answers positively to the second
question. Consider a non zero vector u = (u1 , . . . , un ). Since ∪pi=1 V ar(mi (x)) =
{1, 2, ..., n}, there exits at least one integer r ∈ {1, ..., p} such that the derivative
mr (x + u) + mr (x) is not canceled (this means there exists t ∈ V ar(mr ) such that
ut = 1) and contains a sum of distinct products of same degree s−1. These products
(in Du (mr )) will never be canceled in f (x+u)+f (x). Indeed, for all j = 1, ..., p with
j 6= r, the condition Card(V ar(mr (x)) ∩ V ar(mj (x))) ≤ s − 2 implies that there
exists four integers r1 , r2 ∈ V ar(mr ) \ V ar(mj ) and j1 , j2 ∈ V ar(mj ) \ V ar(mr ).
Therefore, for every non zero element u = (u1 , . . . , un ), either mj (x + u) + mj (x) is
canceled (this happens when ut = 0 for all t ∈ V ar(mj )) or contains a sum of dis-
tinct products of same degree s − 1 and each of these products contains xj1 or xj2 as
variable. In these two cases, the products of degree s−1 in mr (x+u)+mr (x) which
contain all xr1 or xr2 as variable, will not be canceled in the sum Du mr (x)+Du mj (x)
since j1 , j2 ∈ V ar(mj ) \ V ar(mr ). Thus, mr (x + u) + mr (x) is not canceled in the
derivative f (x + u) + f (x). Thus, deg(Du f ) = s − 1 = deg(f ) − 1. 
The following example shows that this result is not true when Car(V ar(mi (x)) ≤
2.
Example 1. Consider the function f defined on F42 by f (x) = x1 x2 + x1 x3 + x1 x4 .
P4
The derivative f (x + u) + f (x) of f in the direction of u = i=1 ui ei equals:
u1 (x2 + x3 + x4 ) + (u2 + u3 + u4 )x1 + u1 u2 + u1 u3 + u1 u4
We can see that for u = e2 + e3 = (0, 1, 1, 0), the derivation f (x + u) + f (x) is null.
Remark 3. Let f be a Boolean function over Fn2 whose derivatives (in the direction
of any non zero vector) have all algebraic degree deg(f ) − 1. Then f is of the form
Xp
(1) f (x) = mi (x) + h(x),
i=1

Advances in Mathematics of Communications Volume 11, No. 4 (2017), 837–855

844 Claude Carlet and Serge Feukoua

where deg(h(x)) ≤ s − 1, deg(mi ) = s = deg(f ) for all i = 1, 2, ..., p and the mono-
mials (mi )i=1...p are pairwise distinct and satisfy the condition: ∪pi=1 V ar(mi (x)) =
{1, 2, ..., n}. Otherwise, f has null derivatives..
3.5. Characterization of functions which allow answering positively
to the second question when the number of highest degree monomi-
als is at most 3. We give in the following statements the characterization of
those Boolean functions defined in Remark 3 which answer positively to the second
question for p = 1, p = 2 and p = 3.
Pp
Theorem 3. Let f be a Boolean function over Fn2 defined by f (x) = i=1 mi (x) +
h(x), where deg(h(x)) ≤ s − 1, deg(mi ) = s = deg(f ) for all i = 1, 2, ..., p and the
monomials (mi )i=1...p are pairwise distinct and satisfy the condition ∪pi=1 V ar(mi (x))
= {1, 2, ..., n}. Then,
• If p = 1, then all derivatives Du f , u 6= 0, have the same algebraic degree,
deg(f ) − 1 if and only if V ar(m1 ) = {1, ..., n}.
• If p = 2 and n ≥ 4, then all derivatives Du f , u 6= 0, have the same algebraic
degree, deg(f ) − 1 if and only if Card(V ar(m1 (x)) ∩ V ar(m2 (x))) ≤ s − 2.
Proof.
• If p = 1, the necessary condition is given by Remark 3. Conversely, assume
that f (x) = x1 x2 ...xn + h(x) with deg(h(x)) ≤ n − 1. Then, for all u =
(u1 , . . . , un ),
n
X Y
f (x + u) + f (x) = ui xj + h0 (x),
i=1 j6=i
0
Q
with deg(h ) ≤ n − 2 and the products j6=i xj for i = 1, ..., n are all distinct
and have all the same degree n − 1. Thus, if u is not null, these products will
never be canceled.
• If p = 2, we first observe that for m1 6= m2 we have Card(V ar(m1 (x)) ∩
V ar(m2 (x))) ≤ s − 1.
If Card(V ar(m1 (x))∩V ar(m2 (x))) = s−1, then m1 (x) = xk m(x), m2 (x) =
xl m(x) with k, l 6∈ V ar(m(x)), k 6= l. Consider the vector u such that
uk = ul = 1 and for i 6= k, l, ui = 0. We obtain by a simple operation,
m1 (x + u) + m2 (x + u) = (xk + uk )m(x) + (xl + ul )m(x).
Thus,
m1 (x + u) + m2 (x + u) = xk m(x) + xl m(x) = m1 (x) + m2 (x).
Therefore, the equality Card(V ar(m1 (x)) ∩ V ar(m2 (x))) = s − 1 implies that
f does not answer positively to the second question, and we have the necessary
condition.
If Card(V ar(m1 (x)) ∩ V ar(m2 (x))) ≤ s − 2 then, m1 (x) = xk1 xk2 m(x),
m2 (x) = xl1 xl2 n(x) where k1 , k2 6∈ V ar(m(x)), l1 , l2 ∈ V ar(m2 (x)) \
V ar(m1 (x)) and where the monomials m(x), n(x) have the same degree s − 2
(note that in this case, n ≥ 4). For all non zero vector u = (u1 , . . . , un ),
either m1 (x + u) + m1 (x) is canceled (this happens when ui = 0 for all
i ∈ V ar(m1 )), or contains a sum of distinct products of same degree s − 1
and each of these products contains xk1 or xk2 . Idem for m2 (x + u) + m2 (x)
and l1 , l2 . Thus, the fact that ∪2i=1 V ar(mi (x)) = {1, 2, ..., n} means that for
all non zero vector u = (u1 , . . . , un ), the monomials of degree s − 1 of the
Advances in Mathematics of Communications Volume 11, No. 4 (2017), 837–855
 Three basic questions on Boolean functions 845

