Carlet C. - Boolean Functions For Cryptography and Error Correcting Codes

This document discusses Boolean functions and their applications in cryptography and error correcting codes. It begins with introductions to Boolean functions and their representations. It then discusses applications of Boolean functions to cryptography, including cryptographic criteria for Boolean functions like nonlinearity and resiliency. It also discusses applications to error correcting codes like Reed-Muller codes. The document focuses on specific classes of Boolean functions like bent functions, quadratic functions, and resilient functions that are important in cryptography and coding. It examines properties, constructions, and analyses of these Boolean functions.


Boolean Functions for Cryptography and Error Correcting Codes

Claude Carlet∗

October 10, 2006

To appear soon as a chapter of the volume "Boolean Methods and Models", published by Cambridge University Press, Eds Yves Crama and Peter Hammer

∗ University of Paris 8; also with INRIA, Projet CODES (address: BP 105 - 78153, Le Chesnay Cedex, FRANCE); e-mail: [email protected].
Contents

1 Introduction 4

2 Generalities on Boolean functions 7
2.1 Representation of Boolean functions 7
2.2 The discrete Fourier transform on pseudo-Boolean and on Boolean functions 17
2.2.1 Fourier transform and NNF 27
2.2.2 Fourier transform and graph theory 28

3 Boolean functions and coding 29
3.1 Reed-Muller codes 30

4 Boolean functions and cryptography 35
4.1 Cryptographic criteria for Boolean functions 40

5 Quadratic functions and other functions whose weights, Walsh spectra or nonlinearities can be analyzed 56
5.1 Quadratic functions 56
5.2 Indicators of flats 58
5.3 Other functions whose nonlinearities can be better approximated than for general functions 59
5.3.1 Maiorana-McFarland's functions and their generalizations 59
5.3.2 Normal functions 59
5.3.3 Partial covering sequences 60
5.3.4 Functions with low univariate degree 63

6 Bent functions 63
6.1 The dual 65
6.2 Bent functions of low algebraic degrees 67
6.3 Bound on algebraic degree 68
6.4 Constructions 69
6.4.1 Primary constructions 69
6.4.2 Secondary constructions 73
6.4.3 Decompositions of bent functions 79
6.5 On the number of bent functions 80
6.6 Characterizations 81
6.7 Subclasses: hyper-bent functions 83
6.8 Superclasses: partially-bent functions, partial bent functions and plateaued functions 85
6.9 Normal and non-normal bent functions 89
6.10 Kerdock codes 89
6.10.1 Construction of the Kerdock code 90

7 Resilient functions 92
7.1 Bound on algebraic degree 92
7.2 Nonlinearity 93
7.3 Constructions 97
7.3.1 Primary constructions 98
7.3.2 Secondary constructions 103
7.4 On the number of resilient functions 107

8 Functions satisfying the strict avalanche and propagation criteria 109
8.1 PC(l) criterion 109
8.1.1 Characterizations 110
8.1.2 Constructions 110
8.2 PC(l) of order k and EPC(l) of order k criteria 111

9 Symmetric functions 112
9.1 Representation 112
9.2 Fourier and Walsh transforms 113
9.3 Nonlinearity 114
9.4 Resiliency 116
1 Introduction

A fundamental objective of cryptography is to enable two people to communicate over an insecure channel (a public channel such as the internet) in such a way that any other person is unable to recover their message (called the plaintext) from what is sent in its place over the channel (the ciphertext). The transformation of the plaintext into the ciphertext is called encryption, or enciphering. Encryption-decryption is the most ancient cryptographic activity (ciphers already existed four centuries B.C.) but its nature has deeply changed with the invention of computers, because the cryptanalysis (the activity of the third person, the eavesdropper, who aims at recovering the message) can now use their power.

The encryption algorithm takes as input the plaintext and an encryption key K_E, and it outputs the ciphertext. If the encryption key is secret, then we speak of conventional cryptography or of symmetric cryptography. In practice, the principle of conventional cryptography relies on the sharing of a private key between the sender of a message and its receiver. If the encryption key is public, then we speak of public key cryptography. Public key cryptography appeared in the literature in the late seventies. The decryption (or deciphering) algorithm takes as input the ciphertext and a secret¹ decryption key K_D. It outputs the plaintext.

[Figure: message → Encryption (key K_E) → public channel → Decryption (key K_D) → message]

Public key cryptography is preferable to conventional cryptography, since it allows us to secretly communicate without having shared keys in a secret way: every person who wants to receive secret messages can keep secret a decryption key and publish an encryption key; if n persons want to secretly communicate pairwise using a public key cryptosystem, they need n encryption keys and n decryption keys, whereas conventional cryptosystems will need at least $\binom{n}{2} = \frac{n(n-1)}{2}$ keys. But all known public key cryptosystems are much less efficient than conventional cryptosystems (they produce a much lower data throughput, because they need much time to encrypt long messages) and they also need much longer keys to ensure the same level of security. This is why conventional cryptography is still widely used and studied nowadays. Thanks to public key cryptosystems, the share-out of the necessary secret keys can be done without using a secure channel (the secret keys for conventional cryptosystems are strings of a few hundreds of bits only and can then be encrypted by public key cryptosystems). Protocols specially devoted to key-exchange can also be used.

¹ According to principles already stated in 1883 by A. Kerckhoffs [159], who cited a still more ancient manuscript by R. du Carlet [41], only the secret keys must be kept secret – the confidentiality should not rely on the secrecy of the encryption method.

The objective of error correcting codes is to enable digital communication over a noisy channel in such a way that the errors in the transmission of bits can be detected and localized (and therefore corrected) by the receiver. This aim is achieved by using an encoding algorithm that transforms the information before sending it over the channel. In the case of block coding, the original message is treated as a list of binary words (vectors) of the same length – say k – that are encoded into codewords of a larger length – say n. Thanks to this extension of the length, called redundancy, the decoding algorithm can correct the errors of transmission and recover the correct message. The set of all possible codewords is called the code. Sending over the channel words of length n instead of words of length k slows down the transmission of information in the ratio of k/n. This ratio, called the transmission rate, must be as high as possible, to allow fast communication.

[Figure: message → Encoding → noisy channel → Decoding → corrected message]

In both cryptographic and error correcting coding activities, Boolean functions (that is, functions from the vectorspace F_2^n of all binary vectors of length n, to the finite field with two elements F_2 – denoted by B in some chapters of the present volume) play a role:
- every code whose length equals 2^n, for some positive integer n, can be interpreted as a set of Boolean functions, since every n-variable Boolean function can be represented by its truth table (an ordering of the set of binary vectors of length n being first chosen) and thus associated with a binary word of length 2^n, and vice versa; important codes (Reed-Muller, Kerdock codes) can be defined this way as sets of Boolean functions;
- in the case of conventional cryptography, the role of Boolean functions is even more important; cryptographic transformations (pseudo-random generators in stream ciphers, S-boxes in block ciphers) are designed by appropriate composition of nonlinear Boolean functions.

In both frameworks, n is rarely large, in practice, for the reason of efficiency. The S-boxes used in most block ciphers are concatenations of sub S-boxes on at most 8 variables. In the case of stream ciphers, n was in general at most equal to 10 until recently. However, this has changed with the algebraic attacks, see [88, 89, 111] and see below. The error correcting codes derived from n-variable Boolean functions have length 2^n; so, taking n = 10 already gives codes of length 1024.
Despite the fact that Boolean functions are currently used in cryptography and coding with low numbers of variables, determining and studying those Boolean functions satisfying some desired conditions (see Subsection 4.1 below) is not feasible through an exhaustive computer investigation: the number |BF_n| = 2^{2^n} of n-variable Boolean functions is too large when n ≥ 6. We give in Table 1 below the values of this number for n ranging between 4 and 8.

n         4         5         6         7         8
|BF_n|    2^16      2^32      2^64      2^128     2^256
        ≈ 6·10^4    4·10^9    10^19     10^38     10^77

Table 1: Number of n-variable Boolean functions

Assume that visiting an n-variable Boolean function, and determining whether it has the desired properties, needs one nanosecond (10^−9 seconds); then it would need millions of hours to visit all functions on 6 variables, and about one hundred billion times the age of the universe to visit all those on 7 variables. The number of 8-variable Boolean functions approximately equals the number of atoms in the whole universe! We see that trying to find functions satisfying the desired conditions by picking up functions at random is also impossible for these values of n, since visiting a non-negligible part of all Boolean functions on 6 or more variables is not feasible. The study of Boolean functions for constructing or studying codes or ciphers is essentially mathematical. But clever computer investigation is very useful to imagine or to test conjectures, and sometimes to generate interesting functions.
2 Generalities on Boolean functions

In this chapter and in the chapter "Vectorial Boolean Functions for Cryptography", the set {0, 1} will be most often endowed with the structure of field (and denoted by F_2), and the set F_2^n of all binary vectors (coders say words) of length n will be viewed as an F_2-vectorspace. We shall denote simply by 0 the null vector in F_2^n. The vectorspace F_2^n will sometimes be also endowed with the structure of field – the field F_{2^n} (also denoted by GF(2^n)); indeed, this field being an n-dimensional vectorspace over F_2, each of its elements can be identified with a binary vector of length n. The set of all Boolean functions f : F_2^n → F_2 will be denoted as usual by BF_n. The Hamming weight w_H(x) of a binary vector x ∈ F_2^n being the number of its nonzero coordinates (i.e. the size of {i ∈ N / x_i ≠ 0}, where N denotes the set {1, ..., n}, called the support of the codeword), the Hamming weight w_H(f) of a Boolean function f on F_2^n is also the size of its support {x ∈ F_2^n / f(x) ≠ 0}. The Hamming distance d_H(f, g) between two functions f and g is the size of the set {x ∈ F_2^n / f(x) ≠ g(x)}, that is, the support of the function f ⊕ g. Thus it equals w_H(f ⊕ g).

Note. Some additions of bits will be considered in Z and denoted then by +, and some will be computed modulo 2 and denoted by ⊕. All the multiple sums computed in characteristic 0 will be denoted by ∑_i and all the sums computed modulo 2 will be denoted by ⊕_i. For simplicity and because there will be no ambiguity, we shall denote by + the addition of vectors (words) of F_2^n or of elements of F_{2^n}.

2.1 Representation of Boolean functions

Among the classical representations of Boolean functions, the one which is most usually used in cryptography and coding is the n-variable polynomial representation over F_2, of the form

$$f(x) = \bigoplus_{I \in \mathcal{P}(N)} a_I \left( \prod_{i \in I} x_i \right) = \bigoplus_{I \in \mathcal{P}(N)} a_I\, x^I, \qquad (1)$$

where P(N) denotes the power set of N = {1, ..., n}. Every coordinate x_i appears in this polynomial with exponent at most 1, because every bit in F_2 equals its own square. This representation belongs to F_2[x_1, ..., x_n]/(x_1^2 ⊕ x_1, ..., x_n^2 ⊕ x_n). It is called the Algebraic Normal Form (in brief the ANF).

Example: let us consider the function f whose truth-table is

x_1 x_2 x_3 | f(x)
 0   0   0  |  0
 0   0   1  |  1
 0   1   0  |  0
 0   1   1  |  0
 1   0   0  |  0
 1   0   1  |  1
 1   1   0  |  0
 1   1   1  |  1

It is the sum (modulo 2 or not, no matter) of the atomic functions f_1, f_2 and f_3 whose truth-tables are

x_1 x_2 x_3 | f_1(x) f_2(x) f_3(x)
 0   0   0  |   0      0      0
 0   0   1  |   1      0      0
 0   1   0  |   0      0      0
 0   1   1  |   0      0      0
 1   0   0  |   0      0      0
 1   0   1  |   0      1      0
 1   1   0  |   0      0      0
 1   1   1  |   0      0      1

The function f_1(x) takes value 1 if and only if 1 ⊕ x_1 = 1, 1 ⊕ x_2 = 1 and x_3 = 1, that is if and only if (1 ⊕ x_1)(1 ⊕ x_2) x_3 = 1. Thus the ANF of f_1 can be obtained by expanding the product (1 ⊕ x_1)(1 ⊕ x_2) x_3. After similar observations on f_2 and f_3, we see that the ANF of f equals (1 ⊕ x_1)(1 ⊕ x_2) x_3 ⊕ x_1 (1 ⊕ x_2) x_3 ⊕ x_1 x_2 x_3 = x_1 x_2 x_3 ⊕ x_2 x_3 ⊕ x_3. □

Another possible representation of this same ANF uses an indexation by means of vectors of F_2^n instead of subsets of N; if, for any such vector u, we denote by a_u what is denoted by a_{supp(u)} in Relation (1) (where supp(u) denotes the support of u), we have the equivalent representation:

$$f(x) = \bigoplus_{u \in \mathbb{F}_2^n} a_u \left( \prod_{j=1}^{n} x_j^{u_j} \right).$$

The monomial $\prod_{j=1}^{n} x_j^{u_j}$ is often denoted by x^u.

Existence and uniqueness of the ANF. By applying the Lagrange interpolation method described in the example above, it is a simple matter to show the existence of the ANF of every Boolean function. This implies that the mapping, from every polynomial P ∈ F_2[x_1, ..., x_n]/(x_1^2 ⊕ x_1, ..., x_n^2 ⊕ x_n) to the corresponding function x ∈ F_2^n ↦ P(x), is onto BF_n. Since the size of BF_n equals the size of F_2[x_1, ..., x_n]/(x_1^2 ⊕ x_1, ..., x_n^2 ⊕ x_n), this correspondence is one to one². But more can be said.

Relationship between a Boolean function and its ANF. The product x^I = ∏_{i∈I} x_i is nonzero if and only if x_i is nonzero (i.e. equals 1) for every i ∈ I, that is, if I is included in the support of x; hence, the Boolean function f(x) = ⊕_{I∈P(N)} a_I x^I takes value

$$f(x) = \bigoplus_{I \subseteq supp(x)} a_I, \qquad (2)$$

where supp(x) denotes the support of x. If we use the notation f(x) = ⊕_{u∈F_2^n} a_u x^u, we obtain the relation f(x) = ⊕_{u ≼ x} a_u, where u ≼ x means that supp(u) ⊆ supp(x) (we say that u is covered by x). A Boolean function f° can be associated to the ANF of f: for every x ∈ F_2^n, we set f°(x) = a_{supp(x)}, that is, with the notation f(x) = ⊕_{u∈F_2^n} a_u x^u: f°(u) = a_u. Relation (2) shows that f is the image of f° by the so-called binary Möbius transform.
The converse is also true:

Proposition 1 Let f be a Boolean function on F_2^n and let ⊕_{I∈P(N)} a_I x^I be its ANF. We have:

$$\forall I \in \mathcal{P}(N), \quad a_I = \bigoplus_{x \in \mathbb{F}_2^n / \, supp(x) \subseteq I} f(x). \qquad (3)$$

Proof. Let us denote ⊕_{x∈F_2^n / supp(x)⊆I} f(x) by b_I and consider the function g(x) = ⊕_{I∈P(N)} b_I x^I. We have

$$g(x) = \bigoplus_{I \subseteq supp(x)} b_I = \bigoplus_{I \subseteq supp(x)} \left( \bigoplus_{y \in \mathbb{F}_2^n / \, supp(y) \subseteq I} f(y) \right)$$

and thus

$$g(x) = \bigoplus_{y \in \mathbb{F}_2^n} f(y) \left( \bigoplus_{I \in \mathcal{P}(N) / \, supp(y) \subseteq I \subseteq supp(x)} 1 \right).$$

The sum ⊕_{I∈P(N) / supp(y)⊆I⊆supp(x)} 1 is null if y ≠ x, since the set {I ∈ P(N) / supp(y) ⊆ I ⊆ supp(x)} contains 2^{w_H(x) − w_H(y)} elements if supp(y) ⊆ supp(x), and none otherwise. Hence, g = f and, by uniqueness of the ANF, b_I = a_I for every I. □

² Another argument is that this mapping is a linear mapping from a vectorspace over F_2 of dimension 2^n to a vectorspace of the same dimension.

Algorithm. There exists a simple divide-and-conquer butterfly algorithm to compute the ANF from the truth-table (or vice-versa). For every u = (u_1, ..., u_n) ∈ F_2^n, the coefficient a_u of x^u in the ANF of f equals

$$\bigoplus_{(x_1, \dots, x_{n-1}) \preceq (u_1, \dots, u_{n-1})} f(x_1, \dots, x_{n-1}, 0) \quad \text{if } u_n = 0, \text{ and}$$

$$\bigoplus_{(x_1, \dots, x_{n-1}) \preceq (u_1, \dots, u_{n-1})} \left[ f(x_1, \dots, x_{n-1}, 0) \oplus f(x_1, \dots, x_{n-1}, 1) \right] \quad \text{if } u_n = 1.$$

Hence if, in the truth-table of f, the binary vectors are ordered in lexicographic order, with the bit of higher weight on the right (for instance), the table of the ANF equals the concatenation of those of the (n − 1)-variable functions f(x_1, ..., x_{n−1}, 0) and f(x_1, ..., x_{n−1}, 0) ⊕ f(x_1, ..., x_{n−1}, 1). We deduce the following recursive algorithm:

1. write the truth-table of f, in which the binary vectors of length n are in lexicographic order as described above;

2. let f_0 be the restriction of f to F_2^{n−1} × {0} and f_1 the restriction of f to F_2^{n−1} × {1}; the truth-table of f_0 (resp. f_1) corresponds to the upper (resp. lower) half of the table of f; replace the values of f_1 by those of f_0 ⊕ f_1;

3. apply recursively step 2, separately to the functions now obtained in the places of f_0 and f_1.

When the algorithm ends (i.e. when it arrives to functions on one variable each), the global table gives the values of the ANF of f. The complexity of this algorithm is O(n 2^n).
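The butterfly just described, written out as an added example (this is not code from the chapter). It assumes the truth table is indexed by the integer x_1 + 2x_2 + ··· + 2^{n−1}x_n, i.e. the lexicographic order with the bit of higher weight on the right, so that the same index u labels the monomial x^u; the function of the worked example above is used as input, and the transform is applied twice to show that it is its own inverse (Relations (2) and (3)).

```python
# Added example, not code from Carlet's chapter: the butterfly (binary
# Möbius transform) between a truth table and the ANF table, and back.
# Convention of this example: the truth table is indexed by the integer
# x_1 + 2 x_2 + ... + 2^{n-1} x_n (lexicographic order, bit of higher weight
# on the right); the same index u then labels the monomial x^u.

def mobius_transform(table):
    """Return the ANF coefficient table a_u of the truth table `table`
    (length 2^n). Applied to an ANF table it returns the truth table,
    since by Relations (2) and (3) the transform is an involution."""
    a = list(table)
    n = len(a).bit_length() - 1
    if len(a) != 1 << n:
        raise ValueError("truth table length must be a power of two")
    step = 1
    for _ in range(n):
        # Step 2 of the text: in every block of 2*step entries the lower half
        # is f0 and the upper half is f1; replace f1 by f0 ⊕ f1.
        for base in range(0, len(a), 2 * step):
            for i in range(base, base + step):
                a[i + step] ^= a[i]
        step <<= 1              # step 3: recurse on the next variable
    return a                    # n passes over 2^n entries: O(n 2^n)

def monomials(anf):
    """Readable ANF: the monomials with coefficient 1 (the constant is '1')."""
    n = len(anf).bit_length() - 1
    out = []
    for u, coeff in enumerate(anf):
        if coeff:
            out.append("".join(f"x{j + 1}" for j in range(n) if (u >> j) & 1) or "1")
    return out

def algebraic_degree(table):
    """d°f = max{|I| / a_I != 0}; -1 for the null function."""
    return max((bin(u).count("1") for u, c in enumerate(mobius_transform(table)) if c),
               default=-1)

# The function of the worked example above: f = 1 exactly at (x1,x2,x3) in
# {(0,0,1), (1,0,1), (1,1,1)}, i.e. at indices 4, 5 and 7 in this convention.
EXAMPLE_TABLE = [0, 0, 0, 0, 1, 1, 0, 1]

if __name__ == "__main__":
    anf = mobius_transform(EXAMPLE_TABLE)
    print(" ⊕ ".join(monomials(anf)))          # x3 ⊕ x2x3 ⊕ x1x2x3
    print(mobius_transform(anf) == EXAMPLE_TABLE)
```

Because the inner loop touches every entry once per variable, the cost is exactly the O(n 2^n) stated in the text; the recursion of step 3 has been unrolled into the outer loop over `step`, which is the usual in-place form of the algorithm.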

The degree of the ANF is denoted by d°f and is called the algebraic degree of the function (this makes sense thanks to the existence and uniqueness of the ANF): d°f = max{|I| / a_I ≠ 0}, where |I| denotes the size of I. Some authors also call it the nonlinear order of f. According to Relation (3), d°f equals the maximum dimension of the subspaces {x ∈ F_2^n / supp(x) ⊆ I} on which f takes value 1 an odd number of times.
The algebraic degree is an affine invariant (it is invariant under the action of the general affine group): for every affine isomorphism

$$L : \begin{pmatrix} x_1 \\ x_2 \\ \vdots \\ x_n \end{pmatrix} \in \mathbb{F}_2^n \;\mapsto\; M \times \begin{pmatrix} x_1 \\ x_2 \\ \vdots \\ x_n \end{pmatrix} \oplus \begin{pmatrix} a_1 \\ a_2 \\ \vdots \\ a_n \end{pmatrix} \in \mathbb{F}_2^n$$

(where M is a nonsingular n × n matrix over F_2), we have d°(f ∘ L) = d°f. Indeed, the composition by L clearly cannot increase the algebraic degree, since the coordinates of L(x) have degree 1. Hence we have d°(f ∘ L) ≤ d°f (this inequality is more generally valid for every affine homomorphism). And applying this inequality to f ∘ L in the place of f and to L^{−1} in the place of L shows the inverse inequality.
The algebraic degree being a linear (moreover, an affine) invariant and its value, for a function f, equalling the maximum dimension of the linear subspaces {x ∈ F_2^n / supp(x) ⊆ I} on which f takes value 1 an odd number of times, it equals the maximum dimension of all the linear (resp. affine) subspaces of F_2^n on which f takes value 1 an odd number of times.

Remarks.
1. Every atomic function (i.e. every function of weight 1) has algebraic degree n, since its ANF equals (x_1 ⊕ ε_1)(x_2 ⊕ ε_2) ... (x_n ⊕ ε_n), where ε_i ∈ F_2, ∀i. Thus, a Boolean function f has algebraic degree n if and only if, in its decomposition as a sum of atomic functions (see above), the number of these atomic functions is odd, that is, if and only if w_H(f) is odd. This property will be useful at Section 3.
2. If we know that the algebraic degree of an n-variable Boolean function f is upper bounded by d < n, then the whole function can be recovered from some of its restrictions (i.e., a unique function corresponds to this partially defined Boolean function). Precisely, according to the existence and uniqueness of the ANF, the knowledge of the restriction of the Boolean function f (of algebraic degree at most d < n) to a set E implies the knowledge of the whole function if and only if the system of the equations f(x) = ⊕_{I∈P(N) / |I|≤d} a_I x^I, with indeterminates a_I ∈ F_2, and where x ranges over E (this makes |E| equations), has a unique solution³. This happens with the set E of all words of Hamming weight smaller than or equal to d, since Relation (3) gives the values of a_I, where I ∈ P(N) and |I| ≤ d. Notice that Relation (2) then permits to recover the value of f(x) for every x ∈ F_2^n, from the values taken by f at all words of Hamming weight smaller than or equal to d.
The same property holds if we replace "Boolean" by "pseudo-Boolean" (that is, real-valued) and if we consider the numerical degree (see below) instead of the algebraic degree, cf. [257]. □
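Remark 2 made concrete, as an added example that is not part of the chapter: a function known to have algebraic degree at most d < n is sampled only on the words of Hamming weight at most d, Relation (3) restricted to |I| ≤ d yields every ANF coefficient from those samples alone (each such sum ranges over words covered by I, hence of weight at most d), and Relation (2) then rebuilds f on all of F_2^n. The example also shows what happens when the degree bound is violated. Conventions assumed here: a word x and a multi-index I are both integers whose bit j stands for coordinate j+1, so supp(x) ⊆ I is the test `x & ~I == 0`.

```python
# Added example, not code from Carlet's chapter: recovering a Boolean
# function of algebraic degree <= d < n from its values on the words of
# Hamming weight <= d, via Relations (3) and (2). Conventions of this
# example: words x and multi-indices I are ints whose bit j stands for
# coordinate j+1, so supp(x) ⊆ I is the test x & ~I == 0.
import random

def weight(x):
    return bin(x).count("1")

def anf_coefficient(f, I):
    """Relation (3): a_I = ⊕_{x / supp(x) ⊆ I} f(x), by enumerating the submasks of I."""
    s, sub = 0, I
    while True:
        s ^= f(sub)
        if sub == 0:
            break
        sub = (sub - 1) & I
    return s & 1

def evaluate_anf(coeffs, x):
    """Relation (2): f(x) = ⊕_{I ⊆ supp(x)} a_I, with coeffs a dict {I: a_I}."""
    v = 0
    for I, a in coeffs.items():
        if a and (I & ~x) == 0:
            v ^= 1
    return v

def recover_low_degree_function(n, d, samples):
    """samples: {x: f(x)} for every x with w_H(x) <= d, where d°f <= d < n.
    Returns the full truth table (length 2^n) of the unique such f.
    Only a_I with |I| <= d are computed; all the others are zero by assumption."""
    coeffs = {I: anf_coefficient(lambda x: samples[x], I)
              for I in range(1 << n) if weight(I) <= d}
    return [evaluate_anf(coeffs, x) for x in range(1 << n)]

def random_low_degree_function(n, d, rng):
    """Truth table of a random function whose ANF uses only monomials of size <= d."""
    coeffs = {I: rng.randint(0, 1) for I in range(1 << n) if weight(I) <= d}
    return [evaluate_anf(coeffs, x) for x in range(1 << n)]

def recovery_round_trip(n=6, d=3, seed=1):
    """Sample a degree-<=d function on the weight-<=d words only and rebuild it.
    Returns (recovered == original, number of samples used)."""
    rng = random.Random(seed)
    table = random_low_degree_function(n, d, rng)
    samples = {x: table[x] for x in range(1 << n) if weight(x) <= d}
    return recover_low_degree_function(n, d, samples) == table, len(samples)

if __name__ == "__main__":
    ok, m = recovery_round_trip()
    print(f"recovered a 6-variable function of degree <= 3 from {m} of 64 values: {ok}")
```

The degree bound is what makes the missing values determined: feeding the worked example f = x_1 x_2 x_3 ⊕ x_2 x_3 ⊕ x_3 (which has degree 3) to the routine with d = 2 and n = 3 returns a function that agrees with f on the seven words of weight at most 2 but takes value 0 instead of 1 at (1, 1, 1), since the coefficient of x_1 x_2 x_3 is silently assumed to be 0.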

The simplest functions, from the viewpoint of the ANF, are those Boolean functions of algebraic degree at most 1, called affine functions:

f(x) = a_1 x_1 ⊕ ··· ⊕ a_n x_n ⊕ a_0.

They are the sums of linear and constant functions. Denoting by a · x the usual inner product a · x = a_1 x_1 ⊕ ··· ⊕ a_n x_n in F_2^n, the general form of an n-variable affine function is a · x ⊕ a_0 (with a ∈ F_2^n; a_0 ∈ F_2).
Affine functions play an important role in coding (they permit to define the Reed-Muller code of order 1, see Subsection 3.1) and in cryptography (the Boolean functions used as "nonlinear functions" in cryptosystems must behave as differently as possible from affine functions, see Subsection 4.1).

Trace representations. A second kind of representation plays an important role in sequence theory, and is also used for defining and studying Boolean functions. It leads to the construction of the Kerdock codes (see Subsection 6.10). Recall that, for every n, there exists a (unique up to isomorphism) field F_{2^n} (also denoted by GF(2^n)) of order 2^n (see [178]). The vectorspace F_2^n can be endowed with the structure of this field F_{2^n}. Indeed, we know that F_{2^n} has the structure of an n-dimensional F_2-vectorspace; if we choose an F_2-basis (α_1, ..., α_n) of this vectorspace, then every element x ∈ F_2^n can be identified with x_1 α_1 + ··· + x_n α_n ∈ F_{2^n}. We shall still denote by x this element of the field.
1. It is shown in the chapter "Vectorial Boolean Functions for Cryptography" (see also below) that every mapping from F_{2^n} into F_{2^n} admits a (unique) representation as a polynomial over F_{2^n} on one variable and of (univariate) degree at most 2^n − 1. Any Boolean function on F_{2^n} is a particular case of a vectorial function from F_{2^n} to itself and admits therefore such a unique representation.

³ Note that taking f null leads to determining the so-called annihilators of the indicator of E; this is the core analysis of Boolean functions from the viewpoint of algebraic attacks, see Subsection 4.1.
2. For every u, v ∈ F_{2^n} we have (u + v)^2 = u^2 + v^2 and u^{2^n} = u (i.e. u^{2^n − 1} = 1 if u ≠ 0). Consequently, the function defined on F_{2^n} by tr_n(u) = u + u^2 + u^{2^2} + ··· + u^{2^{n−1}} is F_2-linear and satisfies (tr_n(u))^2 = tr_n(u); it is therefore valued in F_2. When there will be no ambiguity, we shall write tr instead of tr_n. This function is called the trace function from F_{2^n} to its prime field F_2. The function (u, v) ↦ tr(u v) is an inner product in F_{2^n}.
Every Boolean function can be written in the form f(x) = tr(F(x)) where F is a mapping from F_{2^n} into F_{2^n} (an example of such mapping F is defined by F(x) = 0 if f(x) = 0 and F(x) = λ where tr(λ) = 1 if f(x) = 1). Thus, every Boolean function can be also represented in the form tr(∑_{i=0}^{2^n − 1} β_i x^i), where β_i ∈ F_{2^n}. Such a representation is not unique. Now, thanks to the fact that tr(u^2) = tr(u) for every u ∈ F_{2^n}, we can restrict the exponents i with nonzero coefficients β_i so that there is at most one such exponent in each cyclotomic class {i × 2^j [mod (2^n − 1)] ; j ∈ N} of 2 modulo 2^n − 1. Trace representations and the algebraic normal form are closely related. It is shown in the chapter "Vectorial Boolean Functions for Cryptography" how a representation can be obtained from the other.
3. We come back now to the representation introduced above in 1. Let us see how it can be obtained from the truth table of the function and represented in a convenient way by using the notation tr_n. Assuming that f(0) = 0 (otherwise, we can apply the method to the function f(x) ⊕ f(0)), and denoting by α a primitive element of the field F_{2^n} (that is, an element such that F_{2^n} = {0, 1, α, α^2, ..., α^{2^n − 2}}), the Mattson-Solomon polynomial of the vector (f(1), f(α), f(α^2), ..., f(α^{2^n − 2})) is the polynomial

$$A(x) = \sum_{j=1}^{2^n - 1} A_j\, x^{2^n - 1 - j}$$

with:

$$A_j = \sum_{i=0}^{2^n - 2} f(\alpha^i)\, \alpha^{ij}.$$

Note that the Mattson-Solomon transformation is a discrete Fourier transform. We have then

$$A(\alpha^i) = \sum_{j=1}^{2^n - 1} A_j\, \alpha^{-ij} = \sum_{j=1}^{2^n - 1} \sum_{k=0}^{2^n - 2} f(\alpha^k)\, \alpha^{(k-i)j} = f(\alpha^i)$$

for every i (since ∑_{j=1}^{2^n − 1} α^{(k−i)j} equals 0 if k ≠ i), and A is therefore the trace representation of f seen in 1. Note that A_{2j} = A_j^2. This allows representing A(x) in the form ∑_{k∈Γ(n)} tr_{n_k}(A_k x^k) + A_{2^n − 1} x^{2^n − 1}, where Γ(n) is the set obtained by choosing one element in each cyclotomic class of 2 modulo 2^n − 1 (the most usual choice for k is the smallest element in its cyclotomic class - called the coset leader of the class), and where n_k is the size of the cyclotomic class containing k. Note that, for every k ∈ Γ(n) and every x ∈ F_{2^n}, we have A_k ∈ F_{2^{n_k}} (since A_k^{2^{n_k}} = A_k) and x^k ∈ F_{2^{n_k}} as well.

The algebraic degree of functions written in the trace representations can be determined. For instance, let i be a positive integer. Then i [mod 2^n − 1] can be written in the form ∑_{j∈A} 2^j, where A ⊆ {0, 1, ..., n − 1}. The size of A (say r) is often called the 2-weight of i [mod 2^n − 1]. Let a ∈ F_{2^n} and f(x) = tr(a x^i). Then, as shown in [42], if f is not the null function, it has algebraic degree r. Indeed, it is a simple matter to show that f has algebraic degree at most r; to show that it has degree exactly r, we consider the r-linear function φ over the field F_{2^n} whose value at (x_1, ..., x_r) equals the sum of the images by f of all the 2^r possible linear combinations of the x_i's; φ(x_1, ..., x_r) equals the sum, for all bijective mappings σ from {1, ..., r} onto A, of tr(a ∏_{i=1}^{r} x_i^{2^{σ(i)}}); proving that f has degree r is equivalent to proving that φ is not null; and it is a simple matter to prove that, if φ is null, then f is null.
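The three items above (the trace function of item 2, the Mattson-Solomon polynomial of item 3, and the 2-weight degree formula just stated), exercised together in an added example that is not code from the chapter. It assumes n = 6 and builds F_{2^6} as F_2[X]/(X^6 + X + 1), a modulus chosen here because it is irreducible and primitive, so that α = X is a primitive element; a field element is an integer whose bit j is the coefficient of X^j, which also fixes the identification of F_{2^6} with F_2^6 used for the truth tables. The small Möbius-transform helper restates Relation (3) so that the block runs on its own.

```python
# Added example, not code from Carlet's chapter: arithmetic in F_{2^n} as
# F_2[X]/(p(X)), the trace function tr_n (item 2), the Mattson-Solomon
# polynomial (item 3), and a check that f(x) = tr(a x^i) has algebraic
# degree equal to the 2-weight of i whenever f is not the null function.
# Assumptions: n = 6, p(X) = X^6 + X + 1 (irreducible and primitive, so the
# class of X is a primitive element α); an element is an int whose bit j is
# the coefficient of X^j, which identifies F_{2^6} with F_2^6.

N = 6
MODULUS = 0b1000011          # X^6 + X + 1
ORDER = (1 << N) - 1         # 2^n - 1 = 63, the order of the multiplicative group
ALPHA = 0b10                 # the class of X

def gf_mul(a, b):
    """Carry-less product of two field elements, reduced modulo p(X)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> N:
            a ^= MODULUS
    return r

def gf_pow(a, e):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r

ALPHA_POW = [gf_pow(ALPHA, k) for k in range(ORDER)]   # α^0 .. α^{2^n-2}

def trace(u):
    """tr_n(u) = u + u^2 + u^{2^2} + ... + u^{2^{n-1}}; always 0 or 1."""
    t, p = 0, u
    for _ in range(N):
        t ^= p
        p = gf_mul(p, p)
    return t

def trace_properties_hold():
    """Item 2: tr is F_2-valued, F_2-linear, and tr(u^2) = tr(u)."""
    q = 1 << N
    return (all(trace(u) in (0, 1) for u in range(q))
            and all(trace(u ^ v) == trace(u) ^ trace(v) for u in range(q) for v in range(q))
            and all(trace(gf_mul(u, u)) == trace(u) for u in range(q)))

def algebraic_degree(table):
    """Degree of the ANF of a truth table, via the binary Möbius transform
    of Relation (3); -1 for the null function."""
    a = list(table)
    step = 1
    while step < len(a):
        for i in range(len(a)):
            if i & step:
                a[i] ^= a[i ^ step]
        step <<= 1
    return max((bin(u).count("1") for u in range(len(a)) if a[u]), default=-1)

def degree_of_trace_monomial(a, i):
    """(algebraic degree of x -> tr(a x^i), 2-weight of i), for 1 <= i <= 2^n - 2.
    The degree equals the 2-weight unless the function is null (degree -1)."""
    table = [trace(gf_mul(a, gf_pow(x, i))) for x in range(1 << N)]
    return algebraic_degree(table), bin(i % ORDER).count("1")

def mattson_solomon(f):
    """Item 3: A_j = Σ_{i=0}^{2^n-2} f(α^i) α^{ij}, j = 1..2^n-1, for a truth
    table f (indexed by field element) with f(0) = 0 and values in {0, 1}."""
    A = {}
    for j in range(1, ORDER + 1):
        s = 0
        for i in range(ORDER):
            if f[ALPHA_POW[i]]:
                s ^= ALPHA_POW[(i * j) % ORDER]
        A[j] = s
    return A

def evaluate_mattson_solomon(A, x):
    """A(x) = Σ_{j=1}^{2^n-1} A_j x^{2^n-1-j}."""
    r = 0
    for j, Aj in A.items():
        r ^= gf_mul(Aj, gf_pow(x, ORDER - j))
    return r

def mattson_solomon_interpolates(f):
    """Check A(α^i) = f(α^i) for every i, i.e. A is a polynomial representation of f."""
    A = mattson_solomon(f)
    return all(evaluate_mattson_solomon(A, ALPHA_POW[i]) == f[ALPHA_POW[i]] for i in range(ORDER))
```

The null-function caveat in the text is not academic: with i = 9 the monomial x^9 lies in the subfield F_8 (since 9 · 7 = 63), and for a = 1 the function tr_6(x^9) vanishes identically, so `degree_of_trace_monomial(1, 9)` reports degree −1 even though the 2-weight of 9 is 2; for i ∈ {1, 3, 7, 21} the degree and the 2-weight agree.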

The representation over the reals has recently proved itself to be useful for characterizing several cryptographic criteria [54, 73, 74] (see Sections 6 and 7). It represents Boolean functions, and more generally real-valued functions on F_2^n (that are called n-variable pseudo-Boolean functions) by elements of R[x_1, ..., x_n]/(x_1^2 − x_1, ..., x_n^2 − x_n) (or of Z[x_1, ..., x_n]/(x_1^2 − x_1, ..., x_n^2 − x_n) for integer-valued functions). We shall call it the Numerical Normal Form (NNF).
The existence of this representation for every pseudo-Boolean function is easy to show with the same arguments as for the ANFs of Boolean functions (writing 1 − x_i instead of 1 ⊕ x_i). The linear mapping from every element of the 2^n-dimensional R-vectorspace R[x_1, ..., x_n]/(x_1^2 − x_1, ..., x_n^2 − x_n) to the corresponding pseudo-Boolean function on F_2^n being onto, it is therefore one to one (the R-vectorspace of pseudo-Boolean functions on F_2^n having also dimension 2^n). We deduce the uniqueness of the NNF.
We call the degree of the NNF of a function its numerical degree. It is shown in [211] that, if a Boolean function f has no ineffective variable, then the numerical degree of f is greater than or equal to log_2 n − log_2 log_2 n.
The numerical degree is not an affine invariant. But the NNF leads to an affine invariant (see a proof of this fact in [74]; see also [144]) which is more discriminant than the algebraic degree:

Definition 1 Let f be a Boolean function on F_2^n. We call generalized degree of f the sequence (d_i)_{i≥1} defined as follows:
for every i ≥ 1, d_i is the smallest integer d > d_{i−1} (if i > 1) such that, for every multi-index I of size strictly greater than d, the coefficient λ_I of x^I in the NNF of f is a multiple of 2^i.

Example: the generalized degree of any nonzero affine function is the sequence of all positive integers.

Similarly as for the ANF, a (pseudo-) Boolean function f(x) = ∑_{I∈P(N)} λ_I x^I takes value:

$$f(x) = \sum_{I \subseteq supp(x)} \lambda_I. \qquad (4)$$

But, contrary to what we observed for the ANF, the reverse formula is not identical to the direct formula:

Proposition 2 Let f be a pseudo-Boolean function on F_2^n and let its NNF be ∑_{I∈P(N)} λ_I x^I. Then:

$$\forall I \in \mathcal{P}(N), \quad \lambda_I = (-1)^{|I|} \sum_{x \in \mathbb{F}_2^n \,|\, supp(x) \subseteq I} (-1)^{w_H(x)} f(x). \qquad (5)$$

Thus, function f and its NNF are related through the Möbius transform over integers.

Proof. Let us denote the number (−1)^{|I|} ∑_{x∈F_2^n | supp(x)⊆I} (−1)^{w_H(x)} f(x) by µ_I and consider the function g(x) = ∑_{I∈P(N)} µ_I x^I. We have

$$g(x) = \sum_{I \subseteq supp(x)} \mu_I = \sum_{I \subseteq supp(x)} (-1)^{|I|} \left( \sum_{y \in \mathbb{F}_2^n \,|\, supp(y) \subseteq I} (-1)^{w_H(y)} f(y) \right)$$

and thus

$$g(x) = \sum_{y \in \mathbb{F}_2^n} (-1)^{w_H(y)} f(y) \left( \sum_{I \in \mathcal{P}(N) / \, supp(y) \subseteq I \subseteq supp(x)} (-1)^{|I|} \right).$$

The sum ∑_{I∈P(N) / supp(y)⊆I⊆supp(x)} (−1)^{|I|} is null if supp(y) ⊄ supp(x). It is also null if supp(y) is included in supp(x), but different. Indeed, denoting |I| − w_H(y) by i, it equals $\pm \sum_{i=0}^{w_H(x) - w_H(y)} \binom{w_H(x) - w_H(y)}{i} (-1)^i = \pm (1 - 1)^{w_H(x) - w_H(y)} = 0$. Hence, g = f and, by uniqueness of the NNF, we have µ_I = λ_I for every I. □

Notice that the ANF of any Boolean function can be deduced from its NNF by reducing it modulo 2. Conversely, the NNF can be deduced from the ANF since we have

$$f(x) = \bigoplus_{I \in \mathcal{P}(N)} a_I x^I \iff (-1)^{f(x)} = \prod_{I \in \mathcal{P}(N)} (-1)^{a_I x^I} \iff 1 - 2 f(x) = \prod_{I \in \mathcal{P}(N)} \left( 1 - 2 a_I x^I \right).$$

Expanding this last equality gives the NNF of f(x) and we have [73]:

$$\lambda_I = \sum_{k=1}^{2^n} (-2)^{k-1} \sum_{\{I_1, \dots, I_k\} \,|\, I_1 \cup \dots \cup I_k = I} a_{I_1} \cdots a_{I_k}. \qquad (6)$$

A polynomial $P(x) = \sum_{J \in \mathcal{P}(N)} \lambda_J x^J$, with real coefficients, is the NNF of some Boolean function if and only if we have $P^2(x) = P(x)$ for every $x \in \mathbb{F}_2^n$ (which is equivalent to $P = P^2$ in $\mathbb{R}[x_1, \dots, x_n]/(x_1^2 - x_1, \dots, x_n^2 - x_n)$), or equivalently, denoting $supp(x)$ by I:
$$\forall I \in \mathcal{P}(N),\quad \left( \sum_{J \subseteq I} \lambda_J \right)^2 = \sum_{J \subseteq I} \lambda_J. \qquad (7)$$

Remark.
Imagine that we want to generate a random Boolean function through its NNF (this can be useful, since we will see below that the main cryptographic criteria on Boolean functions can be charac­terized, in simple ways, through their NNFs). Assume that we have already chosen the values $\lambda_J$ for every $J \subseteq I$ (where $I \in \mathcal{P}(N)$ is some multi-index) except for I itself. Let us denote the sum $\sum_{J \subseteq I \,|\, J \neq I} \lambda_J$ by $\mu$. Relation (7) gives $(\lambda_I + \mu)^2 = \lambda_I + \mu$. This equation of degree 2 has two solutions (it has the same discriminant as the equation $\lambda_I^2 = \lambda_I$, that is 1), namely $\lambda_I = -\mu$ and $\lambda_I = 1 - \mu$. The first one corresponds to the choice $P(x) = 0$ (where $I = supp(x)$) and the second one corresponds to the choice $P(x) = 1$.

Thus, verifying that a polynomial $P(x) = \sum_{I \in \mathcal{P}(N)} \lambda_I x^I$ with real coefficients represents a Boolean function can be done by checking $2^n$ relations. But it can also be done by verifying a simple condition on P and checking one equation only.

Proposition 3 Any polynomial $P \in \mathbb{R}[x_1, \dots, x_n]/(x_1^2 - x_1, \dots, x_n^2 - x_n)$ is the NNF of an integer-valued function if and only if all of its coefficients are integers. Assuming that this condition is satisfied, P is the NNF of a Boolean function if and only if:
$$\sum_{x \in \mathbb{F}_2^n} P^2(x) = \sum_{x \in \mathbb{F}_2^n} P(x).$$

Proof. The first assertion is a direct consequence of Relations (4) and (5). If all the coefficients of P are integers, then every P(x) is an integer and we have $P^2(x) \geq P(x)$ for every x, with equality if and only if $P(x) \in \{0, 1\}$; this implies that the $2^n$ equalities expressing that the corresponding function is Boolean can be reduced to the single one $\sum_{x \in \mathbb{F}_2^n} P^2(x) = \sum_{x \in \mathbb{F}_2^n} P(x)$. $\square$

The translation of this characterization in terms of the coefficients of P is given in Relation (29) below.
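The two directions of Proposition 2 and the test of Proposition 3, as an added example written for this chapter (it is not code from the original text). It computes the NNF of the function $f(x) = x_1 x_2 x_3 \oplus x_1 x_4 \oplus x_2$ of Table 2 below from its truth table via Relation (5), recovers the truth table via Relation (4), reduces the NNF modulo 2 to get the ANF, expands the ANF back into the NNF by the product of Relation (6), and applies the single-equation Boolean test of Proposition 3. Multi-indices I are represented as bitmasks, bit i−1 standing for the variable $x_i$; this bit convention and all function names are the example's own choices.

```python
"""NNF (numerical normal form) of a pseudo-Boolean function: Moebius transform
over the integers (Relation (5)), evaluation (Relation (4)), ANF by reduction
modulo 2, ANF -> NNF expansion (Relation (6)) and the Boolean test of
Proposition 3.  Added example, not code from the original chapter.
A multi-index I is a bitmask over the n variables: bit i-1 stands for x_i."""

N_VARS = 4


def popcount(mask):
    return bin(mask).count("1")


def submasks(mask):
    """Yield every bitmask s with s subseteq mask (all multi-indices I subseteq supp(x))."""
    s = mask
    while True:
        yield s
        if s == 0:
            return
        s = (s - 1) & mask


def nnf_from_truth_table(truth_table, n):
    """Relation (5): lambda_I = (-1)^|I| * sum_{supp(x) subseteq I} (-1)^{w_H(x)} f(x)."""
    return {
        I: (-1) ** popcount(I)
        * sum((-1) ** popcount(x) * truth_table[x] for x in submasks(I))
        for I in range(1 << n)
    }


def evaluate_nnf(nnf, x):
    """Relation (4): f(x) = sum_{I subseteq supp(x)} lambda_I (absent coefficients are 0)."""
    return sum(nnf.get(I, 0) for I in submasks(x))


def anf_from_nnf(nnf):
    """The ANF is the NNF reduced modulo 2: the set of monomials with an odd coefficient."""
    return {I for I, c in nnf.items() if c % 2}


def nnf_from_anf(monomials):
    """Relation (6): expand 1 - 2 f(x) = prod_{I in ANF} (1 - 2 x^I), with x^J x^K = x^{J|K}
    (since x_i^2 = x_i on F_2^n), then read off f = (1 - product) / 2."""
    product = {0: 1}                       # the constant polynomial 1
    for I in monomials:
        updated = dict(product)
        for J, c in product.items():       # multiply the current product by (1 - 2 x^I)
            updated[J | I] = updated.get(J | I, 0) - 2 * c
        product = updated
    nnf = {J: -c // 2 for J, c in product.items() if J != 0}
    nnf[0] = (1 - product.get(0, 0)) // 2
    return {J: c for J, c in nnf.items() if c != 0}


def is_boolean_nnf(nnf, n):
    """Proposition 3: integer coefficients, and sum_x P(x)^2 == sum_x P(x)
    (one equation instead of the 2^n equations P(x)^2 = P(x) of Relation (7))."""
    if any(not isinstance(c, int) for c in nnf.values()):
        return False
    values = [evaluate_nnf(nnf, x) for x in range(1 << n)]
    return sum(v * v for v in values) == sum(values)


def f_table2(x):
    """f(x) = x1 x2 x3 + x1 x4 + x2 (the function of Table 2), bit i-1 of x being x_i."""
    x1, x2, x3, x4 = x & 1, (x >> 1) & 1, (x >> 2) & 1, (x >> 3) & 1
    return (x1 & x2 & x3) ^ (x1 & x4) ^ x2


TRUTH_TABLE = [f_table2(x) for x in range(1 << N_VARS)]
NNF = {I: c for I, c in nnf_from_truth_table(TRUTH_TABLE, N_VARS).items() if c != 0}
# NNF is x2 + x1 x4 - x1 x2 x3 - 2 x1 x2 x4 + 2 x1 x2 x3 x4,
# i.e. {2: 1, 9: 1, 7: -1, 11: -2, 15: 2} in the bitmask convention
```

Note that `nnf_from_anf` never forms the $2^n$-term sum of Relation (6) explicitly: multiplying the factors $(1 - 2 a_I x^I)$ one at a time and merging monomials with $x^J x^K = x^{J \cup K}$ produces the same coefficients with far fewer operations.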

2.2 The discrete Fourier transform on pseudo-Boolean and on Boolean functions

Almost all the characteristics needed for Boolean functions in cryptography and for sets of Boolean functions in coding can be expressed by means of the weights of some related Boolean functions (of the form $f \oplus \ell$, where $\ell$ is affine, or of the form $D_a f(x) = f(x) \oplus f(x + a)$). In this framework, the discrete Fourier transform is therefore a very efficient tool: for a given Boolean function f, the knowledge of the discrete Fourier transform of f is equivalent to the knowledge of the weights of all the functions $f \oplus \ell$, where $\ell$ is linear (or affine). Also called Hadamard transform, the discrete Fourier transform is the linear mapping which maps any pseudo-Boolean function $\varphi$ on $\mathbb{F}_2^n$ to the function $\hat\varphi$ defined on $\mathbb{F}_2^n$ by
$$\hat\varphi(u) = \sum_{x \in \mathbb{F}_2^n} \varphi(x) (-1)^{x \cdot u} \qquad (8)$$
(we recall that $x \cdot u$ denotes the usual inner product).

Algorithm There exists a simple divide-and-conquer butterfly algorithm to compute $\hat\varphi$. For every $a = (a_1, \dots, a_{n-1}) \in \mathbb{F}_2^{n-1}$ and every $a_n \in \mathbb{F}_2$, the number $\hat\varphi(a_1, \dots, a_n)$ equals
$$\sum_{x = (x_1, \dots, x_{n-1}) \in \mathbb{F}_2^{n-1}} (-1)^{a \cdot x} \left[ \varphi(x_1, \dots, x_{n-1}, 0) + (-1)^{a_n} \varphi(x_1, \dots, x_{n-1}, 1) \right].$$
Hence, if in the tables of values of the functions the vectors are ordered in lexicographic order with the bit of highest weight on the right (for instance), the table of $\hat\varphi$ equals the concatenation of those of the discrete Fourier transforms of the (n − 1)-variable functions $\psi_0(x) = \varphi(x_1, \dots, x_{n-1}, 0) + \varphi(x_1, \dots, x_{n-1}, 1)$ and $\psi_1(x) = \varphi(x_1, \dots, x_{n-1}, 0) - \varphi(x_1, \dots, x_{n-1}, 1)$. We deduce the following recursive algorithm:
1. write the table of the values of $\varphi$ (its truth-table if $\varphi$ is Boolean), in which the binary vectors of length n are – say – in lexicographic order;

2. let $\varphi_0$ be the restriction of $\varphi$ to $\mathbb{F}_2^{n-1} \times \{0\}$ and $\varphi_1$ the restriction of $\varphi$ to $\mathbb{F}_2^{n-1} \times \{1\}$; the table of values of $\varphi_0$ (resp. $\varphi_1$) corresponds to the upper (resp. lower) half of the table of $\varphi$; replace the values of $\varphi_0$ by those of $\varphi_0 + \varphi_1$ and those of $\varphi_1$ by those of $\varphi_0 - \varphi_1$;

3. apply recursively step 2, separately to the functions now obtained in the places of $\varphi_0$ and $\varphi_1$.

When the algorithm ends (i.e. once step 2 has been applied down to the functions on one variable each), the global table gives the values of $\hat\varphi$. The complexity of this algorithm is $O(n 2^n)$ additions, to be compared with the $O(2^{2n})$ operations of a direct evaluation of Relation (8) at every u.

Application to Boolean functions For a given Boolean function f, the discrete Fourier transform can be applied to f itself, viewed as a function valued in $\{0, 1\} \subset \mathbb{Z}$. We denote by $\hat f$ the corresponding discrete Fourier transform of f. Notice that $\hat f(0)$ equals the Hamming weight of f. Thus, the Hamming distance $d_H(f, g) = |\{x \in \mathbb{F}_2^n / f(x) \neq g(x)\}| = w_H(f \oplus g)$ between two functions f and g equals $\widehat{f \oplus g}(0)$.
The discrete Fourier transform can also be applied to the pseudo-Boolean function $f_\chi(x) = (-1)^{f(x)}$ (often called the sign function⁴) instead of f itself.

⁴ The symbol χ is used here because the sign function is the image of f by the non-trivial character over $\mathbb{F}_2$ (usually denoted by χ); to be sure that the distinction between the discrete Fourier transforms of f and of its sign function will be easily made, we also change the font when we deal with the sign function; many other ways of denoting the discrete Fourier transform can be found in the literature.
x1 x2 x3 x4 | x1x2x3 | x1x4 | f(x) | fχ(x) | stage 1 | stage 2 | stage 3 | f̂χ(x)
 0  0  0  0 |   0    |  0   |  0   |   1   |    2    |    4    |    0    |   0
 1  0  0  0 |   0    |  0   |  0   |   1   |    0    |    0    |    0    |   0
 0  1  0  0 |   0    |  0   |  1   |  -1   |   -2    |   -4    |    8    |   8
 1  1  0  0 |   0    |  0   |  1   |  -1   |    0    |    0    |    0    |   8
 0  0  1  0 |   0    |  0   |  0   |   1   |    2    |    0    |    0    |   0
 1  0  1  0 |   0    |  0   |  0   |   1   |    0    |    0    |    0    |   0
 0  1  1  0 |   0    |  0   |  1   |  -1   |   -2    |    0    |    0    |   0
 1  1  1  0 |   1    |  0   |  0   |   1   |    0    |    0    |    0    |   0
 0  0  0  1 |   0    |  0   |  0   |   1   |    0    |    0    |    0    |   4
 1  0  0  1 |   0    |  1   |  1   |  -1   |    2    |    4    |    4    |  -4
 0  1  0  1 |   0    |  0   |  1   |  -1   |    0    |    0    |    0    |   4
 1  1  0  1 |   0    |  1   |  0   |   1   |   -2    |    0    |    4    |  -4
 0  0  1  1 |   0    |  0   |  0   |   1   |    0    |    0    |    0    |  -4
 1  0  1  1 |   0    |  1   |  1   |  -1   |    2    |    0    |   -4    |   4
 0  1  1  1 |   0    |  0   |  1   |  -1   |    0    |    0    |    0    |   4
 1  1  1  1 |   1    |  1   |  1   |  -1   |    2    |   -4    |    4    |  -4

Table 2: truth table and Walsh spectrum of f(x) = x1x2x3 ⊕ x1x4 ⊕ x2. The columns "stage 1" to "stage 3" are the intermediate tables of the butterfly algorithm (splitting on x4, then on x3, then on x2); the last stage, splitting on x1, gives f̂χ.

We have
$$\hat f_\chi(u) = \sum_{x \in \mathbb{F}_2^n} (-1)^{f(x) \oplus x \cdot u}.$$
We shall call Walsh transform⁵ of f the Fourier transform of the sign function $f_\chi$. We give in Table 2 an example of the computation of the Walsh transform, using the algorithm recalled above.
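The butterfly algorithm above, as an added example written for this chapter (not code from the original text): it reproduces the last column of Table 2 for $f(x) = x_1 x_2 x_3 \oplus x_1 x_4 \oplus x_2$, checks the result against the defining sum (8), and reads the Hamming weight of f and its distances to affine functions off the spectrum (Relations (10) and (11) below). The table index x is read with $x_1$ as its least significant bit, which is the lexicographic order of Table 2 (bit of highest weight on the right); this convention and the function names are the example's own.

```python
"""Fast Walsh transform by the butterfly algorithm of Subsection 2.2, reproducing
Table 2 for f(x) = x1 x2 x3 + x1 x4 + x2, with the checks of Relations (10) and (11).
Added example, not code from the original chapter.  Index x of a table is read
with x_1 as its least significant bit, i.e. the lexicographic order of Table 2
(bit of highest weight on the right)."""


def popcount(mask):
    return bin(mask).count("1")


def fourier_transform(values):
    """Butterfly (divide-and-conquer) Fourier transform of a pseudo-Boolean function
    given by its table of 2^n values; returns the table of phi_hat.

    Stage 1 splits the table into the halves phi_0 (x_n = 0) and phi_1 (x_n = 1) and
    replaces them by phi_0 + phi_1 and phi_0 - phi_1; the later stages do the same
    inside each block for x_{n-1}, ..., x_1.  O(n 2^n) additions in total."""
    table = list(values)
    size = len(table)
    if size == 0 or size & (size - 1):
        raise ValueError("table length must be a power of two")
    half = size // 2
    while half:
        for start in range(0, size, 2 * half):
            for i in range(start, start + half):
                a, b = table[i], table[i + half]
                table[i], table[i + half] = a + b, a - b
        half //= 2
    return table


def fourier_transform_direct(values, u):
    """Relation (8) evaluated directly at u, as an independent check of the butterfly."""
    return sum(v * (-1) ** (popcount(x & u) & 1) for x, v in enumerate(values))


def walsh_spectrum(f, n):
    """Walsh transform of the Boolean function f: Fourier transform of f_chi = (-1)^f."""
    return fourier_transform([(-1) ** f(x) for x in range(1 << n)])


def weight_from_walsh(spectrum):
    """Relation (10): w_H(f) = 2^{n-1} - F(f)/2, where F(f) = f_chi_hat(0)."""
    return len(spectrum) // 2 - spectrum[0] // 2


def distance_to_affine(spectrum, a, c=0):
    """Relation (11): d_H(f, a.x + c) = 2^{n-1} - (-1)^c f_chi_hat(a)/2."""
    return len(spectrum) // 2 - ((-1) ** c * spectrum[a]) // 2


def f_table2(x):
    """f(x) = x1 x2 x3 + x1 x4 + x2, bit i-1 of x being x_i."""
    x1, x2, x3, x4 = x & 1, (x >> 1) & 1, (x >> 2) & 1, (x >> 3) & 1
    return (x1 & x2 & x3) ^ (x1 & x4) ^ x2


TABLE2_SPECTRUM = walsh_spectrum(f_table2, 4)
# last column of Table 2: [0, 0, 8, 8, 0, 0, 0, 0, 4, -4, 4, -4, -4, 4, 4, -4]
```

The same `fourier_transform` applied to the truth table of f (values in {0, 1}) instead of its sign function gives $\hat f$, whose value at 0 is the Hamming weight of f; applying it to the constant table [1, …, 1] gives $2^n \delta_0$, the case $E = \mathbb{F}_2^n$ of Proposition 5 below.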
Notice that $f_\chi$ being equal to $1 - 2f$, we have
$$\hat f_\chi = 2^n \delta_0 - 2 \hat f \qquad (9)$$
where $\delta_0$ denotes the Dirac symbol, i.e. the indicator of the singleton {0}, defined by $\delta_0(u) = 1$ if u is the null vector and $\delta_0(u) = 0$ otherwise; see Proposition 5 for a proof of the relation $\hat 1 = 2^n \delta_0$. Relation (9) gives conversely
$\hat f = 2^{n-1} \delta_0 - \frac{\hat f_\chi}{2}$ and in particular:
$$w_H(f) = 2^{n-1} - \frac{\hat f_\chi(0)}{2}. \qquad (10)$$
Relation (10) applied to $f \oplus \ell_a$, where $\ell_a(x) = a_1 x_1 \oplus \cdots \oplus a_n x_n = a \cdot x$, gives:
$$d_H(f, \ell_a) = w_H(f \oplus \ell_a) = 2^{n-1} - \frac{\hat f_\chi(a)}{2}. \qquad (11)$$
The mapping $f \mapsto \hat f_\chi(0)$ playing an important role, and being applied in the sequel to various functions deduced from f, we shall also use the specific notation
$$\mathcal{F}(f) = \hat f_\chi(0) = \sum_{x \in \mathbb{F}_2^n} (-1)^{f(x)}. \qquad (12)$$

⁵ The terminology is not much more settled in the literature than is the notation; we take advantage here of the fact that many authors use the term Walsh transform instead of discrete Fourier transform: we call Fourier transform the discrete Fourier transform of the Boolean function and Walsh transform (some authors write "Walsh-Hadamard transform") the discrete Fourier transform of its sign function.

Properties of the Fourier transform The discrete Fourier transform, as any other Fourier transform, has very nice and useful properties. The number of these properties and the richness of their mutual relationships are impressive. All of these properties are very useful in practice for studying Boolean functions (we shall often refer to the relations below in the rest of the chapter). Almost all properties can be deduced from the next lemma⁶ and from the next two propositions.

Lemma 1 Let E be any vector space over $\mathbb{F}_2$ and $\ell$ any nonzero linear form on E. Then $\sum_{x \in E} (-1)^{\ell(x)}$ is null.

Proof. The linear form $\ell$ being not null, its support is an affine hyperplane of E and has $2^{\dim E - 1} = \frac{|E|}{2}$ elements⁷. Thus, $\sum_{x \in E} (-1)^{\ell(x)}$ being the sum of 1's and −1's in equal numbers, it is null. $\square$

Proposition 4 For every pseudo-Boolean function $\varphi$ on $\mathbb{F}_2^n$ and all elements a, b and u of $\mathbb{F}_2^n$, the value at u of the Fourier transform of the function $(-1)^{a \cdot x} \varphi(x + b)$ equals $(-1)^{b \cdot (a + u)} \hat\varphi(a + u)$.

Proof. The value at u of the Fourier transform of the function $(-1)^{a \cdot x} \varphi(x + b)$ equals $\sum_{x \in \mathbb{F}_2^n} (-1)^{(a + u) \cdot x} \varphi(x + b) = \sum_{x \in \mathbb{F}_2^n} (-1)^{(a + u) \cdot (x + b)} \varphi(x)$ and thus equals $(-1)^{b \cdot (a + u)} \hat\varphi(a + u)$. $\square$

⁶ Lemma 1 allows proving a nice property on the Walsh transform of composed vectorial functions, see the remark in the introduction of Subsection 2.1 in the chapter "Vectorial Boolean Functions for Cryptography".
⁷ Another way of seeing this is as follows: choose $a \in E$ such that $\ell(a) = 1$; then the mapping $x \mapsto x + a$ is one to one between $\ell^{-1}(0)$ and $\ell^{-1}(1)$.
Proposition 5 Let E be any vector subspace of $\mathbb{F}_2^n$. Denote by $1_E$ its indicator (also called characteristic function), defined by $1_E(u) = 1$ if $u \in E$ and $1_E(u) = 0$ otherwise. Then:
$$\widehat{1_E} = |E| \, 1_{E^\perp}, \qquad (13)$$
where $E^\perp = \{x \in \mathbb{F}_2^n / \forall y \in E, x \cdot y = 0\}$ is the orthogonal of E.
In particular, for $E = \mathbb{F}_2^n$, we have $\hat 1 = 2^n \delta_0$.

Proof. For every $u \in \mathbb{F}_2^n$, we have $\widehat{1_E}(u) = \sum_{x \in E} (-1)^{u \cdot x}$. If the linear form $x \in E \mapsto u \cdot x$ is not null on E (i.e. if $u \notin E^\perp$) then $\widehat{1_E}(u)$ is null, according to Lemma 1. And if $u \in E^\perp$, then it clearly equals |E|. $\square$

We deduce from Proposition 5 the Poisson summation formula, which has been used to prove many cryptographic properties in [177], [184], [45] and later in [32, 33], and whose most general statement is:

Corollary 1 For every pseudo-Boolean function $\varphi$ on $\mathbb{F}_2^n$, for every vector subspace E of $\mathbb{F}_2^n$, and for all elements a and b of $\mathbb{F}_2^n$, we have:
$$\sum_{u \in a + E} (-1)^{b \cdot u} \hat\varphi(u) = |E| \, (-1)^{a \cdot b} \sum_{x \in b + E^\perp} (-1)^{a \cdot x} \varphi(x). \qquad (14)$$

Proof. Let us first assume that $a = b = 0$. The sum $\sum_{u \in E} \hat\varphi(u)$, by definition, equals $\sum_{u \in E} \sum_{x \in \mathbb{F}_2^n} \varphi(x) (-1)^{u \cdot x} = \sum_{x \in \mathbb{F}_2^n} \varphi(x) \widehat{1_E}(x)$. Hence, according to Proposition 5:
$$\sum_{u \in E} \hat\varphi(u) = |E| \sum_{x \in E^\perp} \varphi(x). \qquad (15)$$
We apply this last equality to the function $(-1)^{a \cdot x} \varphi(x + b)$, whose Fourier transform is $(-1)^{b \cdot (a + u)} \hat\varphi(a + u)$, according to Proposition 4. We deduce $\sum_{u \in E} (-1)^{b \cdot (a + u)} \hat\varphi(a + u) = |E| \sum_{x \in E^\perp} (-1)^{a \cdot x} \varphi(x + b)$, which is equivalent to Equality (14). $\square$

Relation (14) with $a = 0$ and $E = \mathbb{F}_2^n$ gives:

Corollary 2 For every pseudo-Boolean function $\varphi$ on $\mathbb{F}_2^n$:
$$\hat{\hat\varphi} = 2^n \varphi. \qquad (16)$$
Thus, the Fourier transform is a permutation on the set of pseudo-Boolean functions on $\mathbb{F}_2^n$ and is its own inverse, up to division by a constant. In order to avoid this division, the Fourier transform is often normalized, that is, divided by $\sqrt{2^n} = 2^{n/2}$ so that it becomes its own inverse. We do not use this normalized transform here because the functions we consider are integer-valued, and we want their Fourier transforms to be also integer-valued.
Corollary 2 makes it easy to show that some properties, valid for the Fourier transform of any function $\varphi$ having some specificities, are in fact necessary and sufficient conditions for $\varphi$ having these specificities. For instance, according to Proposition 5, the Fourier transform of any constant function takes null value at every nonzero vector; according to Corollary 2, this is a necessary and sufficient condition. Similarly, $\varphi$ is constant on $\mathbb{F}_2^n \setminus \{0\}$ if and only if $\hat\varphi$ is constant on $\mathbb{F}_2^n \setminus \{0\}$.
A classical property of the Fourier transform is to be an isomorphism from the set of pseudo-Boolean functions on $\mathbb{F}_2^n$, endowed with the so-called convolutional product, into this same set, endowed with the usual (Hadamard) product of functions. We recall the definition of the convolutional product between two functions $\varphi$ and $\psi$:
$$(\varphi \otimes \psi)(x) = \sum_{y \in \mathbb{F}_2^n} \varphi(y) \psi(x + y)$$
(adding here is equivalent to subtracting since the operations take place in $\mathbb{F}_2^n$).

Proposition 6 Let $\varphi$ and $\psi$ be any pseudo-Boolean functions on $\mathbb{F}_2^n$. We have:
$$\widehat{\varphi \otimes \psi} = \hat\varphi \times \hat\psi. \qquad (17)$$
Consequently:
$$\hat\varphi \otimes \hat\psi = 2^n \, \widehat{\varphi \times \psi}. \qquad (18)$$
Proof. We have
$$\widehat{\varphi \otimes \psi}(u) = \sum_{x \in \mathbb{F}_2^n} (\varphi \otimes \psi)(x) (-1)^{u \cdot x} = \sum_{x \in \mathbb{F}_2^n} \sum_{y \in \mathbb{F}_2^n} \varphi(y) \psi(x + y) (-1)^{u \cdot x} = \sum_{x \in \mathbb{F}_2^n} \sum_{y \in \mathbb{F}_2^n} \varphi(y) \psi(x + y) (-1)^{u \cdot y \oplus u \cdot (x + y)}.$$
Thus
$$\widehat{\varphi \otimes \psi}(u) = \sum_{y \in \mathbb{F}_2^n} \varphi(y) (-1)^{u \cdot y} \left( \sum_{x \in \mathbb{F}_2^n} \psi(x + y) (-1)^{u \cdot (x + y)} \right) = \sum_{y \in \mathbb{F}_2^n} \varphi(y) (-1)^{u \cdot y} \left( \sum_{x \in \mathbb{F}_2^n} \psi(x) (-1)^{u \cdot x} \right) = \hat\varphi(u) \hat\psi(u).$$
This proves the first equality. Applying it to $\hat\varphi$ and $\hat\psi$ in the places of $\varphi$ and $\psi$, we obtain $\widehat{\hat\varphi \otimes \hat\psi} = \hat{\hat\varphi} \times \hat{\hat\psi} = 2^{2n} \varphi \times \psi$, according to Corollary 2. Using again this same corollary, we deduce Relation (18). $\square$

Relation (18) applied at 0 gives
$$(\hat\varphi \otimes \hat\psi)(0) = 2^n \, \widehat{\varphi \times \psi}(0) = 2^n \sum_{x \in \mathbb{F}_2^n} \varphi(x) \psi(x) = 2^n (\varphi \otimes \psi)(0). \qquad (19)$$
Taking $\psi = \varphi$ in (19), we obtain Parseval's relation:

Corollary 3 For every pseudo-Boolean function $\varphi$, we have:
$$\sum_{u \in \mathbb{F}_2^n} \hat\varphi^2(u) = 2^n \sum_{x \in \mathbb{F}_2^n} \varphi^2(x).$$
If $\varphi$ takes values ±1 only, this becomes:
$$\sum_{u \in \mathbb{F}_2^n} \hat\varphi^2(u) = 2^{2n}. \qquad (20)$$
This is why, when dealing with Boolean functions, we shall most often prefer using the Walsh transform of f (that is, the Fourier transform of the function $f_\chi = (-1)^{f(x)}$) instead of the Fourier transform of f.

Relation (17) leads to another relation involving the derivatives of a Boolean function.

Definition 2 Let f be an n-variable Boolean function and let b be any vector in $\mathbb{F}_2^n$. We call derivative of f with respect to the direction b the Boolean function $D_b f(x) = f(x) \oplus f(x + b)$.

For instance, the derivative with respect to the vector (0, …, 0, 1) of a function of the form $g(x_1, \dots, x_{n-1}) \oplus x_n h(x_1, \dots, x_{n-1})$ equals $h(x_1, \dots, x_{n-1})$.
Relation (17) applied with $\psi = \varphi = f_\chi$ implies the so-called Wiener-Khintchine Theorem:
$$\widehat{f_\chi \otimes f_\chi} = \hat f_\chi^{\,2}. \qquad (21)$$
We have $(f_\chi \otimes f_\chi)(b) = \sum_{x \in \mathbb{F}_2^n} (-1)^{D_b f(x)} = \mathcal{F}(D_b f)$ (the notation $\mathcal{F}$ was defined at Relation (12)). Thus Relation (21) shows that $\hat f_\chi^{\,2}$ is the Fourier transform of the so-called auto-correlation function $b \mapsto \Delta_f(b) = \mathcal{F}(D_b f)$ (this property was first used in the domain of cryptography in [44]):
$$\forall u \in \mathbb{F}_2^n,\quad \sum_{b \in \mathbb{F}_2^n} \mathcal{F}(D_b f) (-1)^{u \cdot b} = \hat f_\chi^{\,2}(u). \qquad (22)$$
Applied at vector 0, this gives
$$\sum_{b \in \mathbb{F}_2^n} \mathcal{F}(D_b f) = \mathcal{F}^2(f). \qquad (23)$$
Corollary 1 and Relation (22) imply that, for every vector subspace E of $\mathbb{F}_2^n$ and all vectors a and b (cf. [33]):
$$\sum_{u \in a + E} (-1)^{b \cdot u} \hat f_\chi^{\,2}(u) = |E| \, (-1)^{a \cdot b} \sum_{e \in b + E^\perp} (-1)^{a \cdot e} \mathcal{F}(D_e f). \qquad (24)$$
Another interesting relation has also been shown in [33] (see also [180]):

Proposition 7 Let E and E' be subspaces of $\mathbb{F}_2^n$ such that $E \cap E' = \{0\}$ and whose direct sum equals $\mathbb{F}_2^n$. For every $a \in E'$, let $h_a$ be the restriction of f to the coset $a + E$ ($h_a$ can be identified with a function on $\mathbb{F}_2^k$ where k is the dimension of E). Then
$$\sum_{u \in E^\perp} \hat f_\chi^{\,2}(u) = |E^\perp| \sum_{a \in E'} \mathcal{F}^2(h_a). \qquad (25)$$

Proof. Every element of $\mathbb{F}_2^n$ can be written in a unique way in the form $x + a$ where $x \in E$ and $a \in E'$. For every $e \in E$, we have $\mathcal{F}(D_e f) = \sum_{x \in E;\, a \in E'} (-1)^{f(x + a) \oplus f(x + e + a)} = \sum_{a \in E'} \mathcal{F}(D_e h_a)$. We deduce from Relation (24), applied with $E^\perp$ instead of E and with $a = b = 0$, that
$$\sum_{u \in E^\perp} \hat f_\chi^{\,2}(u) = |E^\perp| \sum_{e \in E} \mathcal{F}(D_e f) = |E^\perp| \sum_{e \in E} \sum_{a \in E'} \mathcal{F}(D_e h_a) = |E^\perp| \sum_{a \in E'} \left( \sum_{e \in E} \mathcal{F}(D_e h_a) \right).$$
Thus, according to Relation (23) applied with E in the place of $\mathbb{F}_2^n$ (recall that E can be identified with $\mathbb{F}_2^k$ where k is the dimension of E): $\sum_{u \in E^\perp} \hat f_\chi^{\,2}(u) = |E^\perp| \sum_{a \in E'} \mathcal{F}^2(h_a)$. $\square$
Fourier transform and linear isomorphisms A last relation that must be mentioned shows what the composition with a linear isomorphism implies on the Fourier transform of a pseudo-Boolean function:

Proposition 8 Let $\varphi$ be any pseudo-Boolean function on $\mathbb{F}_2^n$. Let M be a nonsingular n×n binary matrix and L the linear isomorphism
$$L : \begin{pmatrix} x_1 \\ x_2 \\ \vdots \\ x_n \end{pmatrix} \mapsto M \times \begin{pmatrix} x_1 \\ x_2 \\ \vdots \\ x_n \end{pmatrix}.$$
Let us denote by M' the transpose of M and by L' the linear isomorphism
$$L' : \begin{pmatrix} x_1 \\ x_2 \\ \vdots \\ x_n \end{pmatrix} \mapsto M'^{-1} \times \begin{pmatrix} x_1 \\ x_2 \\ \vdots \\ x_n \end{pmatrix}.$$
Then
$$\widehat{\varphi \circ L} = \hat\varphi \circ L'. \qquad (26)$$

Proof. For every $u \in \mathbb{F}_2^n$, we have $\widehat{\varphi \circ L}(u) = \sum_{x \in \mathbb{F}_2^n} \varphi(L(x)) (-1)^{u \cdot x} = \sum_{x \in \mathbb{F}_2^n} \varphi(x) (-1)^{u \cdot L^{-1}(x)} = \sum_{x \in \mathbb{F}_2^n} \varphi(x) (-1)^{L'(u) \cdot x}$, the last equality because $u \cdot L^{-1}(x) = u^{\mathrm{T}} M^{-1} x = (M'^{-1} u)^{\mathrm{T}} x = L'(u) \cdot x$. $\square$

A relationship between algebraic degree and Walsh transform was shown in [171] (see also [45]):

Proposition 9 Let f be an n-variable Boolean function, and let $1 \leq k \leq n$. Assume that its Walsh transform takes values divisible by $2^k$ (i.e., according to Relation (9), that its Fourier transform takes values divisible by $2^{k-1}$, or equivalently, according to Relation (11), that all the Hamming distances between f and affine functions are divisible by $2^{k-1}$). Then f has algebraic degree at most $n - k + 1$.

Proof. Let us suppose that f has algebraic degree $d > n - k + 1$ and consider a term $x^I$ of degree d in its algebraic normal form. Relation (15) applied to $\varphi = f_\chi$ and to the vector space $E = \{u \in \mathbb{F}_2^n / \forall i \in I, u_i = 0\}$ gives $\sum_{u \in E} \hat f_\chi(u) = 2^{n-d} \sum_{x \in E^\perp} f_\chi(x)$. The orthogonal $E^\perp$ of E equals $\{u \in \mathbb{F}_2^n / \forall i \notin I, u_i = 0\}$. The restriction of f to $E^\perp$, viewed as a function on $\mathbb{F}_2^d$, has an ANF of degree d (because all the monomials different from $\prod_{i \in I} x_i$ in the ANF of f give monomials of degrees strictly less than d when we set the coordinates $x_i$, $i \notin I$, to 0). Thus, this restriction has an odd weight (see Remark 1 of Subsection 2.1), and $\sum_{x \in E^\perp} f_\chi(x) = 2^d - 2 w_H(f_{|E^\perp})$ is not divisible by 4 (note that $d \geq 2$). Hence, $\sum_{u \in E} \hat f_\chi(u)$ is not divisible by $2^{n-d+2}$ and, since $n - d + 2 \leq k$, it is therefore not divisible by $2^k$. A contradiction. $\square$
The converse of Proposition 9 is obviously valid if k = 1. It is also valid if k = 2, since the n-variable Boolean functions of degrees at most n − 1 are those Boolean functions of even Hamming weights. It is finally also valid for k = n, since the affine functions are characterized by the fact that their Walsh transforms take values $\pm 2^n$ and 0 only (more precisely, their Walsh transforms take value $\pm 2^n$ once, and all their other values are null, because of Parseval's relation). The converse is false for any other value of k. Indeed, we shall see below that it is false for k = n − 1 (n ≥ 4), since there exist quadratic functions f whose Walsh transforms take values $\pm 2^{n/2}$ (n even ≥ 4) and $\pm 2^{(n+1)/2}$ (n odd ≥ 5). Besides, it is possible to show that the non-affine quadratic functions whose Walsh transform values are divisible by $2^{n-1}$ are the sums of an indicator of a flat (i.e. an affine space) of co-dimension 2 and of an affine function. It is then an easy task to deduce that the converse of Proposition 9 is also false for the remaining values of k, namely 3 ≤ k ≤ n − 2: we choose a quadratic function g in 4 variables whose Walsh transform value at 0 equals $2^2$, that is, whose weight equals $2^3 - 2 = 6$; and we take $f(x) = g(x_1, x_2, x_3, x_4)\, x_5 \cdots x_l$ (5 ≤ l ≤ n). Such a function has algebraic degree l − 2 and its weight equals 6; hence its Walsh transform value at 0 equals $2^n - 12$, which is congruent to 4 modulo 8, and is therefore not divisible by $2^k$ with $k = n - (l - 2) + 1 = n - l + 3$ (the range of k being 3 ≤ k ≤ n − 2).
Determining those Boolean functions whose Walsh transform is divisible by $2^k$ seems to be an open problem for 3 ≤ k ≤ n − 2 (partial results are given in [63]). This problem is interesting because of the result on resilient functions recalled in Proposition 32.
Note that it is possible to characterize the fact that a Boolean function has degree at most d by means of its Fourier or Walsh transform: since a Boolean function has algebraic degree at most d if and only if its restriction to any (d + 1)-dimensional flat has an even weight, we can apply the Poisson summation formula (14).
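The auto-correlation function and Relations (22)–(23), together with the divisibility test of Proposition 9 and the counterexample to its converse constructed just above, as an added example written for this chapter (not code from the original text). It computes $\Delta_f(b) = \mathcal{F}(D_b f)$ by the defining sum, checks that its Fourier transform is $\hat f_\chi^{\,2}$, finds the largest k such that $2^k$ divides every Walsh value, compares $n - k + 1$ with the algebraic degree obtained from the ANF, and does this both for the function of Table 2 and for $f(x) = (x_1 x_2 \oplus x_3 x_4)\, x_5$ on $\mathbb{F}_2^5$ (the text's construction with $g = x_1 x_2 \oplus x_3 x_4$, of weight 6, and l = n = 5). Bit i−1 of an integer stands for $x_i$; the bit convention and function names are the example's own.

```python
"""Auto-correlation Delta_f(b) = F(D_b f), the Wiener-Khintchine relation (22)
and the divisibility/degree relation of Proposition 9, with the counterexample
to its converse built in the text (g(x1..x4) x5, g quadratic of weight 6).
Added example, not code from the original chapter.  Bit i-1 of x stands for x_i."""


def popcount(mask):
    return bin(mask).count("1")


def walsh(f, n, u):
    """f_chi_hat(u) = sum_x (-1)^{f(x) + u.x} by the defining sum (O(2^n) per value)."""
    return sum((-1) ** (f(x) ^ (popcount(x & u) & 1)) for x in range(1 << n))


def autocorrelation(f, n, b):
    """Delta_f(b) = F(D_b f) = sum_x (-1)^{f(x) + f(x + b)} (Definition 2, Relation (12))."""
    return sum((-1) ** (f(x) ^ f(x ^ b)) for x in range(1 << n))


def wiener_khintchine_holds(f, n):
    """Relation (22): the Fourier transform of b -> Delta_f(b) equals f_chi_hat^2 at every u
    (u = 0 is Relation (23): sum_b Delta_f(b) = F(f)^2)."""
    delta = [autocorrelation(f, n, b) for b in range(1 << n)]
    return all(
        sum(delta[b] * (-1) ** (popcount(u & b) & 1) for b in range(1 << n)) == walsh(f, n, u) ** 2
        for u in range(1 << n)
    )


def algebraic_degree(f, n):
    """Degree of the ANF, whose coefficients a_I = XOR_{supp(x) subseteq I} f(x) are obtained
    by the binary Moebius transform, computed in place one variable at a time."""
    coeff = [f(x) for x in range(1 << n)]
    for i in range(n):
        for I in range(1 << n):
            if I >> i & 1:
                coeff[I] ^= coeff[I ^ (1 << i)]
    return max((popcount(I) for I in range(1 << n) if coeff[I]), default=-1)


def walsh_divisibility(f, n):
    """Largest k <= n such that 2^k divides every Walsh value of f."""
    spectrum = [walsh(f, n, u) for u in range(1 << n)]
    k = 0
    while k < n and all(v % (1 << (k + 1)) == 0 for v in spectrum):
        k += 1
    return k


def degree_bound_from_walsh(f, n):
    """Proposition 9: Walsh values all divisible by 2^k  =>  deg f <= n - k + 1."""
    return n - walsh_divisibility(f, n) + 1


def f_table2(x):
    """f(x) = x1 x2 x3 + x1 x4 + x2 (Table 2): degree 3, Walsh values in {0, +-4, +-8}."""
    x1, x2, x3, x4 = x & 1, (x >> 1) & 1, (x >> 2) & 1, (x >> 3) & 1
    return (x1 & x2 & x3) ^ (x1 & x4) ^ x2


def f_counterexample(x):
    """f(x) = (x1 x2 + x3 x4) x5 on F_2^5: degree 3 = n - k + 1 for k = 3, weight 6, so
    f_chi_hat(0) = 2^5 - 12 = 20 is not divisible by 2^3: the converse of Proposition 9 fails."""
    x1, x2, x3, x4, x5 = x & 1, (x >> 1) & 1, (x >> 2) & 1, (x >> 3) & 1, (x >> 4) & 1
    return ((x1 & x2) ^ (x3 & x4)) & x5
```

For the function of Table 2 the bound of Proposition 9 is tight (every Walsh value is divisible by $2^2$, and the degree is exactly $4 - 2 + 1 = 3$); for the counterexample the divisibility is only $2^2$ although the degree equals $5 - 3 + 1$, which is the failure of the converse described above.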

Characterizing the Fourier transforms of integer-valued pseudo-Boolean functions and of Boolean functions According to Relation (16), the Fourier transforms of integer-valued functions (resp. the Walsh transforms of Boolean functions) are those integer-valued functions over $\mathbb{F}_2^n$ whose Fourier transforms take values divisible by $2^n$ (resp. equal to $\pm 2^n$). Also, the Walsh transforms of Boolean functions being those integer-valued functions $\varphi$ over $\mathbb{F}_2^n$ such that $\hat\varphi^2$ equals the constant function $2^{2n}$, they are those integer-valued functions $\varphi$ such that $\widehat{\varphi \otimes \varphi} = 2^{2n}$, that is $\varphi \otimes \varphi = 2^{2n} \delta_0$, according to Relation (17) applied with $\psi = \varphi$. But these characterizations are not easily computable: they need to check $2^n$ divisibilities by $2^n$ for the Fourier transforms of integer-valued functions, and $2^n$ equalities for the Walsh transforms of Boolean functions.
Since the main cryptographic criteria on Boolean functions will be characterized below as properties of their Walsh transforms, it is important to have characterizations which are as simple as possible. We have seen that characterizing the NNFs of integer-valued (resp. Boolean) functions is easy (resp. easier than with the Fourier transform). So it is useful to clarify the relationship between these two representations.

2.2.1 Fourier transform and NNF

There is a similarity between the Fourier transform and the NNF:
- the functions $(-1)^{u \cdot x}$, $u \in \mathbb{F}_2^n$, constitute an orthogonal basis of the space of pseudo-Boolean functions, and the Fourier transform corresponds, up to normalization, to a decomposition over this basis;
- the NNF is defined similarly with respect to the (non-orthogonal) basis of monomials.
Let us see now how each representation can be expressed by means of the other.
Let $\varphi(x)$ be any pseudo-Boolean function and let $\sum_{I \in \mathcal{P}(N)} \lambda_I x^I$ be its NNF. For every word $x \in \mathbb{F}_2^n$, we have: $\varphi(x) = \sum_{I \subseteq supp(x)} \lambda_I$. Setting $b = (1, \dots, 1)$, we have $\varphi(x + b) = \sum_{I \in \mathcal{P}(N) / supp(x) \cap I = \emptyset} \lambda_I$ (since the support of $x + b$ equals $N \setminus supp(x)$).
For every $I \in \mathcal{P}(N)$, the set $\{x \in \mathbb{F}_2^n / supp(x) \cap I = \emptyset\}$ is an (n − |I|)-dimensional vector subspace of $\mathbb{F}_2^n$. Let us denote it by $E_I$. Its orthogonal equals $\{u \in \mathbb{F}_2^n / supp(u) \subseteq I\}$. We have $\varphi(x + b) = \sum_{I \in \mathcal{P}(N)} \lambda_I 1_{E_I}(x)$. Applying Propositions 4 (with a = 0) and 5, we deduce:
$$\hat\varphi(u) = (-1)^{w_H(u)} \sum_{I \in \mathcal{P}(N) \,|\, supp(u) \subseteq I} 2^{n - |I|} \lambda_I. \qquad (27)$$
Using the same method as for computing $\lambda_I$ by means of the values of f, it is an easy task to deduce:
$$\lambda_I = 2^{-n} (-2)^{|I|} \sum_{u \in \mathbb{F}_2^n \,|\, I \subseteq supp(u)} \hat\varphi(u). \qquad (28)$$
Note that if $\varphi$ has numerical degree D, then, according to Relation (27), we have $\hat\varphi(u) = 0$ for every vector u of weight strictly greater than D.
Applying Relation (27) to $\varphi(x) = P(x) = \sum_{I \in \mathcal{P}(N)} \lambda_I x^I$ and to $\varphi(x) = P^2(x) = \sum_{I \in \mathcal{P}(N)} \left( \sum_{J, J' \in \mathcal{P}(N) \,|\, I = J \cup J'} \lambda_J \lambda_{J'} \right) x^I$, with u = 0, we deduce from Proposition 3 that a polynomial $P(x) = \sum_{I \in \mathcal{P}(N)} \lambda_I x^I$, with integer coefficients, is the NNF of a Boolean function if and only if
$$\sum_{I \in \mathcal{P}(N)} 2^{n - |I|} \sum_{J, J' \in \mathcal{P}(N) \,|\, I = J \cup J'} \lambda_J \lambda_{J'} = \sum_{I \in \mathcal{P}(N)} 2^{n - |I|} \lambda_I. \qquad (29)$$

Remark. The NNF presents the interest of being a polynomial representation, but it can also be viewed as the transform which maps any pseudo-Boolean function $f(x) = \sum_{I \in \mathcal{P}(N)} \lambda_I x^I$ to the pseudo-Boolean function g defined by $g(x) = \lambda_{supp(x)}$. Let us denote this mapping by Φ. Three other transforms have also been used for studying Boolean functions:
- the mapping $\Phi^{-1}$ (the formulae relating this mapping and the Walsh transform are slightly simpler than for Φ; see [226]);
- a mapping defined by a formula similar to Relation (5), but in which $supp(x) \subseteq I$ is replaced by $I \subseteq supp(x)$; see [122];
- the inverse of this mapping. $\square$

2.2.2 Fourier transform and graph theory

Let f be a Boolean function and let $G_f$ be the Cayley graph associated to f: the vertices of this graph are the elements of $\mathbb{F}_2^n$ and there is an edge between two vertices u and v if and only if the vector u + v belongs to the support of f. Then (see [14]) the values $\hat f(a)$, $a \in \mathbb{F}_2^n$, of the Fourier spectrum of f are the eigenvalues of the graph $G_f$ (that is, by definition, the eigenvalues of the adjacency matrix $(M_{u,v})_{u, v \in \mathbb{F}_2^n}$ of $G_f$, whose term $M_{u,v}$ equals 1 if u + v belongs to the support of f, and equals 0 otherwise). Indeed, for every a, the vector $((-1)^{a \cdot v})_{v \in \mathbb{F}_2^n}$ is an eigenvector of M with eigenvalue $\hat f(a)$, since $\sum_{v \in \mathbb{F}_2^n} f(u + v) (-1)^{a \cdot v} = (-1)^{a \cdot u} \hat f(a)$. (When the Fourier transform is normalized by $2^{-n}$, as in some references, the eigenvalues are the spectrum values multiplied by $2^n$.)
As a consequence, the cardinality $N_{\hat f}$ of the support $\{a \in \mathbb{F}_2^n / \hat f(a) \neq 0\}$ of the Fourier transform of any n-variable Boolean function f is greater than or equal to the cardinality $N_{\hat g}$ of the support of the Fourier transform of any restriction g of f, obtained by keeping constant some of its input bits. Indeed, the adjacency matrix $M_g$ of the Cayley graph $G_g$ is a submatrix of the adjacency matrix $M_f$ of the Cayley graph $G_f$; the number $N_{\hat g}$ equals the rank of $M_g$ (these matrices are symmetric, so their rank is their number of nonzero eigenvalues), and is then smaller than or equal to the rank $N_{\hat f}$ of $M_f$.
This property can be generalized to any pseudo-Boolean function $\varphi$. Moreover, a simpler proof is obtained by using Relation (14): let I be any subset of N = {1, …, n}; let E be the vector subspace of $\mathbb{F}_2^n$ equal to $\{x \in \mathbb{F}_2^n / x_i = 0, \forall i \in I\}$; we have $E^\perp = \{x \in \mathbb{F}_2^n / x_i = 0, \forall i \in N \setminus I\}$ and the sum of E and of $E^\perp$ is direct; then, for every $a \in E^\perp$ and every $b \in E$, the equality $\sum_{u \in a + E} (-1)^{b \cdot u} \hat\varphi(u) = |E| \, (-1)^{a \cdot b} \hat\psi(a)$, where $\psi$ is the restriction of $\varphi$ to $b + E^\perp$, implies that, if $N_{\hat\varphi} = k$, that is, if $\hat\varphi(u)$ is nonzero for exactly k vectors $u \in \mathbb{F}_2^n$, then clearly $\hat\psi(a)$ is nonzero for at most k vectors $a \in E^\perp$ (the cosets a + E, $a \in E^\perp$, being pairwise disjoint).
If we apply this property to a Boolean function f and if we choose for g a restriction of odd weight (whose Fourier transform takes therefore nonzero values only), we deduce (see [14]) that $N_{\hat f} \geq 2^d$, where d is the algebraic degree of f (choose a monomial $x^I$ of degree d in the ANF of f; the restriction of f obtained by setting to 0 the coordinates $x_i$, $i \notin I$, has odd weight). Notice that $N_{\hat f}$ equals $2^d$ if and only if at most one element (that is, exactly one) satisfying $\hat f(u) \neq 0$ exists in each coset of E, that is, in each set obtained by keeping constant the coordinates $x_i$ such that $i \in I$.
The number $N_{\hat f}$ is also upper bounded by $\sum_{i=0}^{D} \binom{n}{i}$, where D is the numerical degree of f. This is a direct consequence of Relation (27) and of the observation which follows it.
The graphic viewpoint also gives insight on the Boolean functions whose Fourier spectra have at most three values (see [14]).
A hypergraph can also be related to the ANF of a Boolean function f. A related (weak) upper bound on the nonlinearity of f has been pointed out in [270].

3 Boolean functions and coding

We explained in the introduction how, in error correcting coding, the message is divided into vectors of the same length k, which are transformed into codewords of length n > k before being sent over a noisy channel, in order to enable the correction of the errors of transmission (or of storage, in the case of CD, CD-ROM and DVD) at their reception. A choice of the set of all possible codewords (called the code; let us denote it by C) makes it possible to correct up to t errors (in the transmission of each codeword) if and only if the Hamming distance between any two different codewords is greater than or equal to 2t + 1 (so, if d is the minimum distance between two codewords, the code makes it possible to correct up to $\lfloor \frac{d - 1}{2} \rfloor$ errors, where "⌊ ⌋" denotes the integer part). Indeed, the only information the receiver has, concerning the sent word, is that it belongs to C. In order to be always able to recover the correct codeword, it is necessary that, for every word y at distance at most t from a codeword x, there does not exist another codeword x' at distance at most t from y, and this is equivalent to saying that the Hamming distance between any two different codewords is greater than or equal to 2t + 1. This necessary condition is also sufficient, in principle⁸. Thus, the problem of generating a good code consists in finding a set C of binary words of the same length whose minimum distance $\min_{a, b \in C,\, a \neq b} d_H(a, b)$ (where $d_H(a, b) = |\{i / a_i \neq b_i\}|$) is high⁹.
A code is called a linear code if it has the structure of a linear subspace of $\mathbb{F}_2^N$ where N is its length. The minimum distance of a linear code equals the minimum Hamming weight of all nonzero codewords, since the Hamming distance between two vectors equals the Hamming weight of their difference. We shall write that a linear code is an [N, k, d]-code if it has length N, dimension k and minimum distance d. It can then be described by a generator matrix G, obtained by choosing a basis of this vector space and writing its elements as rows. The code equals the set of all the vectors of the form $u \times G$, where u ranges over $\mathbb{F}_2^k$.
As explained in the introduction, every code whose length equals $2^n$, for some positive integer n, can be interpreted as a set of Boolean functions. This viewpoint has led to the Reed-Muller codes.

3.1 Reed-Muller codes

The existence of Reed-Muller codes comes from the following observation:

Proposition 10 Any two distinct n-variable functions f and g of algebraic degrees at most r have mutual distance at least $2^{n-r}$.

Proof. In order to prove this property, it is necessary and sufficient to show that any nonzero function of algebraic degree d ≤ r has weight at least $2^{n-r}$ (see above what is observed about linear codes). This can be proved by a double induction over r and n (see [187]), but there exists a simpler proof. Let $\prod_{i \in I} x_i$ be a monomial of degree d in the ANF of f; consider the $2^{n-d}$ restrictions of f obtained by keeping constant the n − d coordinates of x whose indices lie outside I. Each of these restrictions, viewed as a function on $\mathbb{F}_2^d$, has an ANF of degree d, because all the monomials different from $\prod_{i \in I} x_i$ in the ANF of f give monomials of degrees strictly less than d when we keep constant the coordinates $x_i$, $i \notin I$. Thus any such restriction has an odd (and hence a nonzero) weight (see Remark 1 of Subsection 2.1). The weight of f being equal to the sum of the weights of its restrictions, f has weight at least $2^{n-d} \geq 2^{n-r}$, which completes the proof. $\square$

⁸ In practice, we still need to have an efficient decoding algorithm to recover the sent codeword; the naive method consisting in visiting all codewords and keeping the nearest one from the received word is inefficient because the number $2^k$ of codewords is too large, in general.
⁹ High with respect to some known bounds giving the necessary trade-offs between the length of the code, the minimum distance between codewords and the number of codewords, see [187, 222].

The functions of Hamming weight $2^{n-r}$ and degree r have been characterized, see a proof in [187]. We give below an original proof which brings a little more insight on the reasons of this characterization.

Proposition 11 The Boolean functions of algebraic degree r and of Hamming weight $2^{n-r}$ are the indicators of (n − r)-dimensional flats (i.e. the functions whose supports are (n − r)-dimensional affine subspaces of $\mathbb{F}_2^n$).

Proof. The indicators of (n − r)-dimensional flats clearly have degree r and Hamming weight $2^{n-r}$. Conversely, let f be a function of algebraic degree r and of Hamming weight $2^{n-r}$. Let $\prod_{i \in I} x_i$ be a monomial of degree r in the ANF of f and let J = {1, …, n} \ I. For every vector $\alpha \in \mathbb{F}_2^J$, let us denote by $f_\alpha$ the restriction of f to the flat $\{x \in \mathbb{F}_2^n ; \forall j \in J, x_j = \alpha_j\}$. According to the proof of Proposition 10, and since f has Hamming weight $2^{n-r}$, each function $f_\alpha$ is the indicator of a singleton $\{a_\alpha\}$. Let us prove that the mapping $a : \alpha \mapsto a_\alpha$ is affine, i.e. that, for every $\alpha, \beta, \gamma \in \mathbb{F}_2^J$, we have $a_{\alpha + \beta + \gamma} = a_\alpha + a_\beta + a_\gamma$ (this will complete the proof of the proposition, since the support of f is then the graph $\{(\alpha, a_\alpha)\}$ of an affine mapping, that is, an (n − r)-dimensional flat). Proving this is equivalent to proving that $f_{\alpha + \beta + \gamma} \oplus f_\alpha \oplus f_\beta \oplus f_\gamma$ has degree at most r − 2. But more generally, for every k-dimensional flat A of $\mathbb{F}_2^J$, the function $\bigoplus_{\alpha \in A} f_\alpha$ has degree at most r − k (this can be easily proved by induction on k, using that f has degree r). $\square$

Remark.
1. The proof of Proposition 10 shows in fact that, if a monomial $\prod_{i \in I} x_i$ has coefficient 1 in the ANF of f, and if every other monomial $\prod_{i \in J} x_i$ such that $I \subset J$ has coefficient 0, then the function has weight at least $2^{n - |I|}$. Applying this observation to the Möbius transform $f^\circ$ of f, whose definition has been given after Relation (2), shows that, if there exists a vector $x \in \mathbb{F}_2^n$ such that f(x) = 1 and f(y) = 0 for every vector y ≠ x whose support contains supp(x), then the ANF of f has at least $2^{n - w_H(x)}$ terms (this has been first observed in [270]). Indeed, the Möbius transform of $f^\circ$ is f.
2. The d-dimensional subspace E of equations $x_i = 0$, $i \notin I$, in the proof of Proposition 10, is a maximal odd weighting subspace: the restriction of f to E has odd weight, and the restriction of f to any of its proper superspaces has even weight (since the restriction of f to any coset of E has odd weight). Similarly as above, it can be proved, see [270], that any Boolean function admitting a d-dimensional maximal odd weighting subspace E has weight at least $2^{n-d}$.

The Reed-Muller code of order $r$ is by definition the set of all Boolean functions of algebraic degrees at most $r$ (or more precisely the set of the binary words of length $2^n$ corresponding to the truth-tables of these functions). Denoted by $R(r, n)$, it is an $F_2$-vector space of dimension $1 + n + \binom{n}{2} + \cdots + \binom{n}{r}$ (since this is the number of monomials of degrees at most $r$) and thus, it has $2^{1 + n + \binom{n}{2} + \cdots + \binom{n}{r}}$ elements.
For $r = 1$, it equals the set of all affine functions. Notice that the weight of any non-constant affine function being equal to the size of an affine hyperplane, it equals $2^{n-1}$.

Historic note: the Reed-Muller code $R(1, 5)$ was used in 1972 for transmitting the first black-and-white photographs of Mars. It has $2^6 = 64$ words of length $2^5 = 32$, with mutual distances at least $2^4 = 16$. Each codeword corresponded to a level of darkness (this made 64 different levels). Up to $\lfloor \frac{16-1}{2} \rfloor = 7$ errors could be corrected in the transmission of each codeword.

$R(r, n)$ is a linear code, i.e. an $F_2$-vector space. Thus, it can be described by a generator matrix $G$. For instance, a generator matrix of the Reed-Muller code $R(1, 4)$ is:

$$G = \begin{pmatrix}
1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 \\
0 & 1 & 0 & 0 & 0 & 1 & 1 & 1 & 0 & 0 & 0 & 1 & 1 & 1 & 0 & 1 \\
0 & 0 & 1 & 0 & 0 & 1 & 0 & 0 & 1 & 1 & 0 & 1 & 1 & 0 & 1 & 1 \\
0 & 0 & 0 & 1 & 0 & 0 & 1 & 0 & 1 & 0 & 1 & 1 & 0 & 1 & 1 & 1 \\
0 & 0 & 0 & 0 & 1 & 0 & 0 & 1 & 0 & 1 & 1 & 0 & 1 & 1 & 1 & 1
\end{pmatrix}$$

(the first line corresponds to the constant function 1 and the other lines correspond to the coordinate functions $x_1, \ldots, x_4$)¹⁰.
For a given linear code $C$ of length $m$ and dimension $k$ having a generator matrix $G$, a possible encoding algorithm is the mapping $u \in F_2^k \mapsto u \times G \in F_2^m$. Thus, the generator matrix permits to generate the codewords, but it is not well suited for checking if a received word of length $m$ is a codeword or not. A characterization of the codewords is obtained thanks to the generator matrix $H$ of the dual $C^\perp = \{x \in F_2^m /\ \forall y \in C,\ x \cdot y = \bigoplus_{i=1}^m x_i y_i = 0\}$ (such a matrix is called a parity-check matrix): we have $x \in C$ if and only if $x \times H^t$ is the null vector.

¹⁰ We have chosen to order the words of length 4 in increasing weights; we could have chosen other orderings; this would have led to other codes, but equivalent ones, having the same parameters (a code $C$ is said to be equivalent to another code $C'$ if there exists a permutation $\sigma$ on $\{1, \ldots, m\}$ such that $C = \{(x_{\sigma(1)}, \ldots, x_{\sigma(m)}) /\ x \in C'\}$).
The case of Reed-Muller codes is simple:

Proposition 12 The dual $R(r, n)^\perp = \{f \in BF_n /\ \forall g \in R(r, n),\ f \cdot g = \bigoplus_{x \in F_2^n} f(x) g(x) = 0\}$ equals $R(n - r - 1, n)$.

Proof. We have seen at Subsection 2.1 that the functions in $BF_n$ whose weights are even are the elements of $R(n - 1, n)$. Thus, $R(r, n)^\perp$ is the set of those functions $f$ such that, for every function $g$ of algebraic degree at most $r$, the product function $fg$ has algebraic degree at most $n - 1$. This is clearly equivalent to the fact that $f$ has algebraic degree at most $n - r - 1$. □

The Reed-Muller codes are invariant under the action of the general affine group. The sets $R(r, n)$ or $R(r, n)/R(r', n)$ have been classified under this action for some values of $r$, of $r' < r$ and of $n$, see [133, 135, 20, 188, 249, 250].

The open problem of the weight distribution of Reed-Muller codes, MacWilliams' identity and the notion of dual distance. What are the possible distances between the words of $R(r, n)$, or equivalently the possible weights in $R(r, n)$? The answer, which is useful for improving the efficiency of the decoding algorithms and for evaluating their complexities, is known for every $n$ if $r \le 2$: see Subsection 5.1. For $r \ge n - 3$, it can also be deduced from the very nice relationship, due to F. J. MacWilliams, existing between every linear code and its dual: let $C$ be any binary linear code of length $m$; consider the polynomial $W_C(X, Y) = \sum_{i=0}^m A_i X^{m-i} Y^i$ where $A_i$ is the number of codewords of weight $i$. This polynomial is called the weight enumerator of $C$ and describes¹¹ the weight distribution $(A_i)_{0 \le i \le m}$ of $C$. Then (see [187, 222])

$$W_C(X + Y, X - Y) = |C|\, W_{C^\perp}(X, Y). \qquad (30)$$

We give only a sketch of proof of this MacWilliams' identity: we observe first that $W_C(X, Y) = \sum_{x \in C} \prod_{i=1}^m X^{1 - x_i} Y^{x_i}$; we deduce $W_C(X + Y, X - Y) = \sum_{x \in C} \prod_{i=1}^m (X + (-1)^{x_i} Y)$; applying a classical method of expansion, we derive $W_C(X + Y, X - Y) = \sum_{x \in C} \sum_{b \in F_2^m} \prod_{i=1}^m X^{1 - b_i} ((-1)^{x_i} Y)^{b_i}$ (for $b_i = 0$, we choose $X$ in the factor $X + (-1)^{x_i} Y$; and for $b_i = 1$, we choose $(-1)^{x_i} Y$; all the different possible choices are taken into account by considering all binary words $b$ of length $m$). We obtain then $W_C(X + Y, X - Y) = \sum_{b \in F_2^m} X^{m - w_H(b)} Y^{w_H(b)} \sum_{x \in C} (-1)^{b \cdot x}$ and we conclude by using Relation (13) with $E = C$.

¹¹ $W_C$ is a homogeneous version of the classical generating series for the weight distribution of $C$.
The MacWilliams identity permits, theoretically, to deduce the weight distribution of $R(n - r - 1, n)$ from the weight distribution of $R(r, n)$ (in fact, to actually determine this weight distribution, it is necessary to be able to explicitly expand the factors $(X + Y)^{m-i} (X - Y)^i$ and to simplify the obtained expression for $W_C(X + Y, X - Y)$; this is not possible for all values of $n$). But this gives no information for the cases $3 \le r \le n - 4$ which remain unsolved (except for small values of $n$, see [13], and for $n = 2r$, because the code is then self-dual, see [187, 222]). McEliece's theorem [200] (or Ax's theorem [8]) shows that the weights (and thus the distances) in $R(r, n)$ are all divisible by $2^{\lceil n/r \rceil - 1} = 2^{\lfloor (n-1)/r \rfloor}$ (this can also be shown by using the properties of the NNF, see [73]). Moreover, if $f$ has degree $d$ and $g$ has degree $d' \le d$, then $d_H(f, g) \equiv w_H(f) \pmod{2^{\lceil (n - d')/d \rceil}}$ [157]. In [26], A. Canteaut gives further properties of the weights in $f \oplus R(1, n)$. Kasami and Tokura [155] have shown that the only weights in $R(r, n)$ occurring in the range $[2^{n-r};\ 2^{n-r+1}[$ are of the form $2^{n-r+1} - 2^i$ for some $i$; and they have completely characterized the codewords with these weights (and computed their number).
The principle of MacWilliams identity can also be applied to nonlinear codes. When $C$ is not linear, the weight distribution of $C$ has no great relevance. The distance distribution has more interest. We consider the distance enumerator of $C$: $D_C(X, Y) = \frac{1}{|C|} \sum_{i=0}^m B_i X^{m-i} Y^i$, where $B_i$ is the size of the set $\{(x, y) \in C^2 /\ d_H(x, y) = i\}$. Note that, if $C$ is linear, then $D_C = W_C$. Similarly as above, we see that $D_C(X, Y) = \frac{1}{|C|} \sum_{(x, y) \in C^2} \prod_{i=1}^m X^{1 - (x_i \oplus y_i)} Y^{x_i \oplus y_i}$; we deduce that the polynomial $D_C(X + Y, X - Y)$ equals $\frac{1}{|C|} \sum_{(x, y) \in C^2} \prod_{i=1}^m (X + (-1)^{x_i \oplus y_i} Y)$. Expanding these products, we obtain $\frac{1}{|C|} \sum_{(x, y) \in C^2} \sum_{b \in F_2^m} \prod_{i=1}^m X^{1 - b_i} ((-1)^{x_i \oplus y_i} Y)^{b_i}$, that is $D_C(X + Y, X - Y) = \frac{1}{|C|} \sum_{b \in F_2^m} X^{m - w_H(b)} Y^{w_H(b)} \left( \sum_{x \in C} (-1)^{b \cdot x} \right)^2$.
The minimum nonzero exponent of $Y$ in the polynomial $D_C(X + Y, X - Y)$, that is, the number $\min\{w_H(b);\ b \ne 0,\ \sum_{x \in C} (-1)^{b \cdot x} \ne 0\}$, is usually denoted by $d^\perp$ and is called the dual distance of $C$. Note that the maximum number $j$ such that the sum $\sum_{x \in C} (-1)^{b \cdot x}$ is null for every nonzero vector $b$ of weight at most $j$, equals $d^\perp - 1$ (see more in [99, 100]). This property will be useful at Subsection 4.1.
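As an added worked example (not code from the chapter), the following Python builds a generator matrix of $R(r, n)$ from the monomials, checks Proposition 12 by verifying that every row of $R(1, 4)$ is orthogonal to every row of $R(2, 4)$ and by using the latter as a parity-check matrix, computes the weight distribution of $R(2, 4)$ from that of $R(1, 4)$ through identity (30) by expanding the factors $(X + Y)^{m-i}(X - Y)^i$, and computes the dual distance $d^\perp$ of a code from the sums $\sum_{x \in C} (-1)^{b \cdot x}$, both for the self-dual code $R(1, 3)$ and for the support of a Boolean function (the nonlinear case that Subsection 4.1 relies on). The function `f_example` and the lexicographic ordering of the inputs are choices made for this example.

```python
from itertools import combinations, product
from math import comb


def points(n):
    """The 2^n vectors of F_2^n in lexicographic order (the text orders them by
    weight instead; this only permutes coordinates and gives an equivalent code)."""
    return list(product((0, 1), repeat=n))


def dot(a, b):
    """Scalar product a . b over F_2."""
    return sum(ai * bi for ai, bi in zip(a, b)) % 2


def rm_generator(r, n):
    """Generator matrix of R(r, n): one row (truth table) per monomial of degree <= r."""
    pts = points(n)
    return [tuple(int(all(x[i] for i in I)) for x in pts)
            for d in range(r + 1) for I in combinations(range(n), d)]


def span(rows):
    """All codewords u x G for u in F_2^k (fine for the small k used here)."""
    m = len(rows[0])
    return {tuple(sum(ui * row[j] for ui, row in zip(u, rows)) % 2 for j in range(m))
            for u in product((0, 1), repeat=len(rows))}


def is_codeword(word, H):
    """Parity check with H a generator matrix of the dual code: word x H^t = 0."""
    return all(dot(word, h) == 0 for h in H)


def weight_distribution(code, m):
    """(A_i)_{0 <= i <= m}: number of codewords of each weight."""
    A = [0] * (m + 1)
    for w in code:
        A[sum(w)] += 1
    return A


def macwilliams_dual_distribution(A, size):
    """Weight distribution of C^perp from that of C, by expanding identity (30):
    W_C(X+Y, X-Y) = sum_i A_i (X+Y)^(m-i) (X-Y)^i = |C| W_{C^perp}(X, Y)."""
    m = len(A) - 1
    B = [0] * (m + 1)
    for i, Ai in enumerate(A):
        for j in range(m - i + 1):        # Y^j taken from (X+Y)^(m-i)
            for k in range(i + 1):        # (-Y)^k taken from (X-Y)^i
                B[j + k] += Ai * comb(m - i, j) * comb(i, k) * (-1) ** k
    assert all(b % size == 0 for b in B)  # the identity guarantees divisibility by |C|
    return [b // size for b in B]


def dual_distance(code, m):
    """d^perp = min{ w_H(b) : b != 0, sum_{x in C} (-1)^(b.x) != 0 }, defined for
    any code C, linear or not (C is a set of m-bit tuples)."""
    best = None
    for b in points(m):
        w = sum(b)
        if w and sum((-1) ** dot(b, x) for x in code) != 0 and (best is None or w < best):
            best = w
    return best


def support(f, n):
    """The support {x : f(x) = 1} of a Boolean function, viewed as a (nonlinear) code."""
    return {x for x in points(n) if f(x)}


def f_example(x):
    """x1 + x2 + x3 x4 (constructed): its support has dual distance 2."""
    return x[0] ^ x[1] ^ (x[2] & x[3])


if __name__ == "__main__":
    G1, G2 = rm_generator(1, 4), rm_generator(2, 4)
    C1 = span(G1)
    print("rows of R(1,4) orthogonal to rows of R(2,4):",
          all(dot(g, h) == 0 for g in G1 for h in G2))        # Proposition 12
    A = weight_distribution(C1, 16)
    print("weight distribution of R(1,4):", A)
    print("weight distribution of R(2,4) via (30):", macwilliams_dual_distribution(A, len(C1)))
    print("dual distance of R(1,3):", dual_distance(span(rm_generator(1, 3)), 8))
    print("dual distance of supp(f_example):", dual_distance(support(f_example, 4), 4))
```

The computed distribution of $R(2, 4)$ is recovered exactly because identity (30) divides the expanded polynomial by $|C| = 32$; the same routine applied to the weight distribution of $R(2, 4)$ gives back that of $R(1, 4)$.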

It is shown in [43] (see also the remark of Subsection 5.1) that for every Boolean function $f$ on $F_2^n$, there exists an integer $m$ and a Boolean function $g$ of algebraic degree at most 3 on $F_2^{n+2m}$ whose Walsh transform takes value $\widehat{g_\chi}(0) = 2^m \widehat{f_\chi}(0)$ at 0 (the null vector). This means that the weight of $f$ is related to the weight of $g$ in a simple way. This shows that the distances in $R(3, n)$ can be very diverse, contrary to those in $R(2, n)$.

4 Boolean functions and cryptography


Stream ciphers are based on the so-called Vernam cipher (see Figure 1) in
which the plaintext (say a binary string of some length) is bitwise added to
a (binary) secret key of the same length, in order to produce the ciphertext.
The Vernam cipher is also called the one time pad because a new random
secret key must be used for every encryption. Indeed, the bitwise addition
of two ciphertexts corresponding to the same key equals the addition of the
corresponding plaintexts, which gives much information on these plaintexts
(it is often enough to recover both plaintexts; some secret services learned
this at their own expense!).

Figure 1: Vernam cipher (Plaintext ⊕ Key = Ciphertext on the sender's side; Ciphertext ⊕ Key = Plaintext on the recipient's side)

The Vernam cipher, which is the only known cipher offering uncondi-
tional security (see [244]) if the key is truly random and if it is changed for
every new encryption, was used for the communication between the heads of
USA and USSR during the cold war (the keys being carried by diplomats)
and by some secret services.
In practice, since the length of the private key must be equal to the
length of the plaintext, pseudo-random generators are most often used in
order to minimize the size of the private key (but the unconditional security
is then no longer ensured): a method (shared by the sender and the recipient)

is chosen for producing long pseudo-random sequences from short random
secret keys (only the latter are actually shared, together with the method).
The pseudo-random sequence is used in the place of the key in a Vernam
cipher. Stream ciphers, because they operate on data units as small as
a bit or a few bits, are suitable for fast telecommunication applications.
Having also a very simple construction, they are easily implemented both
in hardware and software.
The first method for generating a pseudo-random sequence from a secret key used Linear Feedback Shift Registers (LFSR). In such an LFSR (see Figure 2), at every clock-cycle, the bits $s_{n-1}, \ldots, s_{n-L}$ contained in the flip-flops of the LFSR move to the right. The left-most flip-flop is fed with the linear combination $\bigoplus_{i=1}^L c_i s_{n-i}$. Thus, such an LFSR outputs a recurrent sequence satisfying the relation

$$s_n = \bigoplus_{i=1}^L c_i s_{n-i}.$$

Figure 2: LFSR (cells $s_{n-1}, \ldots, s_{n-L+1}, s_{n-L}$ shifting to the right, with feedback taps $\times c_1, \ldots, \times c_{L-1}, \times c_L$ added into $s_n$)

Such sequence is always ultimately periodic¹² (if $c_L = 1$, then it is periodic; we shall assume that $c_L = 1$ in the sequel) with period at most $2^L - 1$. The short secret key gives then the initialization $s_0, \ldots, s_{L-1}$ of the LFSR and the values of the feedback coefficients $c_i$ (these must be kept secret; otherwise, the observation of $L$ consecutive bits of the key would permit to recover all the subsequent sequence).
But these LFSRs are cryptographically weak because of Berlekamp-Massey algorithm [197]: let $L$ be the length of the minimum LFSR producing the same sequence (this length, called the linear complexity of the sequence, is assumed to be unknown from the attacker), then if we know at least $2L$ consecutive bits, Berlekamp-Massey algorithm recovers the values of $L$ and of the $c_i$'s and the initialization of the sequence. So, the attacker only needs in practice to know about 20 consecutive bits. The modern way of avoiding this attack is by using Boolean functions, the most usual way being with Combining Boolean functions (see Figure 3).

¹² Conversely, every ultimately periodic sequence can be generated by at least one LFSR.

Figure 3: Combining function (LFSR 1, LFSR 2, ..., LFSR n produce the inputs $x_1, x_2, \ldots, x_n$ of $f$, whose value is the output bit $s_i$)

Such system clearly outputs a periodic sequence (whose period is at most
the LCM of the periods of the sequences output by the n LFSRs). So, this
sequence is also recurrent and can therefore be produced by a single LFSR.
However, well-chosen Boolean functions allow the linear complexity of the
sequence to be much larger than the sum of the lengths of the n LFSRs.
Nevertheless, choosing f such that the linear complexity and the period are
large enough is not sufficient. The combining function should also not leak
information about the individual LFSRs.
Notice that the feedback coefficients of the n LFSRs used in such a generator
can be public. The Boolean function is also public, in general, and the short
secret key gives only the initialization of the n LFSRs: if we want to use for
instance a 120 bit long secret key, this permits to use n LFSRs of lengths
L1 , . . . , Ln such that L1 + · · · + Ln = 120.
Other ways of using Boolean functions exist. A filtered LFSR does not
output the bit contained in the right-most flip-flop, but outputs f (x1 , . . . , xn )
where f is some n-variable Boolean function, called a filtering function
and where x1 , . . . , xn are the bits contained in some flip-flops of the LFSR,
see Figure 4.
Such system is equivalent to the combining system¹³. A Feedback Shift Register has the same structure as an LFSR, but the left-most flip-flop is fed with $f(x_1, \ldots, x_n)$ where $n \le L$, $f$ is some $n$-variable Boolean function and where $x_1, \ldots, x_n$ are bits contained in the flip-flops of the FSR. The linear complexity of the produced sequence can then be potentially near $2^L$. But there does not exist much published work on this subject (see [147] for general FSRs and [80] for FSRs with quadratic function $f$) and the linear complexity is difficult to study in general.

Figure 4: Filtering function (the LFSR cells $s_{i+L-1}, \ldots, s_{i+1}, s_i$ provide the inputs $x_1, \ldots, x_i, \ldots, x_n$ of $f(x_1, x_2, \cdots, x_n)$, whose value is the output)

¹³ However, the attacks, even when they apply to both systems – the original one and the equivalent one – may not work quite similarly. Consequently, the criteria that the involved Boolean functions must satisfy because of these attacks may be different for the original system and for the equivalent one.

Boolean functions also play an important role in block ciphers. A first observation is that every block cipher admits as input a binary vector $(x_1, \ldots, x_n)$ (a block of plaintext) and outputs a binary vector $(y_1, \ldots, y_m)$; the coordinates $y_1, \ldots, y_m$ are the outputs to Boolean functions (depending on the key) whose common input is $(x_1, \ldots, x_n)$, see Figure 5. But the number $n$ of variables of these Boolean functions being large (most often, more than a hundred), these functions could not be analyzed. Boolean functions on fewer variables are in fact involved in the ciphers. All known block ciphers are the iterations of a number of rounds (at most 16).

Figure 5: Block cipher (the plaintext $x_1, \ldots, x_n$ and the key enter $E$, which outputs the ciphertext $y_1, \ldots, y_m$)

We give in Figures 6 and 7 a description of these rounds for the DES and for the AES. The input to a DES round is a binary string of length 64, divided into two strings of 32 bits each (in the figure, they enter the round, from above, on the left and on the right); confusion is achieved by the S-box, which is a nonlinear transformation of a binary string of 48 bits¹⁴ into a 32 bit long one. So, 32 Boolean functions on 48 variables are involved. But, in fact, this nonlinear transformation is the concatenation of eight sub-S-boxes, which transform binary strings of 6 bits into 4 bit long ones. So, 32 (that is, $8 \times 4$) Boolean functions on 6 variables are involved.
In the (standard) AES round, the input is a 128 bit long string, divided into 16 strings of 8 bits each; the S-box is the concatenation of 16 sub-S-boxes corresponding to $16 \times 8$ Boolean functions on 8 variables.
A block cipher being considered, the individual properties of all the involved Boolean functions can be studied (see Subsection 4.1), but this is not sufficient. The whole sub-S-boxes must be globally studied (see the chapter "Vectorial Boolean Functions for Cryptography").

Figure 6: A DES round (the expansion $E$, the S-box $S$, the permutation $P$ and the round key additions)

¹⁴ The E-box has expanded the 32 bit long string into a 48 bit long one.

Figure 7: An AES round (the sub-S-boxes $S_1, \ldots, S_{16}$, a linear permutation, then the addition of the round key)

4.1 Cryptographic criteria for Boolean functions


The design of conventional cryptographic systems relies on two fundamental principles introduced by Shannon [244]: confusion and diffusion. Confusion aims at concealing any algebraic structure in the system. It is closely related to the complexity¹⁵ of the involved Boolean functions. Diffusion consists in spreading out the influence of any minor modification of the input data or of the key over all outputs. These two principles were stated more than half a century ago. Since then, many attacks have been found against the diverse known cryptosystems, and the relevance of these two principles has always been confirmed. The known attacks on each cryptosystem lead to criteria [204, 223, 245] that the implemented cryptographic functions must satisfy. More precisely, the resistance of the cryptosystems to the known attacks can be quantified through some fundamental characteristics (some, more related to confusion, and some, more related to diffusion) of the Boolean functions used in them; and the design of these cryptographic functions needs to consider various characteristics simultaneously. Some of these characteristics are affine invariants, i.e. are invariant under affine equivalence (recall that two functions $f$ and $g$ on $F_2^n$ are called affinely equivalent if there exists a linear isomorphism $L$ from $F_2^n$ to $F_2^n$ and a vector $a$ such that $f(x) = g(L(x) + a)$ for every input $x \in F_2^n$) and some are not. Of course, all characteristics cannot be optimum at the same time, and trade-offs must be considered (see below).

¹⁵ That is, cryptographic complexity, which is different from circuit complexity, for instance.

The algebraic degree: cryptographic functions must have high algebraic degrees. Indeed, all cryptosystems using Boolean functions for confusion (combining functions in stream ciphers, functions involved in the S-boxes of block ciphers, ...) can be attacked if the functions have low degrees. For instance, in the case of combining functions, if $n$ LFSRs having lengths $L_1, \ldots, L_n$ are combined by the function

$$f(x) = \bigoplus_{I \in \mathcal{P}(N)} a_I \left( \prod_{i \in I} x_i \right),$$

where $\mathcal{P}(N)$ denotes the power set of $N = \{1, \ldots, n\}$; then (see [234]) the sequence produced by $f$ can be obtained by a single LFSR of length

$$L \le \sum_{I \in \mathcal{P}(N)} a_I \left( \prod_{i \in I} L_i \right).$$

The algebraic degree of $f$ (i.e. the largest size of $I$ such that $a_I = 1$) has to be high so that $L$ can have high value (the number of those nonzero coefficients $a_I$, in the ANF of $f$, such that $I$ has large size, also plays a role, but a less important one). In the case of block ciphers, using Boolean functions of low degrees makes the higher differential attack [162, 169] effective.
When $n$ tends to infinity, random Boolean functions have almost surely algebraic degrees at least $n - 1$ since the number of Boolean functions of algebraic degrees at most $n - 2$ equals $2^{\sum_{i=0}^{n-2} \binom{n}{i}} = 2^{2^n - n - 1}$ and is negligible with respect to the number $2^{2^n}$ of all Boolean functions. But we shall see that the functions of algebraic degrees $n - 1$ or $n$ do not permit to achieve good characteristics (nonlinearity, resiliency, ...).
We have seen at Subsection 2.1 that the algebraic degree is an affine invariant.
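The bound above, together with the LFSR recurrence and the combining generator of Figures 2 and 3 in Section 4, can be checked on a toy instance. The following Python is an added example, not code from the chapter: it simulates an LFSR with the recurrence $s_n = \bigoplus_{i=1}^L c_i s_{n-i}$, runs the Berlekamp-Massey algorithm on $2L$ output bits to recover $L$ and the $c_i$ (the weakness recalled in Section 4, which is why the Boolean combiner is needed), and then combines three LFSRs of lengths 3, 4 and 5 (primitive feedback polynomials and seeds chosen for the example) with the Geffe function $x_1 x_2 \oplus x_2 x_3 \oplus x_3$, comparing the linear complexity measured by Berlekamp-Massey with the bound $\sum_I a_I \prod_{i \in I} L_i$.

```python
def lfsr(init, c, nbits):
    """Output nbits bits of the LFSR of Figure 2: init = (s_0, ..., s_{L-1}),
    c = (c_1, ..., c_L) and s_n = c_1 s_{n-1} + ... + c_L s_{n-L} (mod 2)."""
    L = len(c)
    s = list(init)
    while len(s) < nbits:
        s.append(sum(c[i - 1] & s[-i] for i in range(1, L + 1)) % 2)
    return s[:nbits]


def berlekamp_massey(s):
    """Shortest LFSR generating the bit sequence s: returns (L, (c_1, ..., c_L)).
    Given at least 2L bits of a sequence of linear complexity L, the answer is exact."""
    n = len(s)
    C = [1] + [0] * n          # current connection polynomial 1 + C[1] x + ... + C[L] x^L
    B = [1] + [0] * n          # connection polynomial before the last length change
    L, m = 0, -1               # current length, position of the last length change
    for i in range(n):
        d = s[i]               # discrepancy between s_i and the prediction of C
        for j in range(1, L + 1):
            d ^= C[j] & s[i - j]
        if d:
            T = C[:]
            shift = i - m
            for j in range(n + 1 - shift):
                C[j + shift] ^= B[j]
            if 2 * L <= i:
                L, m, B = i + 1 - L, i, T
    return L, tuple(C[1:L + 1])


def geffe(x1, x2, x3):
    """Combining function f(x) = x1 x2 + x2 x3 + x3 (ANF terms {1,2}, {2,3}, {3})."""
    return (x1 & x2) ^ (x2 & x3) ^ x3


def combine(f, streams):
    """Feed the i-th bit of every LFSR output into f, as in Figure 3."""
    return [f(*bits) for bits in zip(*streams)]


def linear_complexity_bound(anf_terms, lengths):
    """Sum, over the monomials I with a_I = 1, of the product of the L_i for i in I."""
    total = 0
    for I in anf_terms:
        p = 1
        for i in I:
            p *= lengths[i]
        total += p
    return total


def geffe_demo(nbits=200):
    """Measured linear complexity of the Geffe output vs. the bound (constructed instance)."""
    # feedback polynomials 1+x^2+x^3, 1+x+x^4, 1+x^2+x^5 (all primitive) and nonzero seeds
    taps = [(0, 1, 1), (1, 0, 0, 1), (0, 1, 0, 0, 1)]
    seeds = [(1, 0, 1), (1, 0, 0, 0), (1, 1, 0, 1, 0)]
    streams = [lfsr(seed, c, nbits) for seed, c in zip(seeds, taps)]
    L_found, _ = berlekamp_massey(combine(geffe, streams))
    bound = linear_complexity_bound([(0, 1), (1, 2), (2,)], (3, 4, 5))
    return L_found, bound


if __name__ == "__main__":
    s = lfsr((1, 0, 0, 0), (1, 0, 0, 1), 30)
    print("LFSR output:", s)
    print("(L, taps) recovered from the first 8 bits:", berlekamp_massey(s[:8]))
    print("Geffe generator: measured linear complexity and bound =", geffe_demo())
```

With the chosen lengths the bound is $3 \cdot 4 + 4 \cdot 5 + 5 = 37$, far above the sum $3 + 4 + 5 = 12$ of the register lengths, and the measured linear complexity reaches it; the same Berlekamp-Massey routine applied to a single register's output needs only $2L$ bits to return its length and taps.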

The nonlinearity: in order to provide confusion, cryptographic functions must lie at large Hamming distance to all affine functions. Let us explain why. We shall say that there is a correlation between a Boolean function $f$ and a linear function $\ell$ if $d_H(f, \ell)$ is different from $2^{n-1}$. Because of Parseval's Relation (20) applied to the sign function $f_\chi$ and of Relation (11), any Boolean function has correlation with some linear functions of its input. But this correlation should be small: the existence of affine approximations of the Boolean functions involved in a cryptosystem permits in various situations (block ciphers, stream ciphers) to build attacks on this system (see [124, 199]). The nonlinearity of $f$ is the minimum Hamming distance between $f$ and affine functions. It must be high (in a sense that will be clarified below). The nonlinearity criterion can be quantified through the Walsh transform: let $\ell_a(x) = a_1 x_1 \oplus \cdots \oplus a_n x_n = a \cdot x$ be any linear function; according to Relation (11), we have $d_H(f, \ell_a) = 2^{n-1} - \frac{1}{2} \widehat{f_\chi}(a)$ and we deduce $d_H(f, \ell_a \oplus 1) = 2^{n-1} + \frac{1}{2} \widehat{f_\chi}(a)$; the nonlinearity of $f$ is therefore equal to:

$$NL(f) = 2^{n-1} - \frac{1}{2} \max_{a \in F_2^n} |\widehat{f_\chi}(a)|. \qquad (31)$$

The nonlinearity is an affine invariant, by definition, since $d_H(f \circ L, \ell \circ L) = d_H(f, \ell)$, for every functions $f$ and $\ell$, and for every affine automorphism $L$, and since $\ell \circ L$ ranges over the whole set of affine functions when $\ell$ does.
Parseval's Relation (20) applied to $f_\chi$ gives $\sum_{a \in F_2^n} \widehat{f_\chi}^2(a) = 2^{2n}$, and implies that the mean of $\widehat{f_\chi}^2(a)$ equals $2^n$. The maximum of $\widehat{f_\chi}^2(a)$ being greater than or equal to its mean (and we shall use below the property that equality occurs if and only if $\widehat{f_\chi}^2(a)$ is constant), we deduce that $\max_{a \in F_2^n} |\widehat{f_\chi}(a)| \ge 2^{n/2}$. This implies

$$NL(f) \le 2^{n-1} - 2^{n/2 - 1}. \qquad (32)$$

This bound, valid for every Boolean function, will be called the covering radius bound (since this is the value of the covering radius of the Reed-Muller code of order 1 if $n$ is even). It can be improved when we restrict ourselves to sub-classes of functions (e.g. resilient and correlation-immune functions, see Section 7). A Boolean function will be considered as highly nonlinear if its nonlinearity lies near the upper bound corresponding to the class of functions to which it belongs. The meaning of "near" depends on the framework, see [151]. D. Olejár and M. Stanek [214] have shown that, when $n$ tends to infinity, random Boolean functions on $F_2^n$ have almost surely nonlinearity greater than $2^{n-1} - \sqrt{n}\, 2^{\frac{n-1}{2}}$ (this is easy to prove by counting the number of functions whose nonlinearities are upper bounded by a given number, see [57]).
Equality occurs in (32) if and only if $|\widehat{f_\chi}(a)|$ equals $2^{n/2}$ for every vector $a$.

The corresponding functions are called bent functions. They exist only for even values of $n$, because $2^{n-1} - 2^{n/2 - 1}$ must be an integer (in fact, they exist for every $n$ even, see Section 6). They have the property that, for every even $w$, the sum $\sum_{a \in F_2^n} \widehat{f_\chi}^w(a)$ is minimum. Note that such sums (for even or odd $w$) play a role with respect to fast correlation attacks (see below for more on correlation attacks and see [38, 31] for the fact that when these sums have small magnitude, for low values of $w$, this contributes to a good resistance to fast correlation attacks).
For $n$ odd, Inequality (32) cannot be tight. The maximum nonlinearity of $n$-variable Boolean functions lies then between $2^{n-1} - 2^{\frac{n-1}{2}}$ (which can always be achieved by quadratic functions, see Subsection 5.1) and $2^{n-1} - 2^{n/2 - 1}$. It has been shown in [127, 209] that it equals $2^{n-1} - 2^{\frac{n-1}{2}}$ when $n = 1, 3, 5, 7$, and in [220], by Patterson and Wiedemann¹⁶, that it is greater than $2^{n-1} - 2^{\frac{n-1}{2}}$ if $n \ge 15$ (a review on what is known on the best nonlinearities of functions on odd numbers of variables is given in [113]).
The maximum Hamming distance between a general Boolean function and $R(1, n)$, i.e. the maximum nonlinearity of all Boolean functions, is the covering radius of $R(1, n)$ (i.e. the minimum integer $t$ such that every binary word of length $2^n$ lies at Hamming distance at most $t$ from at least one codeword). The covering radius of a code is an important parameter [87], which can be used for analyzing and improving the decoding algorithms devoted to this code. The nonlinearity of a Boolean function $f$ equals the minimum distance of the linear code $R(1, n) \cup (f \oplus R(1, n))$. More generally, the minimum distance of a code defined as the union of cosets $f \oplus R(1, n)$, $f \in F$, equals the minimum nonlinearity of the functions $f \oplus g$, where $f$ and $g$ are distinct and range over $F$. This observation permits to construct good nonlinear codes such as Kerdock codes (see Subsection 6.10).
Bent functions being not balanced (i.e. their values being not uniformly distributed, see below), they are improper for use in cryptosystems¹⁷ (see below). For this reason, even when they exist (for $n$ even), it is also necessary to study those functions which have large but not optimal nonlinearities, say between $2^{n-1} - 2^{\frac{n-1}{2}}$ and $2^{n-1} - 2^{n/2 - 1}$, among which some balanced functions exist. The maximum nonlinearity of balanced functions is unknown for any $n \ge 8$.
Two relations have been observed in [266, 269] between the nonlinearity and the derivatives of Boolean functions: applying Relation (24) to linear hyperplanes $E$ and with $b = 0$, we have: $NL(f) \le 2^{n-1} - \frac{1}{2} \sqrt{2^n + \max_{e \ne 0} |\mathcal{F}(D_e f)|}$. And the obvious relation $w_H(f) \ge \frac{1}{2} w_H(D_e f)$, valid for every $e \in F_2^n$, leads when applied to the functions $f \oplus \ell$, where $\ell$ is affine, to the lower bound $NL(f) \ge 2^{n-2} - \frac{1}{4} \min_{e \ne 0} |\mathcal{F}(D_e f)|$.
Another lower bound on the nonlinearity is a consequence of Remark 2 after Proposition 10: if $f$ admits a maximal odd weighting subspace $E$ of dimension $d \ge 2$, then for every affine function $\ell$, the function $f \oplus \ell$ also admits $E$ as maximal odd weighting subspace (since the restriction of $\ell$ to $E$ and to any of its superspaces has an even weight) and thus has nonlinearity at least $2^{n-d}$.

¹⁶ It has been later proved (see [242, 107] and [195, 163]) that balanced functions with nonlinearity strictly greater than $2^{n-1} - 2^{\frac{n-1}{2}}$, and with algebraic degree $n - 1$, or satisfying $PC(1)$, exist for every odd $n \ge 15$.
¹⁷ As soon as $n$ is large enough (say $n \ge 20$), the difference $2^{n/2 - 1}$ between their weights and the weight $2^{n-1}$ of balanced functions is very small with respect to this weight. However, according to [9, Theorem 6], $2^n$ bits of the pseudo-random sequence output by $f$ are enough to distinguish it from a random sequence. Nevertheless, we shall see at Section 6 that highly nonlinear functions can be built from bent functions.
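As an added example (not part of the chapter), the following Python computes $NL(f)$ both from Relation (31) and directly as the minimum distance to the $2^{n+1}$ affine functions, tests the bent condition (equality in (32)), evaluates the two derivative bounds just recalled, and, by exhausting the 256 functions on 3 variables, recovers the value $2^{n-1} - 2^{\frac{n-1}{2}} = 2$ of the covering radius of $R(1, 3)$ stated above for $n = 3$. The two 4-variable functions `bent4` and `balanced4` are constructed for the example.

```python
from itertools import product
from math import sqrt


def points(n):
    return list(product((0, 1), repeat=n))


def dot(a, b):
    return sum(ai * bi for ai, bi in zip(a, b)) % 2


def walsh(f, n):
    """Walsh transform of the sign function: f_chi^(a) = sum_x (-1)^(f(x) + a.x)."""
    pts = points(n)
    return {a: sum((-1) ** (f(x) ^ dot(a, x)) for x in pts) for a in pts}


def nonlinearity(f, n):
    """Relation (31): NL(f) = 2^(n-1) - (1/2) max_a |f_chi^(a)|."""
    return 2 ** (n - 1) - max(abs(v) for v in walsh(f, n).values()) // 2


def nonlinearity_by_definition(f, n):
    """Minimum Hamming distance of f to the 2^(n+1) affine functions a.x + c."""
    pts = points(n)
    return min(sum(f(x) ^ dot(a, x) ^ c for x in pts) for a in pts for c in (0, 1))


def is_bent(f, n):
    """Equality in (32): |f_chi^(a)| = 2^(n/2) for every a (only possible for n even)."""
    return n % 2 == 0 and all(abs(v) == 2 ** (n // 2) for v in walsh(f, n).values())


def derivative_sums(f, n):
    """F(D_e f) = sum_x (-1)^(f(x) + f(x+e)) for every nonzero e."""
    pts = points(n)
    return {e: sum((-1) ** (f(x) ^ f(tuple(xi ^ ei for xi, ei in zip(x, e)))) for x in pts)
            for e in pts if any(e)}


def derivative_bounds(f, n):
    """The two bounds of [266, 269] recalled in the text:
    2^(n-2) - min_e |F(D_e f)| / 4  <=  NL(f)  <=  2^(n-1) - sqrt(2^n + max_e |F(D_e f)|) / 2."""
    F = [abs(v) for v in derivative_sums(f, n).values()]
    return 2 ** (n - 2) - min(F) / 4, 2 ** (n - 1) - sqrt(2 ** n + max(F)) / 2


def check_all_functions(n):
    """Check (31) against the definition, the covering radius bound (32) and the
    derivative bounds on all 2^(2^n) functions; return the maximum nonlinearity,
    i.e. the covering radius of R(1, n)."""
    pts = points(n)
    best = 0
    for table in product((0, 1), repeat=2 ** n):
        f = dict(zip(pts, table)).__getitem__      # f(x) looked up in its truth table
        nl = nonlinearity(f, n)
        lo, up = derivative_bounds(f, n)
        assert nl == nonlinearity_by_definition(f, n)
        assert nl <= 2 ** (n - 1) - 2 ** (n / 2 - 1) and lo <= nl <= up
        best = max(best, nl)
    return best


def bent4(x):      # x1 x2 + x3 x4: bent, NL = 2^3 - 2^1 = 6
    return (x[0] & x[1]) ^ (x[2] & x[3])


def balanced4(x):  # x1 + x2 + x3 x4: balanced, NL = 4
    return x[0] ^ x[1] ^ (x[2] & x[3])


if __name__ == "__main__":
    print("NL(bent4) =", nonlinearity(bent4, 4), "bent:", is_bent(bent4, 4))
    print("NL(balanced4) =", nonlinearity(balanced4, 4), "bounds:", derivative_bounds(balanced4, 4))
    print("covering radius of R(1,3) =", check_all_functions(3))
```

For the bent function every derivative is balanced, so both derivative bounds collapse to $4 \le NL \le 6$ and the upper one is attained; for `balanced4` the Walsh spectrum is nonzero only on vectors $a$ with $a_1 = a_2 = 1$, which is the resiliency property discussed next.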

The $r$-th order nonlinearity: changing one or a few bits in the output to a low degree Boolean function (that is, in its truth-table) gives a function with high degree and does not fundamentally modify the robustness of the system using this function (however, explicit attacks using approximations by low degree functions exist for self-synchronizing stream ciphers and block ciphers more than for synchronous stream ciphers, see e.g. [164]). A relevant criterion is the nonlinearity profile, that is, the sequence of the Hamming distances to the Reed-Muller code of order $r$, for small values of $r$. This distance is called the $r$-th order nonlinearity of $f$ and denoted $NL_r(f)$. The best known asymptotic upper bound on $NL_r(f)$ is $2^{n-1} - \frac{\sqrt{15}}{2} \cdot (1 + \sqrt{2})^{r-2} \cdot 2^{n/2} + O(n^{r-2})$ (see [76], where a non-asymptotic - and more complex - bound is also given). Counting the number of functions whose $r$-th order nonlinearities are upper bounded by a given number (see [87]) allows proving that, when $n$ tends to infinity, there exist functions with $r$-th order nonlinearity greater than $2^{n-1} - \sqrt{\sum_{i=0}^r \binom{n}{i}}\, 2^{\frac{n-1}{2}}$.

Balancedness and resiliency: cryptographic functions must be balanced functions (their output must be uniformly – that is, equally – distributed over $\{0, 1\}$) for avoiding statistical dependence between the input and the output (which can be used in attacks). Notice that $f$ is balanced if and only if $\widehat{f_\chi}(0) = \mathcal{F}(f) = 0$.
A stronger condition is necessary in the filtering model of pseudo-random generators, in order to avoid the so-called distinguishing attacks. These attacks are able to distinguish the pseudorandom sequence $(s_i)_{i \in \mathbb{N}}$ from a random sequence. A way of doing so is to observe that the distribution of the sequences $(s_{i+\gamma_1}, \ldots, s_{i+\gamma_n})$ is not uniform, where $\gamma_1, \ldots, \gamma_n$ are the positions where the input bits to the filtering function are chosen. J. Golić [118] has observed that if the characteristic (or the feedback) polynomial of the LFSR is primitive and if the filtering function has the form $x_1 + g(x_2, \ldots, x_n)$ or $g(x_1, \ldots, x_{n-1}) + x_n$, then this property is satisfied. A. Canteaut [31] has proved that this condition on the function is also necessary. For choosing a filtering function, we shall have to choose a function $g$ satisfying the cryptographic conditions listed above and below, and use $f$ defined, by means of $g$, in one of the two ways above.
There is an additional condition to balancedness in the case of combination functions in stream ciphers: any such function $f(x)$ must stay balanced if we keep constant some coordinates $x_i$ of $x$ (at most $m$ of them where $m$ is as large as possible). We say that $f$ is then an $m$-resilient function¹⁸. This definition of resiliency was introduced by Siegenthaler¹⁹ in [245]; it is related to an attack on pseudo-random generators using combining functions, called correlation attack: if $f$ is not $m$-resilient, then there exists a correlation between the output of the function and (at most) $m$ coordinates of its input; if $m$ is small, a divide-and-conquer attack due to Siegenthaler [246] and later improved (and also generalized to pseudo-random generators using filtering functions) by several authors [38, 148, 149, 150, 203] uses this weakness for attacking a system using $f$ as combining function; in the original attack by Siegenthaler, all the possible initializations of the $m$ LFSRs corresponding to these coordinates are tested (in other words, an exhaustive search of the initializations of these specific LFSRs is done); when we arrive to the correct initialization of these LFSRs, we observe a correlation (before that, the correlation is negligible, as for random pairs of sequences); the initializations of the other LFSRs can then be found with an independent exhaustive search. In the improved attacks (called fast correlation attacks), the correct initialization is found in a more effective way, related to error-correcting decoding.
To make stream ciphers with nonlinear filtering generators resistant against fast correlation attacks (see [115, 148, 203]), the Boolean filtering function must be highly nonlinear. In the case of stream ciphers with Boolean combining functions as well, Canteaut and Trabbia in [38] and Canteaut in [29] show that, to make fast correlation attacks as inefficient as possible, the coefficient $\widehat{f_\chi}(u)$ of an $m$-resilient function has to be small for every vector $u$ of Hamming weight higher than, but close to, $m$ and this condition is satisfied by highly nonlinear Boolean $m$-resilient functions.
Note that, when we say that a function $f$ is $m$-resilient, we do not mean that $m$ is the maximum value of $k$ such that $f$ is $k$-resilient. We will call this maximum value the resiliency order of $f$.

¹⁸ More generally, a (non necessarily balanced) combining function whose output distribution probability is unaltered when any $m$ (or, equivalently, at most $m$) of the inputs are kept constant is called an $m$-th order correlation-immune function. Similarly with resiliency, correlation immunity is characterized by the set of zero values in the Walsh spectrum of the function: $f$ is $m$-th order correlation-immune if and only if $\widehat{f_\chi}(u) = 0$, i.e. $\widehat{f}(u) = 0$, for all $u \in F_2^n$ such that $1 \le w_H(u) \le m$. The notion of correlation-immune function is related to the notion of orthogonal array (see [25]). Only resilient functions are of interest as cryptographic functions (but Boolean correlation-immune functions play a role with respect to vectorial resilient functions, see the chapter "Vectorial Boolean Functions for Cryptography").
¹⁹ The term of resiliency was, in fact, introduced in [86], in relationship with another cryptographic problem.
Resiliency has been characterized by Xiao and Massey through the Fourier
and the Walsh transforms:

Proposition 13 [125] Any $n$-variable Boolean function $f$ is $m$-resilient if and only if $\widehat{f_\chi}(u) = 0$ for all $u \in F_2^n$ such that $w_H(u) \le m$. Equivalently, $f$ is $m$-resilient if and only if it is balanced and $\widehat{f}(u) = 0$ for all $u \in F_2^n$ such that $0 < w_H(u) \le m$.

We give here a first direct proof of this fact: we apply Relation (25) to
E = {x ∈ Fn2 / xi = 0, ∀i ∈ I} where I is any set of indices of size m;
2
we get u∈E ⊥ fbχ (u) = |E ⊥ | a∈E 0 F 2 (ha ); the orthogonal E ⊥ of E equals
P P
{x ∈ Fn2 / xi = 0, ∀i 6∈ I} (it contains words of weight at most m, only), and
F(ha ) is null if and only if ha is balanced.
An alternate proof of this same result is obtained by applying Relation (14)
to ϕ = fχ , a = 0 and E = {x ∈ Fn2 / xi = 0, ∀i 6∈ I}, b ranging over Fn2 .
Proposition 13 shows that f is m-resilient if and only if its support has size $2^{n-1}$ and dual distance at least m + 1 (see [99, 100]; see also in [198] a generalization of this result to arrays over finite fields and other related nice results); indeed, if C denotes the support of f, the dual distance of C equals the number $\min\{w_H(b);\ b \ne 0,\ \sum_{x \in C} (-1)^{b \cdot x} \ne 0\}$, and we have, for every vector b: $\sum_{x \in C} (-1)^{b \cdot x} = \widehat{f}(b)$. An easily provable related property is that, if G is the generator matrix of an [n, k, d] linear code, then for every k-variable balanced function g, the n-variable function $f(x) = g(x \times G^t)$ is (d − 1)-resilient [98] (but such a function has nonzero linear structures, see below).
Contrary to the algebraic degree, to the nonlinearity and to the balancedness, the resiliency order is not an affine invariant, except for the null order (and for the order n, but the set of n-resilient functions is empty, because of Parseval's relation). It is invariant under any translation $x \mapsto x + b$, according to Propositions 4 and 13. The symmetry group of the set of m-resilient functions and the orbits under its action have been studied in [142].

Strict avalanche criterion and propagation criterion: the Strict Avalanche Criterion (SAC) was introduced by Webster and Tavares [259] and this concept was generalized into the Propagation Criterion (PC) by Bart Preneel [223] (see also [224]). The SAC, and its generalizations, are based on the properties of the derivatives of Boolean functions. These properties describe the behavior of a function whenever some coordinates of the input are complemented. Thus, they are related to the property of diffusion of the cryptosystems using the function. They must be satisfied at high levels, in particular by the Boolean functions involved in block ciphers. Let f be a Boolean function on $\mathbb{F}_2^n$ and $E \subset \mathbb{F}_2^n$. The function f satisfies the propagation criterion PC with respect to E if, for all a ∈ E, the derivative $D_a f(x) = f(x) \oplus f(a + x)$ (see Definition 2) is balanced. It satisfies PC(l) if it satisfies PC with respect to the set of all those nonzero vectors of weights at most l. In other words, f satisfies PC(l) if the auto-correlation coefficient $\mathcal{F}(D_a f)$ is null for every $a \in \mathbb{F}_2^n$ such that $1 \le w_H(a) \le l$. Criterion SAC corresponds to PC(1).
It is needed, for some cryptographic applications, to have Boolean functions which still satisfy PC(l) when a certain number k of coordinates of the input x are kept constant (whatever these coordinates are and whatever constant values are chosen for them). We say that such functions satisfy the propagation criterion PC(l) of order k. This notion, introduced in [223], is a generalization of the strict avalanche criterion of order k, SAC(k) (which is equivalent to PC(1) of order k), introduced in [114]. Obviously, if a function f satisfies PC(l) of order k ≤ n − l, then it satisfies PC(l) of order k' for any k' ≤ k.
There exists another notion, which is similar to PC(l) of order k, but stronger [223, 225] (see also [52]): a Boolean function satisfies the extended propagation criterion EPC(l) of order k if every derivative $D_a f$, with a ≠ 0 of weight at most l, is k-resilient.
None of these criteria is an affine invariant, in general.
A weakened version of the PC criterion has been studied in [166].

Non-existence of nonzero linear structure: we shall call the linear kernel of f the set of those vectors e such that $D_e f$ is a constant function. The linear kernel of any Boolean function is a subspace of $\mathbb{F}_2^n$. Any element e of the linear kernel of f is said to be a linear structure of f. Nonlinear cryptographic functions used in block ciphers should have no nonzero linear structure (see [110]). The existence of nonzero linear structures, for the functions implemented in stream ciphers, is a potential risk that should also be avoided, despite the fact that such existence could not be used in attacks, so far.
Proposition 14 An n-variable Boolean function admits a nonzero linear structure if and only if it is linearly equivalent to a function of the form $f(x_1, \dots, x_n) = g(x_1, \dots, x_{n-1}) \oplus \varepsilon\, x_n$ where $\varepsilon \in \mathbb{F}_2$.
Indeed, if we compose f on the right with a linear automorphism L such that L(0, . . . , 0, 1) = e is a nonzero linear structure, we have then $D_{(0,\dots,0,1)}(f \circ L)(x) = f \circ L(x) \oplus f \circ L(x + (0, \dots, 0, 1)) = f \circ L(x) \oplus f(L(x) + e) = D_e f(L(x))$.
Note that, according to Proposition 14, if f admits a nonzero linear structure, then the nonlinearity of f is upper bounded by $2^{n-1} - 2^{\frac{n-1}{2}}$ (this implies that the functions obtained by Patterson and Wiedemann cannot have nonzero linear structure), since it equals twice that of g and since, g being an (n − 1)-variable function, it has nonlinearity upper bounded by $2^{n-2} - 2^{\frac{n-1}{2} - 1}$. Applying recursively this property, we deduce that $NL(f) \le 2^{n-1} - 2^{\frac{n+k-2}{2}}$, where k is the dimension of the linear kernel of f [32].
Another characterization of linear structures [170, 109] (see also [34]) is a direct consequence of Relation (24), with b = 0 and $E = \{0, e\}^\perp$, that is
$$\sum_{u \in a + E} \widehat{f_\chi}^2(u) = 2^{n-1}\left(2^n + (-1)^{a \cdot e}\, \mathcal{F}(D_e f)\right).$$

Proposition 15 Let f be any n-variable Boolean function. The derivative $D_e f$ equals the constant function 1 (resp. the null function) if and only if the set $\{u \in \mathbb{F}_2^n / \widehat{f_\chi}(u) = 0\}$ contains the linear hyperplane $\{0, e\}^\perp$ (resp. its complement).
Thus, $D_e f$ equals the null function (resp. the function 1) if and only if the support $S_{\widehat{f_\chi}} = \{u \in \mathbb{F}_2^n / \widehat{f_\chi}(u) \ne 0\}$ of $\widehat{f_\chi}$ is included in $\{0, e\}^\perp$ (resp. its complement). Notice that, if $D_e f$ is the constant function 1 for some $e \in \mathbb{F}_2^n$, then f is balanced (indeed, the relation $f(x + e) = f(x) \oplus 1$ implies that f takes the values 0 and 1 equally often). Thus, a non-balanced function f has no nonzero linear structure if and only if there is no nonzero vector e such that $D_e f$ is null. According to Proposition 15, this is equivalent to saying that the support of its Walsh transform has rank n. A similar characterization exists for balanced functions by replacing the function f(x) by a non-balanced function $f(x) \oplus b \cdot x$. It is deduced in [83] (see more in [255]) that resilient functions of high orders must have linear structures.
The existence/non-existence of nonzero linear structures is clearly an affine invariant. But, contrary to the other criteria, it is an all-or-nothing criterion. Meier and Staffelbach introduced in [204] a related criterion, leading to a characteristic (that is, a criterion which can be satisfied at levels quantified by numbers): a Boolean function on $\mathbb{F}_2^n$ being given, its distance to linear structures is its distance to the set of all Boolean functions admitting nonzero linear structures (among which we have all affine functions, but also other functions, such as all non bent quadratic functions). This distance is always upper bounded by $2^{n-2}$. More precisely, it equals $2^{n-2} - \frac{1}{4} \max_{e \in \mathbb{F}_2^{n*}} |\mathcal{F}(D_e f)|$, since a function g, which admits some vector e as a linear structure, and which lies at minimum distance from f among all such functions, can be obtained by choosing an affine hyperplane H such that $\mathbb{F}_2^n = H \cup (e + H)$, and defining g(x) = f(x) for every x ∈ H and $g(x) = g(x + e) \oplus \epsilon$ for every x ∈ (e + H), where ϵ is chosen in $\mathbb{F}_2$; the Hamming distance between f and this function $g_\epsilon$ equals
$$|\{x \in e + H / D_e f(x) = \epsilon \oplus 1\}| = \frac{1}{2}\,|\{x \in \mathbb{F}_2^n / D_e f(x) = \epsilon \oplus 1\}| = \frac{1}{2}\left(2^{n-1} - (-1)^{\epsilon}\, \frac{1}{2}\, \mathcal{F}(D_e f)\right);$$
recall that $\Delta_f(e) = \mathcal{F}(D_e f)$ is the auto-correlation function of f. We see that the distance of f to linear structures equals $2^{n-2}$ if and only if f is bent.
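As an added example (not from Carlet's chapter), the criteria above can be checked mechanically on small functions from their Walsh transform and auto-correlation: the resiliency order via Proposition 13, PC(l) from the coefficients F(D_a f), the linear kernel, and the distance to linear structures. The function names, the bit-ordering convention and the two 4-variable test functions are my own.

```python
# Added example (not from Carlet's chapter).  Convention (assumed): a vector
# x in F_2^n is an n-bit integer whose bit i-1 holds the coordinate x_i.

def from_anf(monomials, n, constant=0):
    """Truth table of the function whose ANF is the XOR of the given monomials
    (each a tuple of 1-based variable indices) plus a constant, e.g.
    [(1, 2), (3, 4)] -> x1 x2 + x3 x4."""
    table = []
    for x in range(1 << n):
        value = constant
        for mon in monomials:
            value ^= int(all((x >> (i - 1)) & 1 for i in mon))
        table.append(value)
    return table

def weight(x):
    """Hamming weight of an integer-encoded vector."""
    return bin(x).count("1")

def walsh(tt):
    """Walsh transform of the sign function: W(u) = sum_x (-1)^(f(x) + u.x)."""
    N = len(tt)
    return [sum(-1 if tt[x] ^ (weight(u & x) & 1) else 1 for x in range(N))
            for u in range(N)]

def autocorrelation(tt):
    """Auto-correlation Delta_f(e) = F(D_e f) = sum_x (-1)^(f(x) + f(x+e))."""
    N = len(tt)
    return [sum(-1 if tt[x] ^ tt[x ^ e] else 1 for x in range(N))
            for e in range(N)]

def nonlinearity(tt):
    """NL(f) = 2^(n-1) - (1/2) max_u |W(u)| (Relation (31))."""
    n = len(tt).bit_length() - 1
    return (1 << (n - 1)) - max(abs(w) for w in walsh(tt)) // 2

def resiliency_order(tt):
    """Largest m with W(u) = 0 for all wH(u) <= m (Proposition 13);
    m = 0 means merely balanced, -1 means not even balanced."""
    n = len(tt).bit_length() - 1
    W = walsh(tt)
    m = -1
    for k in range(n + 1):
        if any(W[u] != 0 for u in range(1 << n) if weight(u) == k):
            break
        m = k
    return m

def pc_order(tt):
    """Largest l with F(D_a f) = 0 for all 1 <= wH(a) <= l; SAC means l >= 1."""
    n = len(tt).bit_length() - 1
    ac = autocorrelation(tt)
    l = 0
    for k in range(1, n + 1):
        if any(ac[a] != 0 for a in range(1 << n) if weight(a) == k):
            break
        l = k
    return l

def linear_kernel(tt):
    """Linear structures: the e such that D_e f is constant, i.e. |F(D_e f)| = 2^n."""
    N = len(tt)
    return [e for e, a in enumerate(autocorrelation(tt)) if abs(a) == N]

def distance_to_linear_structures(tt):
    """2^(n-2) - (1/4) max_{e != 0} |F(D_e f)|; equals 2^(n-2) exactly for bent f."""
    n = len(tt).bit_length() - 1
    ac = autocorrelation(tt)
    return (1 << (n - 2)) - max(abs(a) for a in ac[1:]) // 4

if __name__ == "__main__":
    # Constructed 4-variable examples: a bent function and a 1-resilient one.
    examples = {"x1x2 + x3x4": from_anf([(1, 2), (3, 4)], 4),
                "x1 + x2 + x3x4": from_anf([(1,), (2,), (3, 4)], 4)}
    for name, tt in examples.items():
        print(name, "NL =", nonlinearity(tt), "resiliency order =", resiliency_order(tt),
              "PC order =", pc_order(tt), "linear kernel =", linear_kernel(tt),
              "distance to linear structures =", distance_to_linear_structures(tt))
```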

The algebraic immunity:
A new kind of attacks, called algebraic attacks, has been introduced recently (see [88, 89, 111]). Algebraic attacks recover the secret key, or at least the initialization of the system, by solving a system of multivariate algebraic equations. The idea that the key bits can be characterized as the solutions of a system of multivariate equations comes from C. Shannon [244]. In practice, this system is too complex to be solved (its equations being highly nonlinear). However, in many situations, we can get a very overdefined system (i.e. a system with a number of independent equations much greater than the number of unknowns). Consider for instance an LFSR of length N, filtered by an n-variable Boolean function f; then there exists a linear permutation $L : \mathbb{F}_2^N \mapsto \mathbb{F}_2^N$ and a linear mapping $L' : \mathbb{F}_2^N \mapsto \mathbb{F}_2^n$ such that, denoting by $u_1, \dots, u_N$ the initialisation of the LFSR and by $(s_i)_{i \ge 0}$ the pseudo-random sequence output by the generator, we have, for every i ≥ 0:

$$s_i = f\left(L' \circ L^i(u_1, \dots, u_N)\right)$$

(this is more generally valid for every linear automaton combined by a Boolean function, and in particular in the case of several LFSRs combined by a Boolean function). The number of equations can then be much larger than the number of unknowns. This makes the resolution of the system by Gröbner bases less complex (see [111]), and even allows linearizing the system (i.e. obtaining a non-degenerate system of linear equations by replacing every monomial of degree greater than 1 by a new unknown). The resulting linear system has however too many unknowns and cannot be solved. Nevertheless, Courtois and Meier have had a simple but very efficient idea. Assume that there exist functions g ≠ 0 and h of low degrees (say, of degrees at most d) such that f ∗ g = h (where f ∗ g denotes the function whose support is the intersection of the supports of f and g; we shall omit writing ∗ in the sequel). We have then, for every i ≥ 0:

$$s_i\, g\left(L' \circ L^i(u_1, \dots, u_N)\right) = h\left(L' \circ L^i(u_1, \dots, u_N)\right).$$

This equation in $u_1, \dots, u_N$ has degree at most d, since L and L' are linear, and the system of equations obtained after linearization can then be solved by Gaussian elimination.
Low degree relations have been shown to exist for several well known con-
structions of stream ciphers, which were immune to all previously known
attacks.
Note that if we only know the existence of a nonzero low degree multiple h of f, then the support of h being included in that of f, we have (f ⊕ 1)h = 0, and taking g = h, we have the desired relation fg = h. More precisely, it is a simple matter to see that the existence of functions g ≠ 0 and h, of degrees at most d, such that fg = h is equivalent to the existence of a function g ≠ 0 of degree at most d such that fg = 0 or (f ⊕ 1)g = 0. Indeed, fg = h implies $f^2 g = fh$, that is, f(g ⊕ h) = 0, and if g = h then fg = h is equivalent to (f ⊕ 1)g = 0. A function g such that fg = 0 is called an annihilator of f. Clearly, the set of all annihilators is equal to the ideal of all the multiples of f ⊕ 1. The minimum degree of g ≠ 0 such that fg = 0 (i.e. such that g is an annihilator of f) or (f ⊕ 1)g = 0 (i.e. such that g is a multiple of f) is called the (basic) algebraic immunity of f and denoted by AI(f). This important characteristic is an affine invariant. As shown in [89], the algebraic immunity of any n-variable function is upper bounded by ⌈n/2⌉ (and consequently by ⌈k/2⌉ if, up to affine equivalence, it depends only on k variables, and by ⌈k/2 + 1⌉ if it has a linear kernel of dimension n − k, since it is then equivalent to a function in k variables plus an affine function). Indeed, the sum of the number of monomials of degrees at most ⌈n/2⌉ and of the (equal) number of the products between f and these monomials being greater than $2^n$, these functions are necessarily linearly dependent elements of the $2^n$-dimensional vector space of all Boolean functions. This linear dependence gives two functions g and h of degrees at most ⌈n/2⌉ such that fg = h and (g, h) ≠ (0, 0), i.e. g ≠ 0. It has been proved in [102] that, for all a < 1, when n tends to infinity, AI(f) is almost surely greater than
$$\frac{n}{2} - \sqrt{\frac{n}{2}\,\ln\left(-\frac{n}{2 \ln a}\right)}.$$
In [30], A. Canteaut has observed that, if a balanced function f in an odd number n of variables admits no non-zero annihilator of degree at most $\frac{n-1}{2}$, then it has optimum algebraic immunity $\frac{n+1}{2}$ (this means that we do not need to check also that f ⊕ 1 has no non-zero annihilator of degree at most $\frac{n-1}{2}$ for showing that f has optimum algebraic immunity). Indeed, consider the Reed-Muller code of length $2^n$ and of order $\frac{n-1}{2}$. This code is self-dual (i.e. is its own dual) [187]. Let G be a generator matrix of this code. Each column of G is labeled by a vector of $\mathbb{F}_2^n$. Saying that f has no non-zero annihilator of degree at most $\frac{n-1}{2}$ is equivalent to saying that the matrix obtained by selecting those columns of G corresponding to the elements of the support of f has full rank $\sum_{i=0}^{\frac{n-1}{2}} \binom{n}{i} = 2^{n-1}$. Since f has weight $2^{n-1}$, this is also equivalent to saying that the support of the function is an information set, that is (assuming for simplicity that the columns corresponding to the support of f are the $2^{n-1}$ first ones), that we can take G = (Id | M). Then the complement of the support of f is also an information set (otherwise there would exist a vector (z | 0), z ≠ 0, in the code and this is clearly impossible since G is also a parity-check matrix of the code).
Now let an n-variable function f, with algebraic immunity ⌈n/2⌉, be used as a filtering function on a linear automaton (e.g. an LFSR) with m ≥ 2k states, where k is the length of the key (otherwise, it is known that the system is not robust). Then the complexity of an algebraic attack using one annihilator of degree ⌈n/2⌉ is roughly
$$7\left(\binom{m}{0} + \dots + \binom{m}{\lceil n/2 \rceil}\right)^{\log_2 7} \approx 7\left(\binom{m}{0} + \dots + \binom{m}{\lceil n/2 \rceil}\right)^{2.8}$$
(see [89]). Let us choose k = 128 (which is usual) and m = 256; then the complexity of the algebraic attack is at least $2^{80}$ for n ≥ 13, and it is greater than the complexity of an exhaustive search, that is $2^{128}$, for n ≥ 15. If the attacker knows several linearly independent annihilators of degree ⌈n/2⌉, then the number of variables must be increased.
It has been shown in [93] and [64] that low nonlinearity implies low algebraic immunity (but high algebraic immunity does not imply high nonlinearity). More precisely, it can be easily shown that
$$\sum_{i=0}^{AI(f)-1} \binom{n}{i} \le w_H(f) \le \sum_{i=0}^{n-AI(f)} \binom{n}{i}$$
(the left-hand inequality must for instance be true since, otherwise, the system expressing that a function of degree at most AI(f) − 1 is an annihilator of f would have a number $w_H(f)$ of equations smaller than its number of unknowns and it would therefore have non-trivial solutions, a contradiction). This implies that a function f such that $AI(f) = \frac{n+1}{2}$ (n odd) must be balanced. Since it can also be easily proved that, for every function h of degree r, we have $AI(f) - r \le AI(f + h) \le AI(f) + r$, we deduce
$$NL(f) \ge \sum_{i=0}^{AI(f)-2} \binom{n}{i}$$
and more generally:
$$NL_r(f) \ge \sum_{i=0}^{AI(f)-r-1} \binom{n}{i}.$$
These bounds have been improved, in all cases for the first order nonlinearity into $NL(f) \ge 2\sum_{i=0}^{AI(f)-2} \binom{n-1}{i}$ [182], and in most cases for the r-th order nonlinearity into $NL_r(f) \ge 2\sum_{i=0}^{AI(f)-r-1} \binom{n-r}{i}$ (in fact, the improvement was slightly stronger than this, but more complex), see [62].
Note that if f is k-normal then its algebraic immunity is at most n − k, since the fact that $f(x) = \epsilon \in \mathbb{F}_2$ for every x ∈ A (where A is a k-dimensional flat) implies that the indicator of A is an annihilator of f + ϵ. This bound is tight, since the majority function (cf. below) is ⌊n/2⌋-normal for every n (see [57]) and has algebraic immunity ⌈n/2⌉. But AI(f) ≤ ℓ does not imply conversely that f is (n − ℓ)-normal, since when n tends to infinity, for every a > 1, n-variable Boolean functions are almost surely non-$(a \log_2 n)$-normal [57] (note that $k < a \log_2 n$ implies that n − k ∼ n) and the algebraic immunity is always upper bounded by n/2.
Balanced highly nonlinear functions in up to 20 variables (derived from the power mappings studied in the chapter "Vectorial Boolean Functions for Cryptography") with high algebraic immunities have been exhibited in [69] and [5]. However, it has been proved in [210] that, if the number of runs r(d) of 1's in the binary expansion of the exponent d of a power function $tr(a x^d)$ (that is, the number of subsequences of 1's, separated by 0's) is (much) smaller than n/2, then the algebraic immunity is low. More precisely, the algebraic immunity is upper bounded by $r(d)\lfloor\sqrt{n}\rfloor + \left\lceil \frac{n}{\lfloor\sqrt{n}\rfloor} \right\rceil - 1$. Note that this bound is better than the general bound ⌈n/2⌉ for only a negligible part of power mappings, but it concerns however all of those whose exponents have a constant 2-weight or a constant number of runs; the power functions studied as potential S-boxes in block ciphers enter in this framework (see the chapter "Vectorial Boolean Functions for Cryptography"). Moreover, the bound is further improved when n is odd and the function is almost bent (see this same chapter for a definition).
The majority function (first proposed by J.D. Key, T.P. McDonough and V.C. Mavron in the context of the erasure channel [160], rediscovered by Dalai et al. in the context of algebraic immunity [95]), f(x) = 1 if $w_H(x) \ge n/2$, has optimum algebraic immunity (note that changing $w_H(x) \ge n/2$ into $w_H(x) > n/2$ or $w_H(x) \le n/2$ or $w_H(x) < n/2$ changes the function into an affinely equivalent one, up to addition of the constant 1). It is a symmetric function and its properties and structure are known. Some variants
metric function and its properties and structure are known. Some variants
have also optimum algebraic immunity. A nice construction of an infinite
class of functions with optimum algebraic immunity has been given in [94]
and further studied in [64]; however, the functions it produces are neither
balanced nor highly nonlinear. All of these functions are weak against fast
algebraic attacks, as shown in [5]. Indeed, a high value of AI(f ) is not
a sufficient property for a resistance to algebraic attacks, because of fast
algebraic attacks, in which h can have a greater degree than g (see [89]).
Similarly as above, when the number of monomials of degrees at most e, plus the number of monomials of degrees at most d, is strictly greater than $2^n$ – that is, when $d^\circ g + d^\circ h \ge n$ – there exist g of degree at most e and h of degree at most d such that fg = h. An n-variable function f is then optimal with respect to fast algebraic attacks if there do not exist two functions g ≠ 0 and h such that fg = h and $d^\circ g + d^\circ h < n$. Since fg = h implies fh = ffg = fg = h, we see that h is then an annihilator of f + 1 and its degree is then at least equal to the algebraic immunity of f. This means that having a high algebraic immunity is not only a necessary condition for a resistance to standard algebraic attacks but also for a resistance to fast algebraic attacks.
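As an added example (not from Carlet's chapter), here is the linear-algebra computation of AI(f) that the existence argument above describes: for each degree d, the monomials of degree at most d restricted to the support of f (resp. of f ⊕ 1) give a system over F_2 whose non-trivial solutions are exactly the annihilators of degree at most d. It also checks the weight bounds quoted above on the majority function; the function names, the bit-ordering convention and the sample functions are my own.

```python
# Added example (not from Carlet's chapter).  Convention (assumed): x in F_2^n
# is an n-bit integer whose bit i-1 holds x_i; a monomial is the bitmask of its
# variables and evaluates to 1 on x iff that mask is a subset of the bits of x.
from itertools import combinations
from math import comb

def monomials_up_to(n, d):
    """Bitmasks of all monomials in n variables of degree at most d."""
    masks = []
    for k in range(d + 1):
        for variables in combinations(range(n), k):
            masks.append(sum(1 << i for i in variables))
    return masks

def gf2_rank(rows):
    """Rank over F_2 of a list of row vectors given as integer bitmasks."""
    rows = [r for r in rows if r]
    rank = 0
    while rows:
        pivot = max(rows)                       # row with the highest leading bit
        hb = pivot.bit_length() - 1
        rows.remove(pivot)
        # Clear that leading bit from every other row; drop rows that vanish.
        rows = [r ^ pivot if (r >> hb) & 1 else r for r in rows]
        rows = [r for r in rows if r]
        rank += 1
    return rank

def annihilator_space_dim(tt, d):
    """Dimension of {g : deg g <= d, f g = 0}; positive iff f has a nonzero
    annihilator of degree at most d.  One F_2-linear equation per x in supp(f):
    sum_m c_m m(x) = 0, the unknowns being the ANF coefficients c_m of g."""
    n = len(tt).bit_length() - 1
    mons = monomials_up_to(n, d)
    rows = []
    for x in range(1 << n):
        if tt[x]:
            rows.append(sum(1 << j for j, m in enumerate(mons) if x & m == m))
    return len(mons) - gf2_rank(rows)

def algebraic_immunity(tt):
    """AI(f) = min deg g over nonzero g with f g = 0 or (f + 1) g = 0."""
    n = len(tt).bit_length() - 1
    comp = [1 - v for v in tt]                  # truth table of f + 1
    for d in range(n + 1):
        if annihilator_space_dim(tt, d) or annihilator_space_dim(comp, d):
            return d
    return n

def majority(n):
    """f(x) = 1 iff wH(x) >= n/2; has optimum AI = ceil(n/2) (Dalai et al.)."""
    return [1 if bin(x).count("1") >= n / 2 else 0 for x in range(1 << n)]

def weight_bounds(n, ai):
    """sum_{i<ai} C(n,i) <= wH(f) <= sum_{i<=n-ai} C(n,i), the bound quoted above."""
    return (sum(comb(n, i) for i in range(ai)),
            sum(comb(n, i) for i in range(n - ai + 1)))

if __name__ == "__main__":
    for n in (3, 5):
        f = majority(n)
        ai = algebraic_immunity(f)
        print(n, "variables: AI(majority) =", ai, "weight =", sum(f),
              "must lie in", weight_bounds(n, ai))
    # Constructed weak example: x1 x2 x3 x4 x5 has the degree-1 annihilator x1 + 1.
    product = [1 if x == 0b11111 else 0 for x in range(32)]
    print("AI(x1 x2 x3 x4 x5) =", algebraic_immunity(product))
```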

Other criteria:
- the second moment of the auto-correlation coefficients:
$$\mathcal{V}(f) = \sum_{e \in \mathbb{F}_2^n} \mathcal{F}^2(D_e f) \qquad (33)$$
has been introduced by Zhang and Zheng [265] for measuring the global avalanche criterion (GAC). It is called the sum-of-squares indicator by some authors. The absolute indicator is by definition $\max_{e \in \mathbb{F}_2^n,\, e \ne 0} |\mathcal{F}(D_e f)|$. Both indicators are clearly affine invariants. In order to achieve good diffusion, cryptographic functions should have low sum-of-squares indicators and absolute indicators. Obviously, we have $\mathcal{V}(f) \ge 2^{2n}$, since $\mathcal{F}^2(D_0 f) = 2^{2n}$. Note that every lower bound of the form $\mathcal{V}(f) \ge V$ straightforwardly implies that the absolute indicator is lower bounded by $\sqrt{\frac{V - 2^{2n}}{2^n - 1}}$. The functions that achieve $\mathcal{V}(f) = 2^{2n}$ are those functions whose derivatives $D_e f(x)$, e ≠ 0, are all balanced. We shall see at Section 6 that these are the bent functions. If f has a k-dimensional linear kernel, then $\mathcal{V}(f) \ge 2^{2n+k}$ (with equality if and only if f is partially bent, see below).
Note that, according to Relation (23) applied to $D_e f$ for every e, we have
$$\mathcal{V}(f) = \sum_{a, e \in \mathbb{F}_2^n} \mathcal{F}(D_a D_e f),$$
where $D_a D_e f(x) = f(x) \oplus f(x + a) \oplus f(x + e) \oplus f(x + a + e)$ is the second order derivative of f.
Note also that, according to Relation (18) applied to $\varphi(e) = \psi(e) = \mathcal{F}(D_e f)$, we have, for any n-variable Boolean function f:
$$\forall a \in \mathbb{F}_2^n, \quad \sum_{e \in \mathbb{F}_2^n} \widehat{f_\chi}^2(e)\, \widehat{f_\chi}^2(a + e) = 2^n \sum_{e \in \mathbb{F}_2^n} \mathcal{F}^2(D_e f)\, (-1)^{e \cdot a},$$
as shown in [33] (indeed, the Fourier transform of φ equals $\widehat{f_\chi}^2$, according to Relation (22)), and thus, for a = 0:
$$\sum_{e \in \mathbb{F}_2^n} \widehat{f_\chi}^4(e) = 2^n\, \mathcal{V}(f). \qquad (34)$$

We have $\sum_{e \in \mathbb{F}_2^n} \widehat{f_\chi}^4(e) \le \left(\sum_{e \in \mathbb{F}_2^n} \widehat{f_\chi}^2(e)\right) \max_{e \in \mathbb{F}_2^n} \widehat{f_\chi}^2(e)$. According to Parseval's relation $\sum_{e \in \mathbb{F}_2^n} \widehat{f_\chi}^2(e) = 2^{2n}$, we deduce, using Relation (34): $\max_{e \in \mathbb{F}_2^n} \widehat{f_\chi}^2(e) \ge \frac{\mathcal{V}(f)}{2^n}$ (with equality if and only if f is plateaued [33], see below); thus, according to Relation (31) and to the inequality $\mathcal{V}(f) \ge 2^{2n}$, we have (as first shown in [266, 269]):
$$NL(f) \le 2^{n-1} - 2^{-n/2-1} \sqrt{\mathcal{V}(f)} \le 2^{n-1} - \frac{1}{2} \sqrt[4]{\mathcal{V}(f)}.$$

Denoting again by $N_{\widehat{f_\chi}}$ the cardinality of the support $\{a \in \mathbb{F}_2^n / \widehat{f_\chi}(a) \ne 0\}$ of the Walsh transform of f, Relation (34) also implies the following relation, first observed in [269]: $\mathcal{V}(f) \times N_{\widehat{f_\chi}} \ge 2^{3n}$. Indeed, using for instance the Cauchy-Schwarz inequality, we see that $\left(\sum_{a \in \mathbb{F}_2^n} \widehat{f_\chi}^2(a)\right)^2 \le \left(\sum_{a \in \mathbb{F}_2^n} \widehat{f_\chi}^4(a)\right) \times N_{\widehat{f_\chi}}$ and we have $\sum_{a \in \mathbb{F}_2^n} \widehat{f_\chi}^2(a) = 2^{2n}$, according to Parseval's Relation (20). The functions satisfying $\mathcal{V}(f) \times N_{\widehat{f_\chi}} = 2^{3n}$ are the functions whose Walsh transforms take at most one nonzero magnitude. These functions are called plateaued functions (see Subsection 6.8 for further properties of plateaued functions). Constructions of balanced Boolean functions with low absolute indicators and high nonlinearities have been studied in [189].
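As an added example (not from Carlet's chapter), the indicators and inequalities above can be verified numerically: V(f) from (33), the absolute indicator and its lower bound, Relation (34), the bound NL(f) ≤ 2^{n−1} − 2^{−n/2−1}√V(f), and the plateaued criterion V(f)·N = 2^{3n}, on two constructed 4-variable functions. The function names and the bit-ordering convention are my own.

```python
# Added example (not from Carlet's chapter).  Convention (assumed): x in F_2^n
# is an n-bit integer whose bit i-1 holds the coordinate x_i.
import math

def bit(x, i):
    """Coordinate x_i (1-based) of the integer-encoded vector x."""
    return (x >> (i - 1)) & 1

def parity(x):
    return bin(x).count("1") & 1

def walsh(tt):
    """W(u) = sum_x (-1)^(f(x) + u.x)."""
    N = len(tt)
    return [sum(-1 if tt[x] ^ parity(u & x) else 1 for x in range(N)) for u in range(N)]

def autocorrelation(tt):
    """Delta_f(e) = F(D_e f) = sum_x (-1)^(f(x) + f(x+e))."""
    N = len(tt)
    return [sum(-1 if tt[x] ^ tt[x ^ e] else 1 for x in range(N)) for e in range(N)]

def gac_report(tt):
    """Sum-of-squares and absolute indicators with the relations discussed above."""
    n = len(tt).bit_length() - 1
    W, ac = walsh(tt), autocorrelation(tt)
    V = sum(a * a for a in ac)                          # Relation (33)
    support = sum(1 for w in W if w != 0)               # N_{\hat f_chi}
    nl = (1 << (n - 1)) - max(abs(w) for w in W) // 2   # Relation (31)
    return {
        "V": V,
        "absolute_indicator": max(abs(a) for a in ac[1:]),
        # every bound V(f) >= V gives absolute indicator >= sqrt((V - 2^2n)/(2^n - 1))
        "abs_ind_lower_bound": math.sqrt((V - (1 << (2 * n))) / ((1 << n) - 1)),
        "relation_34": sum(w ** 4 for w in W) == (1 << n) * V,
        "walsh_support": support,
        "V_times_N_bound": V * support >= 1 << (3 * n),
        "plateaued": V * support == 1 << (3 * n),        # one nonzero Walsh magnitude
        "nl": nl,
        "nl_bound": (1 << (n - 1)) - math.sqrt(V) / 2 ** (n / 2 + 1),
    }

if __name__ == "__main__":
    # Constructed 4-variable examples: a bent function and a plateaued, non-bent one.
    bent = [(bit(x, 1) & bit(x, 2)) ^ (bit(x, 3) & bit(x, 4)) for x in range(16)]
    res = [bit(x, 1) ^ bit(x, 2) ^ (bit(x, 3) & bit(x, 4)) for x in range(16)]
    for name, tt in (("x1x2 + x3x4", bent), ("x1 + x2 + x3x4", res)):
        print(name, gac_report(tt))
```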

- The maximum correlation of an n-variable Boolean function f with respect to a subset I of N = {1, . . . , n} equals by definition (see [264]) $C_f(I) = \max_{g \in BF_{I,n}} \frac{\mathcal{F}(f \oplus g)}{2^n}$, where $BF_{I,n}$ is the set of n-variable Boolean functions depending on $\{x_i,\ i \in I\}$ only. According to Relation (31), the distance from f to $BF_{I,n}$ equals $2^{n-1}(1 - C_f(I))$. The maximum correlation of any combining function with respect to any subset I of small size should be small (i.e. its distance to $BF_{I,n}$ should be high). It is straightforward to prove, by decomposing the sum F(f ⊕ g), that $C_f(I)$ equals $\sum_{j=1}^{2^{n-|I|}} \frac{|\mathcal{F}(h_j)|}{2^n}$, where $h_1, \dots, h_{2^{n-|I|}}$ are the restrictions of f obtained by keeping constant the $x_i$'s for i ∈ I, to see that the distance from f to $BF_{I,n}$ is achieved by the functions g taking value 0 (resp. 1) when the corresponding value of $\mathcal{F}(h_j)$ is positive (resp. negative), and that we have $C_f(I) = 0$ if and only if all $h_j$'s are balanced (thus, f is m-resilient if and only if $C_f(I) = 0$ for every set I of size at most m). Also, according to the Cauchy-Schwarz inequality, we have $\left(\sum_{j=1}^{2^{n-|I|}} |\mathcal{F}(h_j)|\right)^2 \le 2^{n-|I|} \sum_{j=1}^{2^{n-|I|}} \mathcal{F}^2(h_j)$, and Relation (25) directly implies the following inequality observed in [28, 29]:
$$C_f(I) \le 2^{-n} \left(\sum_{u \in \mathbb{F}_2^n / u_i = 0,\ \forall i \notin I} \widehat{f_\chi}^2(u)\right)^{\frac{1}{2}} \le 2^{-n + \frac{|I|}{2}} \left(2^n - 2NL(f)\right). \qquad (35)$$
This inequality shows that the nonlinearity of any combining function should be high. An affine invariant related to the maximum correlation and also related to the "distance to linear structures" is the following: the distance to the Boolean functions g such that the space $\{e \in \mathbb{F}_2^n / D_e g = 0\}$ has dimension at least k (the functions of $BF_{I,n}$ can be viewed as n-variable functions g such that the set $\{e \in \mathbb{F}_2^n / D_e g = 0\}$ contains $\mathbb{F}_2^{N \setminus I}$). The results on the maximum correlation above generalize to this criterion [29].

- the main cryptographic complexity criteria for a Boolean function are the algebraic degree and the nonlinearity, but other criteria have also been studied: the minimum number of terms in the algebraic normal forms of all affinely equivalent functions, called the algebraic thickness (studied in [57] and first evoked in [204]), the maximum dimension k of those flats E such that the restriction of f to E is constant (f is then called a k-normal function) or is affine (f is called a k-weakly-normal function) [57] (see Subsection 5.3.2), the number of nonzero coefficients of the Walsh transform [225, 232]. It has been shown in [57, 214, 232] that (asymptotically) almost all Boolean functions have high complexities with respect to all these criteria (see also [230] for some complementary results).
For every even integer k such that $4 \le k \le 2^n$, the kth-order nonhomomorphicity [268] of a Boolean function equals the number of k-tuples $(u_1, \dots, u_k)$ of vectors of $\mathbb{F}_2^n$ such that $u_1 + \dots + u_k = 0$ and $f(u_1) \oplus \dots \oplus f(u_k) = 0$. It is a simple matter to show (more directly than in [268]) that it equals $2^{(k-1)n-1} + 2^{-n-1} \sum_{u \in \mathbb{F}_2^n} \widehat{f_\chi}^k(u)$. This parameter should be small (but no related attack exists on stream ciphers). It is maximum and equals $2^{(k-1)n}$ if and only if the function is affine. It is minimum and equals $2^{(k-1)n-1} + 2^{\frac{nk}{2}-1}$ if and only if the function is bent, and some relationship obviously exists between nonhomomorphicity and nonlinearity.

5 Quadratic functions and other functions whose weights, Walsh spectra or nonlinearities can be analyzed

5.1 Quadratic functions
The weights and the Walsh spectra of affine functions are peculiar: the Walsh transform of the function $\ell(x) = a \cdot x \oplus \varepsilon$ takes null value at every vector u ≠ a and takes value $2^n (-1)^\varepsilon$ at a. More generally, the behavior of the functions of R(2, n), called quadratic functions, is also peculiar. Recall that Relation (23) states that, for every Boolean function f:
$$\mathcal{F}^2(f) = \sum_{b \in \mathbb{F}_2^n} \mathcal{F}(D_b f).$$

If f is quadratic, then $D_b f$ is affine for every $b \in \mathbb{F}_2^n$, and is therefore either balanced or constant. Since F(g) = 0 for every balanced function g, we deduce:
$$\mathcal{F}^2(f) = 2^n \sum_{b \in E_f} (-1)^{D_b f(0)}, \qquad (36)$$
where $E_f$ is the set of all $b \in \mathbb{F}_2^n$ such that $D_b f$ is constant. The set $E_f$ is the linear kernel of f (see Subsection 4.1). In the case of quadratic functions, it also equals the kernel $\{x \in \mathbb{F}_2^n / \forall y \in \mathbb{F}_2^n,\ \varphi_f(x, y) = 0\}$ of the symplectic (i.e. bilinear, symmetric, and null over the diagonal) form associated to f: $\varphi_f(x, y) = f(0) \oplus f(x) \oplus f(y) \oplus f(x + y)$. The restriction of the function $b \mapsto D_b f(0) = f(b) \oplus f(0)$ to this vector space is linear; we deduce that $\mathcal{F}^2(f)$ equals $2^n |E_f|$ if this linear form on $E_f$ is null, that is, if f is constant on $E_f$, and is null otherwise. According to Relation (10), this proves the following:
Proposition 16 Any quadratic function f is balanced if and only if its restriction to its linear kernel $E_f$ (i.e. the kernel of its associated symplectic form) is not constant. If it is not balanced, then its weight equals $2^{n-1} \pm 2^{\frac{n+k}{2} - 1}$ where k is the dimension of $E_f$.
Note that Proposition 16 implies that f is balanced if and only if there exists $b \in \mathbb{F}_2^n$ such that the derivative $D_b f(x) = f(x) \oplus f(x + b)$ equals the constant function 1 (take b in $E_f$ such that f(b) ≠ f(0)). For general Boolean functions, this condition is sufficient for f being balanced, but it is not necessary.
According to Relation (36) applied to f ⊕ ℓ, where ℓ is a linear function such that f ⊕ ℓ is not balanced (such a function ℓ always exists, according to Parseval's relation), the co-dimension of $E_f$ must be even (this co-dimension is the rank of $\varphi_f$).
The weight of a quadratic function can be any element of the set $\{2^{n-1}\} \cup \{2^{n-1} \pm 2^i / n/2 - 1 \le i \le n - 1\}$. Its nonlinearity can be any element of the set $\{2^{n-1} - 2^i / n/2 - 1 \le i \le n - 1\}$, and if f has weight $2^{n-1} \pm 2^i$, then for every affine function l, the weight of the function f ⊕ l belongs to the set $\{2^{n-1} - 2^i,\ 2^{n-1},\ 2^{n-1} + 2^i\}$.
Any quadratic non-affine function f having a monomial of degree 2 in
its ANF, we can assume without loss of generality that, up to a non-
singular linear transformation, this monomial is x1 x2 . The function has
then the form x1 x2 ⊕ x1 f1 (x3 , . . . , xn ) ⊕ x2 f2 (x3 , . . . , xn ) ⊕ f3 (x3 , . . . , xn )
where f1 , f2 are affine functions and f3 is quadratic. Then, f (x) equals
(x1 ⊕ f2 (x3 , . . . , xn ))(x2 ⊕ f1 (x3 , . . . , xn )) ⊕ f1 (x3 , . . . , xn )f2 (x3 , . . . , xn ) ⊕
f3 (x3 , . . . , xn ) and is therefore affinely equivalent to the function x1 x2 ⊕
f1 (x3 , . . . , xn )f2 (x3 , . . . , xn ) ⊕ f3 (x3 , . . . , xn ). Applying this method recur-
sively shows (see [187]):
Proposition 17 Every quadratic non-affine function is affinely equivalent to $x_1 x_2 \oplus \dots \oplus x_{2l-1} x_{2l} \oplus x_{2l+1}$ (where $l \le \frac{n-1}{2}$) if it is balanced, to $x_1 x_2 \oplus \dots \oplus x_{2l-1} x_{2l}$ (where l ≤ n/2) if it has weight smaller than $2^{n-1}$ and to $x_1 x_2 \oplus \dots \oplus x_{2l-1} x_{2l} \oplus 1$ (where l ≤ n/2) if it has weight greater than $2^{n-1}$.
This allows the weight distribution of R(2, n) to be described precisely.
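As an added example (not from Carlet's chapter), Proposition 16 can be checked directly: compute the kernel E_f of the symplectic form φ_f, test whether f is constant on it, compare the weight with 2^{n−1} ± 2^{(n+k)/2−1}, and confirm that the co-dimension of E_f is even as noted above. The function names, the bit-ordering convention and the sample quadratic functions are my own.

```python
# Added example (not from Carlet's chapter).  Convention (assumed): x in F_2^n
# is an n-bit integer whose bit i-1 holds the coordinate x_i.

def bit(x, i):
    """Coordinate x_i (1-based) of the integer-encoded vector x."""
    return (x >> (i - 1)) & 1

def is_quadratic(tt):
    """deg f <= 2 iff every second-order derivative D_a D_b f is constant."""
    N = len(tt)
    for a in range(N):
        for b in range(N):
            c = tt[0] ^ tt[a] ^ tt[b] ^ tt[a ^ b]            # value at x = 0
            if any(tt[x] ^ tt[x ^ a] ^ tt[x ^ b] ^ tt[x ^ a ^ b] != c
                   for x in range(N)):
                return False
    return True

def symplectic_kernel(tt):
    """E_f = {x : phi_f(x, y) = 0 for all y}, with
    phi_f(x, y) = f(0) + f(x) + f(y) + f(x + y).  For quadratic f this is the
    linear kernel, i.e. the set of b such that D_b f is constant."""
    N = len(tt)
    return [x for x in range(N)
            if all(tt[0] ^ tt[x] ^ tt[y] ^ tt[x ^ y] == 0 for y in range(N))]

def proposition16(tt):
    """Returns (k, balanced, wH(f)) for a quadratic f, with k = dim E_f, after
    checking Proposition 16: f is balanced iff it is not constant on E_f, and
    otherwise wH(f) = 2^(n-1) +- 2^((n+k)/2 - 1).  The co-dimension n - k of
    E_f (the rank of phi_f) is also checked to be even."""
    if not is_quadratic(tt):
        raise ValueError("Proposition 16 applies to quadratic functions only")
    n = len(tt).bit_length() - 1
    kernel = symplectic_kernel(tt)
    k = len(kernel).bit_length() - 1                        # |E_f| = 2^k
    assert (n - k) % 2 == 0, "rank of the symplectic form must be even"
    weight = sum(tt)
    constant_on_kernel = len({tt[x] for x in kernel}) == 1
    if constant_on_kernel:
        half = 1 << ((n + k) // 2 - 1)
        assert weight in ((1 << (n - 1)) - half, (1 << (n - 1)) + half)
    else:
        assert weight == 1 << (n - 1)
    return k, not constant_on_kernel, weight

if __name__ == "__main__":
    # Constructed quadratic functions in 4 and 3 variables.
    samples = (
        ("x1x2 + x3x4", [(bit(x, 1) & bit(x, 2)) ^ (bit(x, 3) & bit(x, 4)) for x in range(16)]),
        ("x1x2", [bit(x, 1) & bit(x, 2) for x in range(16)]),
        ("x1x2 + x3 (n=3)", [(bit(x, 1) & bit(x, 2)) ^ bit(x, 3) for x in range(8)]),
    )
    for name, tt in samples:
        print(name, "-> (dim E_f, balanced, weight) =", proposition16(tt))
```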

Remark. Let $f_1$, $f_2$ and $f_3$ be any Boolean functions on $\mathbb{F}_2^n$. Define the function on $\mathbb{F}_2^{n+2}$: $f(x, y_1, y_2) = y_1 y_2 \oplus y_1 f_1(x) \oplus y_2 f_2(x) \oplus f_3(x)$. Then we have
$$\mathcal{F}(f) = \sum_{x \in \mathbb{F}_2^n / y_1, y_2 \in \mathbb{F}_2} (-1)^{(y_1 \oplus f_2(x))(y_2 \oplus f_1(x)) \oplus f_1(x) f_2(x) \oplus f_3(x)}$$
$$= \sum_{x \in \mathbb{F}_2^n / y_1, y_2 \in \mathbb{F}_2} (-1)^{y_1 y_2 \oplus f_1(x) f_2(x) \oplus f_3(x)} = 2 \sum_{x \in \mathbb{F}_2^n} (-1)^{f_1(x) f_2(x) \oplus f_3(x)}.$$
So, starting with a function $g = f_1 f_2 \oplus f_3$, we can relate F(g) to F(f), on two more variables, in which the term $f_1 f_2$ has disappeared. This makes it possible to show (see [43]) that, for every Boolean function g on $\mathbb{F}_2^n$, there exists an integer m and a Boolean function f of algebraic degree at most 3 on $\mathbb{F}_2^{n+2m}$ whose Walsh transform takes value $\widehat{f_\chi}(0) = 2^m\, \widehat{g_\chi}(0)$ at 0.

5.2 Indicators of flats

A Boolean function f is the indicator of a flat A of co-dimension r if and only if it has the form $f(x) = \prod_{i=1}^r (a_i \cdot x \oplus \varepsilon_i)$ where $a_1, \dots, a_r \in \mathbb{F}_2^n$ are linearly independent and $\varepsilon_1, \dots, \varepsilon_r \in \mathbb{F}_2$. Then f has weight $2^{n-r}$. Moreover, set $a \in \mathbb{F}_2^n$. If a is linearly independent of $a_1, \dots, a_r$, then the function f(x) ⊕ a · x is balanced (and hence $\widehat{f_\chi}(a) = 0$), since it is linearly equivalent to a function of the form $g(x_1, \dots, x_r) \oplus x_{r+1}$. If a is linearly dependent of $a_1, \dots, a_r$, say $a = \sum_{i=1}^r \eta_i a_i$, then a · x is clearly constant on the flat and this constant value equals $\bigoplus_{i=1}^r \eta_i (a_i \cdot x) = \bigoplus_{i=1}^r \eta_i (\varepsilon_i \oplus 1)$; hence, $\widehat{f}(a) = \sum_{x \in A} (-1)^{a \cdot x}$ equals then $2^{n-r} (-1)^{\bigoplus_{i=1}^r \eta_i (\varepsilon_i \oplus 1)}$. Thus, if $a = \sum_{i=1}^r \eta_i a_i \ne 0$, then we have $\widehat{f_\chi}(a) = -2^{n-r+1} (-1)^{\bigoplus_{i=1}^r \eta_i (\varepsilon_i \oplus 1)}$; and we have $\widehat{f_\chi}(0) = 2^n - 2^{n-r+1}$.
Note that the nonlinearity of f equals $2^{n-r}$ and is bad. But indicators of flats can be used to design Boolean functions with good nonlinearities (see Subsection 7.3).

Note. As recalled at Section 3.1, the functions of R(r, n) whose weights occur in the range $[2^{n-r};\ 2^{n-r+1}[$ have been characterized by Kasami and Tokura [155]; any such function is the product of the indicator of a flat and of a quadratic function or is the sum (modulo 2) of two indicators of flats. The Walsh spectra of such functions can also be precisely computed.

5.3 Other functions whose nonlinearities can be better approximated than for general functions

5.3.1 Maiorana-McFarland's functions and their generalizations
Maiorana-McFarland's functions will be defined at Sections 6 (for bent functions) and 7 (for resilient functions). The computation of their weights and Walsh spectra is easier than for general Boolean functions, and in some cases they can be completely determined. Generalizations exist, sharing this same property (see Section 7). Their algebraic immunity has been studied in [69].

5.3.2 Normal functions


Let E and E 0 be subspaces of Fn2 such that E ∩ E 0 = {0} and whose direct
sum equals Fn2 . Denote by k the dimension of E. For every a ∈ E 0 , let ha be
the restriction of f to the coset a + E. Then, Relation (25) in Proposition 7
implies
2 X
maxn fbχ (u) ≥ F 2 (ha )
u∈F2
a∈E 0
2
(indeed, the maximum of fbχ (u) is greater than or equal to its mean). Hence
2
we have: maxu∈Fn2 fbχ (u) ≥ F 2 (ha ) for every a. Applying this property to
f ⊕ `, where ` is any linear function, and using Relation (31), we deduce:

∀a ∈ E 0 , N L(f ) ≤ 2n−1 − 2k−1 + N L(ha ). (37)

This bound was first proved (in a different way) by Zheng et al. in [270]. The present proof is from [33]. Relation (37) can also be deduced from Relation (14) applied to the sign function of $f$, and in which the roles of $E$ and $E^\perp$ are exchanged: let us choose $b \in F_2^n$ such that $\sum_{x \in a \oplus E} (-1)^{f(x) \oplus b \cdot x}$ is maximum, that is, equals $2^k - 2NL(h_a)$. Then
$$\sum_{u \in b \oplus E^\perp} (-1)^{a \cdot u}\, \widehat{f_\chi}(u) = |E^\perp| \left( 2^k - 2NL(h_a) \right).$$
Then the mean of $(-1)^{a \cdot u} \widehat{f_\chi}(u)$, when $u$ ranges over $b \oplus E^\perp$, is equal to $\pm \left( 2^k - 2NL(h_a) \right)$. Thus, the maximum magnitude of $\widehat{f_\chi}(u)$ is greater than or equal to $2^k - 2NL(h_a)$. This implies Relation (37). These two methods for proving (37) lead to two different necessary conditions for the case of equality (see [57]).

Relation (37) implies in particular that, if the restriction of $f$ to a $k$-dimensional flat of $F_2^n$ is affine (say equals $\ell$), then $NL(f) \le 2^{n-1} - 2^{k-1}$, and that, if equality occurs, then $f \oplus \ell$ is balanced on every other coset of this flat.

Definition 3 A function is called $k$-weakly-normal (resp. $k$-normal) if its restriction to some $k$-dimensional flat is affine (resp. constant).

H. Dobbertin introduced this terminology by calling normal the functions that we call $n/2$-normal here (we shall also call normal the $n/2$-normal functions, in the sequel). He used this notion for constructing balanced functions with high nonlinearities (see Subsection 7.3.1). It is proved in [57] that, for every $\alpha > 1$, when $n$ tends to infinity, random Boolean functions are almost surely $(\alpha \log_2 n)$-non-normal. This means that almost all Boolean functions have high complexity with respect to this criterion. As usual, the proof of existence of non-normal functions does not give examples of such functions. Alon, Goldreich, Hastad and Peralta give in [2] several constructions of functions that are nonconstant on flats of dimension $n/2$. This is not explicitly mentioned in the paper. What they actually show is that the functions (they say, the sets) are not constant on flats defined by equations $x_{i_1} = a_1, \ldots, x_{i_{n/2}} = a_{n/2}$. To prove that, they use however the fact that the sets have small bias with respect to linear tests. As this property is invariant w.r.t. affine transformations, it implies the result.
There are also explicit constructions that work for dimensions $(1/2 - \varepsilon)\, n$, for some small $\varepsilon > 0$, very recently found by Jean Bourgain [18]. Functions that are nonconstant on flats of dimensions $n^\delta$ for every $\delta > 0$ are also given in [10]. These constructions are very good asymptotically (but may not be usable to obtain functions in explicit numbers of variables). As far as we know, no construction is known below $n^\delta$.

5.3.3 Partial covering sequences

The notion of covering sequence for a Boolean function has been introduced in [79].

Definition 4 Let $f$ be an $n$-variable Boolean function. An integer-valued$^{20}$ sequence $(\lambda_a)_{a \in F_2^n}$ is called a covering sequence for $f$ if the integer-valued function $\sum_{a \in F_2^n} \lambda_a D_a f(x)$ takes a constant value. This constant value is called the level of a covering sequence. If the level is nonzero, we say that the covering sequence is a non-trivial covering sequence.

$^{20}$ or real-valued, or even complex-valued; but taking real or complex sequences instead of integer-valued ones has no practical sense.

Note that the sum $\sum_{a \in F_2^n} \lambda_a D_a f(x)$ involves both kinds of additions: the addition in $\mathbb{Z}$ and the addition $\oplus$ in $F_2$ (which is concealed inside $D_a f$). It was shown in [79] that any function admitting a non-trivial covering sequence is balanced (see Proposition 18 below for a proof) and that any balanced function admits the constant sequence 1 as covering sequence (the level of this sequence is $2^{n-1}$).
A characterization of covering sequences by means of the Walsh transform was also given in [79]: denote again by $S_{\widehat{f_\chi}}$ the support $\{u \in F_2^n \mid \widehat{f_\chi}(u) \ne 0\}$ of $\widehat{f_\chi}$; then $f$ admits an integer-valued sequence $\lambda = (\lambda_a)_{a \in F_2^n}$ as covering sequence if and only if the Fourier transform $\widehat{\lambda}$ of the function $a \mapsto \lambda_a$ takes a constant value on $S_{\widehat{f_\chi}}$. Indeed, $f$ admits the covering sequence $\lambda$ with level $\rho$ if and only if, for every $x \in F_2^n$, we have
$$\sum_{a \in F_2^n} \lambda_a (-1)^{f(x+a)} = \Big( \sum_{a \in F_2^n} \lambda_a - 2\rho \Big) (-1)^{f(x)};$$
the characterization is then a consequence of the property that the equality between two integer-valued functions is equivalent to the equality between their Fourier transforms, and of the relation
$$\sum_{a, x \in F_2^n} \lambda_a (-1)^{f(x+a) + x \cdot b} = \sum_{a \in F_2^n} \lambda_a (-1)^{a \cdot b}\, \widehat{f_\chi}(b).$$
Knowing a covering sequence (trivial or not) of a function $f$ permits to know that all the vectors $a$ such that $f(x) \oplus a \cdot x$ is non-balanced belong to the set $\widehat{\lambda}^{-1}(\mu)$, where $\mu$ is this value; hence, if $f$ admits a covering sequence $\lambda = (\lambda_a)_{a \in F_2^n}$ with level $\rho$ (resp. with level $\rho \ne 0$), then $f$ is $k$-th order correlation-immune (resp. $k$-resilient) where $k+1$ is the minimum Hamming weight of nonzero $b \in F_2^n$ such that $\widehat{\lambda}(b) = r$, where $r = \widehat{\lambda}(0) - 2\rho$. Conversely, if $f$ is $k$-th order correlation-immune (resp. $k$-resilient) and if it is not $(k+1)$-th order correlation-immune (resp. $(k+1)$-resilient), then there exists at least one (non-trivial) covering sequence $\lambda = (\lambda_a)_{a \in F_2^n}$ with level $\rho$ such that $k+1$ is the minimum Hamming weight of $b \in F_2^n$ satisfying $\widehat{\lambda}(b) = \widehat{\lambda}(0) - 2\rho$.
A covering sequence playing a particular role is the indicator of the set of vectors of weight one. The functions which admit this covering sequence are called regular; they are $(\rho - 1)$-resilient (where $\rho$ is the level); more generally, any function admitting as covering sequence the indicator of a set of vectors whose supports are disjoint has this same property. See further properties in [79].
But knowing a covering sequence for $f$ gives no information on the nonlinearity of $f$, since it gives only information on the support of the Walsh transform, not on the nonzero values it takes. In [60], the definition of covering sequence is weakened so that it can help computing the (nonzero) values of the Walsh transform.
Definition 5 Let $f$ be a Boolean function on $F_2^n$. A non-trivial partial covering sequence for $f$ is an integer-valued sequence $(\lambda_a)_{a \in F_2^n}$ such that the integer-valued function $\sum_{a \in F_2^n} \lambda_a D_a f(x)$ takes on two values 0 and $\rho \ne 0$. The constant $\rho$ is called the level of the partial covering sequence.

A simple example of non-trivial partial covering sequence is as follows: let $\mathcal{E}$ be any set of derivatives of $f$ which is not reduced to the null function. Assume that $\mathcal{E}$ is stable under addition (i.e. is an $F_2$-vectorspace). Then $\sum_{g \in \mathcal{E}} g$ takes on values 0 and $\frac{|\mathcal{E}|}{2}$. Thus, if $\mathcal{E} = \{D_a f \mid a \in E\}$ (where any two different vectors of the set $E$ give different functions of $\mathcal{E}$), then $1_E$ is a non-trivial partial covering sequence.
The interest of non-trivial partial covering sequences is that they permit to simplify the computation of the weight of $f$ (or the value of $F(f)$, which is equivalent).
Proposition 18 Let $f$ be a Boolean function on $F_2^n$ and let $(\lambda_a)_{a \in F_2^n}$ be a non-trivial partial covering sequence for $f$. Denote by $A$ the set $\{x \in F_2^n \mid \sum_{a \in F_2^n} \lambda_a D_a f(x) = 0\}$. Then
$$F(f) = \sum_{x \in A} (-1)^{f(x)}$$
and if $A = \emptyset$, then $f$ is balanced.

Proof. For every $a \in F_2^n$, the set $(D_a f)^{-1}(1)$ is invariant under the mapping $x \mapsto x + a$. For every $x$ in this set, we have $f(x+a) = f(x) \oplus 1$ and, thus, $(-1)^{f(x+a)} + (-1)^{f(x)} = 0$. Hence, we have
$$\sum_{x \in F_2^n} D_a f(x) (-1)^{f(x)} = \sum_{x \in (D_a f)^{-1}(1)} (-1)^{f(x)} = 0. \qquad (38)$$
We deduce that the sum $\sum_{a \in F_2^n} \lambda_a \left( \sum_{x \in F_2^n} D_a f(x) (-1)^{f(x)} \right)$ is null. This sum equals $\sum_{x \in F_2^n} (-1)^{f(x)} \left( \sum_{a \in F_2^n} \lambda_a D_a f(x) \right) = \rho \sum_{x \notin A} (-1)^{f(x)}$. Hence $\sum_{x \notin A} (-1)^{f(x)} = 0$ and $\sum_{x \in F_2^n} (-1)^{f(x)} = \sum_{x \in A} (-1)^{f(x)}$. □

Examples are given in [60] of computations of the weights or the Walsh spectra of some Boolean functions (quadratic functions, Maiorana-McFarland's functions and their extensions, and other examples of functions), using Proposition 18.

5.3.4 Functions with low univariate degree
The following Weil's Theorem is very well-known in finite field theory (cf. [178, Theorem 5.38]):

Theorem 1 Let $q$ be a prime power and $f \in F_q[x]$ a univariate polynomial of degree $d \ge 1$ with $\gcd(d, q) = 1$. Let $\chi$ be a non-trivial character of $F_q$. Then
$$\left| \sum_{x \in F_q} \chi(f(x)) \right| \le (d-1)\, q^{1/2}.$$

For $q = 2^n$, this Weil's bound means that, for every nonzero $a \in F_{2^n}$: $\left| \sum_{x \in F_{2^n}} (-1)^{tr(af(x))} \right| \le (d-1)\, 2^{n/2}$. And since adding a linear function $tr(bx)$ to the function $tr(af(x))$ corresponds to adding $(b/a)\, x$ to $f(x)$ and does not change its univariate degree, we deduce that, if $d > 1$ is odd and $a \ne 0$, then:
$$NL(tr(af)) \ge 2^{n-1} - (d-1)\, 2^{n/2