functions m1 (x + u) + m1 (x) and m2 (x + u) + m2 (x) will never be canceled

simultaneously. Therefore, the sum:
m1 (x + u) + m1 (x) + m2 (x + u) + m2 (x)
always contains, either a sum of distinct products of same degree s − 1 each
of them containing xk1 or xk2 , or a sum of distinct products of same degree
s − 1 each of them containing xl1 or xl2 . This means that
Xn
m1 (x + u) + m2 (x + u) + m1 (x) + m2 (x) = ui qi (x) + r(x)
i=1
where deg(r) ≤ s − 2, the monomials qi are all distinct of same degree s − 1
and verify
n
X
ui qi (x) 6= 0.
i=1
Then f answers positively to the second question.

For the case p = 3, we have the following lemma:
Lemma 1. Let f be a Boolean function of the form given by (1), with p = 3. If
for all i, j ∈ {1, 2, 3} with i 6= j, Card(V ar(mi (x)) ∩ V ar(mj (x))) ≤ s − 2, then all
derivatives Du f , u 6= 0, have algebraic degree deg(f ) − 1 (i.e. f answers positively
to the second question).
Proof. As seen in the proof of Theorem 3, for all non zero vector u ∈ Fn2 , the sum
Du (m1 )(x) + Du m2 (x) + Du m3 (x) always contains a sum of distinct monomials of
degree s − 1. 
To cover all cases with p = 3, we need now to study the case where there are two
distinct integers i1 , i2 ∈ {1, 2, 3} such that Card(V ar(mi1 (x)) ∩ V ar(mi2 (x))) =
s − 1. Then we can find two distinct integers t1 , t2 ∈ {1, 2, ..., n} such that mi1 (x) =
xt1 m(x), mi2 (x) = xt2 m(x) (with {t1 , t2 }∩var(m) = ∅) and if we denote by mi3 the
third monomial, either {t1 , t2 } ∩ V ar(mi3 (x)) = ∅ and f does not answer positively
to the second question since deg(Du f ) ≤ s−2 with u = (u1 , ..., un ) such that ut = 1
if and only if t = t1 or t = t2 , or {t1 , t2 } ∩ V ar(mi3 (x)) 6= ∅.
Therefore we just need to study the case {t1 , t2 } ∩ V ar(mi3 (x)) 6= ∅. Without
loss of generality, assume that i1 = 1, i2 = 2, i3 = 3 and t1 ∈ V ar(m3 (x)).
Then, m1 (x) = xt1 m(x), m2 (x) = xt2 m(x), m3 (x) = xt1 m0 (x), where deg(m) =
deg(m0 ) = s − 1 and t1 6∈ V ar(m) ∪ V ar(m0 ). We have the following result:
Proposition 8. Let f be a Boolean function of the form given by (1), with p = 3
and such that Card(V ar(m1 (x)) ∩ V ar(m2 (x))) = s − 1, and let t1 6= t2 be such
that m1 (x) = xt1 m(x); m2 (x) = xt2 m(x); m3 (x) = xt1 m0 (x) and t1 6∈ V ar(m) ∪
V ar(m0 ), t2 6∈ V ar(m). Then all derivatives Du f , u 6= 0, have algebraic degree
deg(f ) − 1 if and only if there exists t0 in V ar(m0 ) \ V ar(m2 ).
Proof. Let us show that the condition is necessary. Then, assume that V ar(m0 ) ⊆
V ar(m2 ). Since m0 (x) 6= m(x) (if not, m3 = m1 and this is not possible), then there
exists t ∈ V ar(m0 ) \ V ar(m) and the fact that this t belongs to V ar(m2 ) (because
we assumed V ar(m0 ) ⊆ V ar(m2 )) means that t = t2 . Thus, m0 (x) = xt2 n(x) with
V ar(n(x)) ⊆ V ar(m) and deg(n(x)) = s − 2. There exists then t3 ∈ V ar(m) such
that m1 (x) = xt1 xt3 n(x) , m2 (x) = xt2 xt3 n(x) (with {t1 , t2 , t3 } ∩ V ar(n(x)) = ∅)
and m3 (x) = xt1 xt2 n(x). We can easily verify that Du f (x) = n(x) + Du h(x) where
Advances in Mathematics of Communications Volume 11, No. 4 (2017), 837–855
846 Claude Carlet and Serge Feukoua

the vector u = (u1 , ..., un ) ∈ Fn2 is such that ut = 1 if and only if t ∈ {t1 , t2 , t3 }.
Since deg(n(x)) = s − 2 and deg(Du h(x)) ≤ s − 2, the condition is necessary.
Conversely, assume that there exists t0 ∈ V ar(m0 ) \ V ar(m2 ). Then there exists
a monomial n0 (x) such that m3 (x) = xt1 xt0 n0 (x) with {t1 , t0 } ∩ V ar(n0 (x)) = ∅
and deg(n0 (x)) = s − 2. Let t3 ∈ V ar(m) such that m1 (x) = xt1 xt3 n(x), m2 (x) =
xt2 xt3 n(x) with {t1 , t2 , t3 , t0 }∩V ar(n(x)) = ∅ and deg(n(x)) = s−2. Thus for every
vector u = (u1 , ..., un ) ∈ Fn2 , Du f (x) = (ut1 +uP t2 )xt3 n(x)+ut3Qxt1 n(x)+ut3 xt2 n(x)+
ut1 xt0 n0 (x) + ut0 xt1 n0 (x) + (xt1 xt3 + xt2 xt3 )( i∈V ar(n(x)) ui j6=i;j∈V ar(n(x)) xj ) +
xt1 xt0 ( i∈V ar(n0 (x)) ui j6=i;j∈V ar(n0 (x)) xj ) + h0 (x), where deg(h0 ) ≤ s − 2. There-
P Q

fore, Du f (x) + h0 (x) is a sum of monomialsPof same degree Q s − 1 and in this sum, we
can observe that the polynomials xt1 xt0 ( i∈V ar(n0 (x)) ui j6=i;j∈V ar(n0 (x)) xj ) and
P Q
xt2 xt3 ( i∈V ar(n(x)) ui j6=i;j∈V ar(n(x)) xj ) will be canceled if and only if ut = 0
for all t ∈ V ar(n(x)) ∪ V ar(n0 (x)) (because the monomials in these polynomi-
als are pairwise distinct and each of them is different from any other monomial
in Du f (x) + h0 (x)). Thus, if Du f (x) + h0 (x) = 0 then, ut = 0 for all t ∈
V ar(n(x)) ∪ V ar(n0 (x)) and Du f (x) + h0 (x) = (ut1 + ut2 )xt3 n(x) + ut3 xt1 n(x) +
ut3 xt2 n(x) + ut1 xt0 n0 (x) + ut0 xt1 n0 (x) = 0. We have then two cases to considerer if
Du f (x) + h0 (x) = 0:
• The case n(x) 6= n0 (x), which yields the system (note that in this case, the
monomials of this last sum are pairwise distinct):

ut1 + ut2 = 0
,
ut1 = ut3 = ut0 = 0
that is, ut = 0 for all t ∈ {t1 , t2 , t3 , t0 }.
• The case n0 (x) = n(x) where the equality Du f (x) + h0 (x) = 0 becomes
Du f (x) + h0 (x) = (ut1 + ut2 )xt3 n(x) + (ut3 + ut0 )xt1 n(x) + ut3 xt2 n(x) +
ut1 xt0 n(x) = 0 which yields the system:

 ut1 + ut2 = 0
ut + ut3 = 0 ,
 0
ut1 = ut3 = 0
that is, ut = 0 for all t ∈ {t1 , t2 , t3 , t0 }.
Therefore, Du f (x) + h0 (x) = 0 if and only if u = 0 and the result follows. 
3
Corollary 1. Let f be a Boolean function defined over Fn2 by f (x) = i=1 mi (x) +
P
3
h(x), such that for all i = 1, 2, 3, deg(mi (x)) = s ≥ 2, ∪i=1 V ar(mi (x)) = {1, 2, ..., n}
and deg(h(x)) ≤ s − 1. Then f answers positively to the second question if and only
if one of the two following conditions is satisfied:
• For all i, j ∈ {1, 2, 3}, i 6= j, Card(V ar(mi (x)) ∩ V ar(mj (x))) ≤ s − 2.
• There exists three distinct integers i1 , i2 , i3 ∈ {1, 2, 3}, and two distinct in-
tegers t1 , t2 ∈ {1, 2, ..., n} such that mi1 (x) = xt1 m(x), mi2 (x) = xt2 m(x),
mi3 = xtj m0 (x) with j ∈ {1, 2} and V ar(m0 ) 6⊆ var(mij (x)).
Proof. We use Lemma 1 and Proposition 8. But here, there are two cases when
we use Proposition 8: The case mi3 (x) = xt1 m0 (x) and the case mi3 (x) = xt2 m0 (x)
which yield the same result. 
Example 2. The functions f (x) = x1 x2 x3 x4 + x1 x2 x5 x6 + x1 x2 x7 x8 and g(x) =
x1 x2 x3 x4 + x1 x2 x3 x5 + x4 x5 x7 x8 defined over F82 , satisfy (respectively) the first
and the second condition of Corollary1. Then they answer positively to the second
question.
Advances in Mathematics of Communications Volume 11, No. 4 (2017), 837–855
 Three basic questions on Boolean functions 847

Pp
Corollary 2. Let f be a Boolean function defined over Fn2 by f (x) = i=1 mi (x) +
h(x) (p ≥ 2), such that for all i = 1, ..., p, deg(mi (x)) = s ≥ 2, ∪pi=1 V ar(mi (x)) =
{1, 2, ..., n} and deg(h(x)) ≤ s − 1. If for all i, j ∈ {1, 2, ..., p}, i 6= j, Card(V ar
(mi (x)) ∩ V ar(mj (x))) ≤ s − 2, then f answers positively to the second question.
Proof. By using the same idea of P
Theorem2 and Theorem 3, it is easy to check that
p
for all non zero vector u ∈ Fn2 , i=1 Du mi (x) always contains a sum of distinct
monomials of degree s − 1. 

4. Second-order-bent Boolean functions

Let us recall from introduction the definition of second-order-bent Boolean func-
tions:
Definition 8. An n-variable Boolean function f is said to be second-order-bent
if for any pair of distinct and nonzero vectors a and b over Fn2 , the second-order
derivative Da Db f (x) = f (x) + f (x + a) + f (x + b) + f (x + a + b) is balanced.
A first straightforward observation is that the algebraic degree of such function
is at least 3. Let us study the simple class of cubic functions f : F32n/3 → F2 ,
where n is divisible by 3, defined as follows: for every vector (x, y, z) ∈ F32n/3 ,
f (x, y, z) = tr(xyz), where tr is the trace function from F2n/3 to F2 . We have then
D(a,b,c) f (x, y, z) = tr(ayz + bxz + cxy) + A(x) where A is an affine function and
D(a,b,c) D(a0 ,b0 ,c0 ) f (x, y, z) = tr((bc0 + b0 c)x + (ac0 + a0 c)y + (ab0 + a0 b)z) + k where
k is a constant. Hence D(a,b,c) D(a0 ,b0 ,c0 ) f is unbalanced if and only if bc0 + b0 c =
ac0 + a0 c = ab0 + a0 b = 0 that is, if the two vectors (a, b, c) and (a0 , b0 , c0 ) are linearly
dependent over F32n/3 . This means f is second-order-bent if and only if n = 3.
Note that the second-order-bent Boolean functions over F32 are exactly the cubic
functions over F32 (of the form x1 x2 x3 + q(x) where deg(q) ≤ 2). Hence, we know
an example of second-order-bent function, but only in 3 variables, and the question
of the existence of such n-variable function for n > 3 arises.
In the following proposition, we relate second-order-bent Boolean functions to
the well-studied bent functions. Recall that:
• For all a 6= 0 and for all hyperplane Ha of Fn2 such that a 6∈ Ha , {Ha , (a+Ha )}
(where a + Ha = {a + x | x ∈ Ha }) forms a partition of Fn2 ,
• For all Boolean function f and all x ∈ Fn2 , Da f (x) = Da f (x + a)
Proposition 9. An n-variable Boolean function f is second-order-bent if and only
if, for all non-zero vector a ∈ Fn2 , the restriction of the derivative Da f to any
hyperplane Ha (resp. to some hyperplane Ha ) which does not contain a is bent.
We shall see in Remark 6 that this is equivalent to the fact that Da f is semi-bent
for every a 6= 0.
Proof. For every nonzero a ∈ Fn2 , let Ha be any linear hyperplane of Fn2 which does
not contain a. The derivative Da f is entirely defined by its restriction to Ha and
by the relation Da f (x + a) = Da f (x). For all b ∈ Fn2 and µ ∈ {0, 1}, we have then:
Card ({x ∈ Fn2 | Db Da f (x) = µ}) = 2 Card({x ∈ Ha | Db Da f (x) = µ}).
Moreover, for all a, b, x ∈ Fn2 , we have Db Da f (x) = Db+a Da f (x). Therefore, for
all µ ∈ {0, 1}, the equality Card({x ∈ Fn2 | Db Da f (x) = µ}) = 2n−1 holds for all
F2 -linearly independent a, b if and only if the equality Card({x ∈ Ha | Db Da f (x) =
µ}) = 2n−2 holds for all F2 -linearly independent a ∈ Fn2 , b ∈ Ha . The restriction
Advances in Mathematics of Communications Volume 11, No. 4 (2017), 837–855
848 Claude Carlet and Serge Feukoua

of Da f to Ha , that we denote by ha , being bent if and only if Db (ha ) is balanced

over Ha for all non zero vector b ∈ Ha , we deduce that f is second-order-bent if
and only if, for every non-zero a ∈ Fn2 , Da f is bent over Ha . 
Remark 4. Given a ∈ Fn2 non-zero, if Da f is bent over a hyperplane Ha such that
a 6∈ Ha , then Da f is bent over any other hyperplane having the same property.
Remark 5. We know from the results of Rodier [10] that the density of the class
of semi-bent functions among Boolean functions tends to 0 when n tends to infin-
ity. Hence, the density of the class of second-order bent functions among Boolean
functions tends to 0 as well.
Propositions 4 and 9 directly imply the following first restriction on n and upper
bound on the algebraic degree:
Corollary 3. If f is a second-order-bent n-variable Boolean function, then n is odd
and f has algebraic degree at most n+1
2 .

Proof. If f is second-order-bent over Fn2 , then Da f being bent over Ha which has
dimension n − 1, we have that n − 1 is even and deg(Da f ) ≤ n−1 2 for every a 6= 0.
This implies that n is odd and f has algebraic degree at most n+1 2 . 
We shall see in Proposition 10 that in fact we must have n ≡ 3 [mod 4] but the
proof of this property will need additional results.
According to Proposition 2 and to Proposition 9, we have then:
Corollary 4. If a Boolean function over Fn2 is second-order-bent, then for all a 6= 0
n−1
wH (Da f ) equals 2n−1 ± 2 2 . The converse is true if f is cubic.
The characterization of bent functions by the Walsh transform together with
Proposition 9 also implies:
Corollary 5. An n-variable Boolean function with n ≥ 3 is second-order-bent if
and only if for all non zero vector a ∈ Fn2 and for all vector b ∈ Fn2 such that b·a = 0,
n+1
we have WDa f (b) = ±2 2 .
Proof. Given a 6= 0 and an inner product “ · ” in Fn2 , the restriction of this inner
product to a given linear hyperplane Ha such that a 6∈ Ha is not necessarily an
inner product in Ha , since some nonzero element u of Ha can be orthogonal to Ha .
But, since in Proposition 9 we can choose Ha , we can avoid such situation by taking
Ha = {x ∈ Fn2 ; u · x = 0} where u · u = 1 (so that u, which is orthogonal to Ha , does
not belong to Ha ) and u · a = 1 (so that a 6∈ Ha ). We can then assume without
loss of generality that the restriction of “ · ” to Ha is an inner product in Ha . The
restriction Da f|Ha of Da f to Ha is then bent if and only if, for all b ∈ Ha , we have
n−1
Da f (x)+b·x
P
x∈Ha (−1) = ±2 2 . The equality
X X X
(−1)Da f (x)+b·x = (−1)Da f (x)+b·x + (−1)Da f (x)+b·x
x∈Fn
2 x∈Ha x∈a+Ha
X
b·a Da f (x)+b·x
= (1 + (−1) ) (−1)
x∈Ha
implies that:
• If b · a 6= 0, then x∈Fn2 (−1)Da f (x)+b·x = 0,
P

• If b · a = 0, then x∈Fn2 (−1)Da f (x)+b·x = 2 x∈Ha (−1)Da f (x)+b·x

P P

and the result follows, by application of Proposition 9. 

Advances in Mathematics of Communications Volume 11, No. 4 (2017), 837–855
 Three basic questions on Boolean functions 849

Remark 6. According to Corollary 5 and to its proof, f is second-order-bent if

and only if Da f is semi-bent for all a 6= 0. Indeed, P the condition is necessary
and conversely, we have seen that if b · a 6= 0, then x∈Fn2 (−1)Da f (x)+b·x = 0 and
2
(b) = 22n , if Da f is semi-bent then
P
according to the Parseval relation b∈Fn WD af
2
n−1
Da f (x)+b·x
P
x∈Ha (−1) = ±2 2 for every b such that b · a = 0.
Remark 7. From the characterization of plateaued functions in [2, 5], a Boolean
function g is plateaued of amplitude λ if and only if for all x ∈ Fn2 we have:
X
(−1)Da Db g(x) = λ2 .
a,b∈Fn
2
n+1
Then, since semi-bent functions are those plateaued functions of amplitude 2 2 ,
according to Corollary 5, a Boolean function f is second-order-bent if and only if
for all a, x ∈ Fn2 with a 6= 0 we have:
X
(−1)Da Db Dc f (x) = 2n+1 .
b,c∈Fn
2

n+1
Now we can prove that second-order-bent functions do not exist when 2 is
odd.
Proposition 10. Let f be a second-order-bent Boolean function over Fn2 . Then,
n+1 n+5
n ≡ 3 [mod 4] and x∈Fn (−1)f (x) ≡ 2 4 [mod 2 4 ].
P
2

Proof. According to Corollary 5, there exists a Boolean function g such that

n+1
(−1)Da f (x) = 2 2 (−1)g(a) . Since we have
P
for all a 6= 0, WDa f (0) = x∈Fn
2
(−1)D0 f (x) = 2n , we deduce by summing these equalities, that:
P
x∈Fn
2
 2
X n+1 X
(2)  (−1)f (x)  = 2n + 2 2 (−1)g(a) .
x∈Fn
2 a6=0

There exists an integer j ≥ 1 and an integer λ such that x∈Fn (−1)f (x) = 2j +
P
P 22
j+1 f (x)
2 λ; there exists then an integer µ such that x∈Fn (−1) = 22j + 22j+2 µ.
2

Since a6=0 (−1)g(a) is odd, we have that n+1

P
2 = 2j. This completes the proof. 
n+1 n+5
P 2
f (x)
(−1)f (x)
P
Remark 8. Note that x∈Fn (−1) ≡2 4 [mod 2 4 ], that is, x∈Fn
2 2
n+1 n+5
[mod 2 2 ] and (2) imply a6=0 (−1)g(a) ≡ 1 [mod 4] for n ≥ 5. It seems
P
≡2 2

then natural if we wish P to see g as a function over the whole space Fn2 to take
g(0) = 1: we have then a∈Fn (−1)g(a) ≡ 0 [mod 4] and function g has algebraic
2
degree less than n (since its Hamming weight is even). We shall in the sequel assume
that g(0) = 1. For every u ∈ Fn2 , we have then:
X n+1 n+1
Wf2 (u) = (−1)Da f (x)+u·a = 2n + 2 2 + 2 2 Wg (u),
a,x∈Fn
2

that is,
n+1 n−1
(3) Wg (u) = 2− 2 Wf2 (u) − 2 2 − 1.
Research of second-order-bent Boolean functions over F72
Applying (3), if f is a second-order-bent function over F72 , then Wg (u) = 2−4
2
Wf (u) − 9 and since deg(f ) < 7, Wf (u) is divisible by 4 for all vector u. Thus,
Advances in Mathematics of Communications Volume 11, No. 4 (2017), 837–855
850 Claude Carlet and Serge Feukoua

Wg (u) + 9 is the square of an integer for all vector u, that is, since Wg (u) is divisible
by 4, Wg (u) ∈ {−8, 0, 16, 40, 72, 112}. Then, the idea is to try to find a function g
from its Walsh transform distribution and then a function f by (3).
We denote w1 = −8, w2 = 0, w3 = 16, w4 = 40, w5 = 72, w6 = 112, the possible
values of Wg (u) and for i = 1, 2...6, we denote by Ni the number of occurrences of
wi among the Wg (u). Firstly, we have:
6
X
(4) Ni = 2n = 128,
i=1
and by the Fourier inverse formula:
X 6
(5) Ni wi = 27 (−1)g(0) = −128,
i=1
and by the Parseval relation:
X 6
(6) Ni wi2 = 214 = 16384.
i=1
Replacing wi by its value, Relations (4), (5), (6) yield the system:

 N1 + N2 + N3 + N4 + N5 + N6 = 128
−8N1 + 16N3 + 40N4 + 72N5 + 112N6 = −128 ,
64N1 + 256N3 + 1600N4 + 5184N5 + 12544N6 = 16384


that is: 
 N1 + N2 + N3 + N4 + N5 + N6 = 128 (L1)
(7) −N1 + 2N3 + 5N4 + 9N5 + 14N6 = −16 (L2) .
N1 + 4N3 + 25N4 + 81N5 + 196N6 = 256 (L3)


The equation (L3) in (7) implies N6 ∈ {0, 1} and N5 ∈ {0, 1, 2, 3}. We have the
following cases:
• If N6 = 0 and N5 = 0, then System (7) becomes:

 N1 + N2 + N3 + N4 = 128
(8) −N1 + 2N3 + 5N4 = −16 .
N1 + 4N3 + 25N4 = 256


The solutions of System (8) are all (N1 , . . . , N4 ) such that: N1 = 96 − 5N4 ;
N2 = −8+9N4 (which implies N4 ≥ 1) and N3 = 40−5N4 (which implies N4 ≤
8). In this case, when N4 ranges over the set {1, 2, 3, 4, 5, 6, 7, 8}, the solu-
tions of System (7) are: (91, 1, 35, 1, 0, 0); (86, 10, 30, 2, 0, 0); (81, 19, 25, 3, 0, 0);
(76, 28, 20, 4, 0, 0); (71, 37, 15, 5, 0, 0); (66, 46, 10, 6, 0, 0); (61, 55, 5, 7, 0, 0) and
(56, 64, 0, 8, 0, 0).
• If N6 = 0 and N5 = 1, System (7) becomes:

 N1 + N2 + N3 + N4 = 127
−N1 + 2N3 + 5N4 = −25 .
N1 + 4N3 + 25N4 = 175


The solutions of this system are all (N1 , . . . , N4 ) such that: N1 = 75 − 5N4 ;
N2 = 27 + 9N4 and N3 = 25 − 5N4 (which implies N4 ≤ 5). When N4 ranges
over the set {0, 1, 2, 4, 5} the solutions of System (7) are: (75, 27, 25, 0, 1, 0);
(70, 36, 20, 1, 1, 0); (65, 45, 15, 2, 1, 0); (60, 54, 10, 3, 1, 0); (55, 63, 5, 4, 1, 0) and
(50, 72, 0, 5, 1, 0).
Advances in Mathematics of Communications Volume 11, No. 4 (2017), 837–855
 Three basic questions on Boolean functions 851

• If N6 = 0 and N5 = 2, System (7) becomes:


 N1 + N2 + N3 + N4 = 126
−N1 + 2N3 + 5N4 = −34 .
N1 + 4N3 + 25N4 = 94


The solutions of this system are all (N1 , . . . , N4 ) such that: N1 = 54 − 5N4 ;
N2 = 62 + 9N4 and N3 = 10 − 5N4 (which implies N4 ≤ 2). When N4 ranges
over the set {0, 1, 2} the solutions of System (7) are: (54, 62, 10, 0, 2, 0); (49, 71,
5, 1, 2, 0) and (44, 80, 0, 2, 2, 0)
• If N6 = 0 and N5 = 3, the equation (L3) in (7) implies N4 = 0 and the
resolution gives N3 < 0 which is impossible.
• N6 = 1 implies N5 = 0 (by the equation (L3) in (7)), and we have the system:

 N1 + N2 + N3 + N4 = 127
−N1 + 2N3 + 5N4 = −30 .
N1 + 4N3 + 25N4 = 60


The solutions of this system are all (N1 , . . . , N4 ) such that: N1 = 40 − 5N4 ;
N2 = 82 + 9N4 and N3 = 5 − 5N4 (which implies N4 ≤ 1). In this case, when
N4 ranges over the set {0, 1}, the solutions of System (7) are: (40, 82, 5, 0, 0, 1)
and (35, 91, 0, 1, 0, 1).
This gives the possible distributions of the Walsh transform of g. It remains now
to find a function g with one of these distributions for which there exists a second-
order-bent function f over F72 . But a computer search made by S. Picek for functions
g with such parameters has been unsuccessful.
Other results on second-order-bent Boolean functions over Fn2
Proposition 11. If f is a second-order-bent Boolean function over Fn2 of degree r
with n > 5, then
4(n−1) n+1
• If n ≡ 1 [mod r], then n−3 ≤r≤ 2
4(n−1)
• otherwise, n+1 <r ≤ n+1
2 .

Proof. If f is second-order-bent, then according to Proposition 10 and using

n−3 n+1 n−1
McEliece’s theorem, we have wH (f ) ≡ 2 4 [mod 2 4 ] ≡ 0 [mod 2b r c ]. This
n−1 n−3
relation implies that 2b r c divides 2 4 that is, b n−1 n−3
r c ≤ 4 , that is:
n−1 n−3 4(n−1)
• if n ≡ 1 [mod r], then r ≤ 4 and therefore r≥ n−3 ,
n−1 n−3 4(n−1)
• otherwise, r −1≤ 4 and then r > n+1 .
Moreover, we know that every m variable bent Boolean function with m ≥ 4 is
of algebraic degree at most m
2 . Then, according to Proposition 9, every n-variable
second-order-bent function has all its derivatives of algebraic degree at most n−1
2
when n − 1 ≥ 4; so f has algebraic degree at most n+1 2 . 
Corollary 6. For all n > 3 there is no second-order-bent Boolean functions of
degree 3 over Fn2 .

Proof. This is a direct consequence of Propositions 10 and 11, since 4(n−1)

n+1 ≥ 3 for
n ≥ 7. 
Characterizations of second-order bent functions
We know that a Boolean function f is second-order-bent if and only if, for every
a 6= 0 in Fn2 and every linear hyperplane Ha not containing a, the restriction of Da f
Advances in Mathematics of Communications Volume 11, No. 4 (2017), 837–855
852 Claude Carlet and Serge Feukoua

n−1
Da f (x)+b·x
P
to Ha is bent, that is, for every b, the sum x∈Ha (−1) equals ±2 2 .
Hence:
Lemma 2. Given any n-variable second-order-bent function f , there exists a
n−1
Boolean function ϕ over Fn2 × Fn2 such that x∈Ha (−1)Da f (x)+b·x = 2 2 (−1)ϕ(a,b)
P
for every a 6= 0 and every b, and therefore:
 n
 2 if a = b = 0

0 if a = 0, b 6= 0
X 

(9) (−1)Da f (x)+b·x = n+1

x∈Fn

 2 2 (−1)ϕ(a,b) if a 6= 0 and a · b = 0
2 

0 otherwise.
Remark 9. Since we know that bent Boolean functions are those functions with
maximum nonlinearity, we could imagine that the functions whose second-order
nonlinearity is maximal are the class of second-order-bent functions but this is not
clear. Nothing is known about those functions of maximum second-order nonlinear-
n−1
ity. Note that for a 6= 0, b = 0, Relation (9) implies that wH (Da f ) = 2n−1 ± 2 2
n−3
and then wH (f ) ≥ 2n−2 − 2 2 , which implies (since adding a linear function to f
preserves its 2nd-order bentness) the following bound on the minimum distance to
n−3
quadratic functions: nl2 (f ) ≥ 2n−2 − 2 2 . A better bound
q can be obtained thanks
n−1 1 2n
P
to an inequality from [1]: we have nl2 (f ) ≥ 2 − 2 2 − 2 a∈F n nl1 (Da f ) ≥
2
q p 3n+1
n−1 n+1
2n−1 − 21 22n − 2(2n − 1)(2n−1 − 2 2 ) = 2n−1 − 12 2 2 + 2n − 2 2 . But this
does not prove the non existence of second-order-bent functions since we know that,
asymptotically, functions with such 2nd-order nonlinearity exist (see [1]).
By taking the Fourier transform of both expressions in (9) viewed as functions
of a, we have that (9) is equivalent to the fact that for every b and u:
n+1 P

X  2n + 2 2 a∈Fn2
(−1)ϕ(a,b)+a·u if b = 0
f (x)+f (y)+b·x+(x+y)·u
(−1) = n+1 P
a6=0

x,y∈Fn
 2 2 a∈Fn
2
(−1)ϕ(a,b)+a·u if b 6= 0,
2 a6=0,a·b=0

that is:
Proposition 12. Given any n-variable second-order-bent function f , let ϕ over
n−1
Fn2 × Fn2 be such that x∈Ha (−1)Da f (x)+b·x = 2 2 (−1)ϕ(a,b) for every a 6= 0 and
P

every b. Then, defining ϕ(0, b) = 0 and ψ(a, b) = a · b and denoting by ϕ(., b) the
function a 7→ ϕ(a, b), we have:
( n+1 n+1
2n − 2 2 + 2 2 Wϕ(.,b) (u) if b = 0
Wf (b + u)Wf (u) = n+1 n−1

−2 2 + 2 2 Wϕ(.,b) (u) + Wϕ(.,b)+ψ(.,b) (u) if b 6= 0.
n+1 n−1
= 2n δ0 (b) − 2 2 + 2 2 Wϕ(.,b) (u) + Wϕ(.,b)+ψ(.,b) (u) ,


(10)
where δ0 is the Dirac (or Kronecker) symbol.
By taking the Fourier transform of left and right handsides in (10), we have:
X
Wf (b + u)Wf (u)(−1)b·v =
b∈Fn
2

X
Wf (u) Wf (b)(−1)(b+u)·v =
b∈Fn
2

Advances in Mathematics of Communications Volume 11, No. 4 (2017), 837–855

 Three basic questions on Boolean functions 853

2n Wf (u) (−1)f (v)+u·v =

3n+1 n−1
2n − 2 2 δ0 (v) + 2 2 (Wϕ (u, v) + Wϕ+ψ (u, v)) .
Since this last necessary condition is also sufficient (because Relation (10) is equiva-
lent to Relation (9) which characterizes also second-order-bent functions), we have:
Proposition 13. An n-variable Boolean function f is second-order-bent if and only
if there exists a Boolean function ϕ over Fn2 × Fn2 such that, for every u, v:
n+1 −(n+1)
(11) Wf (u) (−1)f (v)+u·v = 1 − 2 2 δ0 (v) + 2 2 (Wϕ (u, v) + Wϕ+ψ (u, v)) ,
where ψ(a, b) = a · b.
Remark 10. Note that (10) for b = 0 and the square of (11) give that, for every v ∈
n+1 n+1
 n+1 −(n+1)
2
Fn2 , 2n − 2 2 + 2 2 Wϕ(.,0) (u) = 1 − 2 2 δ0 (v) + 2 2 (Wϕ (u, v) + Wϕ+ψ (u, v)) .
 n+1 2 3(n+1) n+1
Hence, 2 2 + Wϕ (u, v) + Wϕ+ψ (u, v) is divisible by 2 2 , that is, 2 2 +
3(n+1) n+1
Wϕ (u, v) + Wϕ+ψ (u, v) is divisible by 2 4 , for every u, v. Then writing 2 2 +
3(n+1)
Wϕ (u, v) + Wϕ+ψ (u, v) = 2 4 λu,v , (11) becomes
n+1 n+1
Wf (u) (−1)f (v)+u·v = −2 2 δ0 (v) + 2 4 λu,v .
The following result gives another characterization of second-order-bent func-
tions, which uses again the Walsh Transform, but does not involve any function like
ϕ:
Proposition 14. Let f be a Boolean function over Fn2 . f is second-order-bent if
and only if for all b, c ∈ Fn2 :
2n+1

X  −2
 if b 6= 0, c 6= 0, b 6= c
Wf (u + b + c)Wf (u + b)Wf (u + c)Wf (u) = 3 · 2 − 22n+1 if b = c = 0, .
3n
n

u∈F2
23n − 22n+1 otherwise .


Proof. A function f is second-order-bent over Fn2 if and only if x∈Ha (−1)Da f (x)+x·c
P
n−1
= ±2 2 for all a 6= 0, for all c and for every hyperplane Ha (a 6∈ Ha ). This is equiv-
n−1
alent to: x∈F n (−1)Da f (x)+x·c = ±2 2 (1+(−1)c·a ) [i.e. 0 if c·a = 1 and ±2(n+1)/2
P
2
if c·a = 0] for all non zero vector
P a and for all c, which means f is second-order-bent
if and only if for all a and c, x,y∈F n (−1)Da f (x)+Da f (y)+(x+y)·c = (1−δ0 (a))[2n (1+
2
(−1)c·a )] + δ0 (a)[22n δ0 (c)] = 2n (1 + (−1)c·a ) + δ0 (a) (22n δ0 (c) − 2n (1 + (−1)c·a )),
because (1 + (−1)c·a )2 = 2(1 + (−1)c·a ). Applying the Fourier transform to the left
handside and the right handside of this equality viewed as functions of a gives that f
is second-order-bent if and only if for all b, c, x,y,a∈F n (−1)Da f (x)+Da f (y)+(x+y)·c+a·b =
P
2

2n (2n δ0 (b) + 2n δc (b)) + 22n δ0 (c) − 2n+1 .

We have:
X
(−1)Da f (x)+Da f (y)+(x+y)·c+a·b
x,y,a∈F2n
X 0 0 0
= (−1)f (x)+f (y)+f (x )+f (x+y+x )+(x+y)·c+(x+x )·b =
x,y,x0 ∈F2n

Advances in Mathematics of Communications Volume 11, No. 4 (2017), 837–855

854 Claude Carlet and Serge Feukoua

X 0 0 0 0 0
2−n (−1)f (x)+f (y)+f (x )+f (y )+u·(x+y+x +y )+(x+y)·c+(x+x )·b =
x,y,x0 ,y 0 ,u∈F2n
X
2−n Wf (u + c + b)Wf (u + c)Wf (u + b)Wf (u).
u∈F2n
Hence, f is second-order-bent if and only if:
X
2−n Wf (u + c + b)Wf (u + c)Wf (u + b)Wf (u)
u∈F2n

= 2n (2n δ0 (b) + 2n δc (b)) + 22n δ0 (c) − 2n+1 ,

and the result follows. 

5. Further research and open problems

We leave open the characterizations of those Boolean functions whose algebraic
degree does not diminish when restricting them to affine hyperplanes, and of those
whose derivatives all have an algebraic degree equal to the algebraic degree of the
function minus 1. We started to characterize the latter ones, but in a restricted
framework: when the number of their highest degree terms in their ANF is at most
3, which is very small since the average number of highest degree monomials for all
(n)
n-variable Boolean functions of algebraic degree k equals 2k . We leave also open
the problem of determining whether there exist second-order-bent functions over
Fn2 for n > 3. It is difficult to guess whether they can exist. If they did, they would
be very nice combinatorial objects. We gave several restrictions on their number
of variables and on their properties, and we gave characterizations, but no proof of
inexistence arose and no construction either.

Acknowledgments
We thank Stjepan Picek who made a search of 7−variable second- order-bent
functions using evolutionary method which did not give positive result.

References
[1] C. Carlet, Recursive lower bounds on the nonlinearity profile of Boolean Functions and their
applications, IEEE Transactions on information Theory, 54 (2008), 1262–1272.
[2] C. Carlet, Boolean and vectorial plateaued functions, and APN functions, IEEE Transactions
on Informations Theory, 61 (2015), 6272–6289.
[3] C. Carlet, Boolean functions for cryptography and error correcting codes, Chapter of the
Monography Boolean Models and Methods in Mathematics, Computer Science, and Engineer-
ing, Y. Crama and P. Hammer eds, Cambridge University Press, (2010), 257–397, Preliminary
version available at http://www.math.univ-paris13.fr/~carlet/chap-fcts-Bool-corr.pdf
[4] C. Carlet and S. Mesnager, Four decades of research on bent functions, Designs, Codes and
Cryptography, 78 (2016), 5–50.
[5] C. Carlet and E. Prouff, On plateaued Boolean functions and theirs constructions, Proceeding
of Fast Software Encryption 2003, Lecture Notes in Computer Science, 2887 (2003), 54–73.
[6] X. Hou and P. Langevin, H-codes and Derivations, Research note, Université de Toulon,
France, 2005.
[7] P. Langevin and P. Solé, Kernels and defaults, Finite Fields and Applications, Contemporary
Mathematics, 225 (1999), 77–85.
[8] R. J. McEliece, Weight congruence for p−ary cyclic codes, Discrete Mathematics, 3 (1972),
177–192.
[9] S. Mesnager, Bent Functions: Fundamentals and Results, Springer Verlag, 2016,
Version available at http://www.math.univ-paris13.fr/~mesnager/Publications/
Contents-Book-bent-Mesnager---copie---copie.pdf

Advances in Mathematics of Communications Volume 11, No. 4 (2017), 837–855

 Three basic questions on Boolean functions 855

[10] F. Rodier, Asymptotic nonlinearity of Boolean functions, Designs, Codes and Cryptography,
40 (2006), 59–70.
[11] O. S. Rothaus, On “bent” functions, J. Comb. Theory, 20 (1976), 300–305.
[12] A. Salagean and M. Mandache-Salagean, Counting and characterizing functions with “fast
points” for differential attacks, Cryptography and Communications, 9 (2017), 217–239.

Received for publication April 2017.

E-mail address: [email protected]
E-mail address: [email protected]

Advances in Mathematics of Communications Volume 11, No. 4 (2017), 837–855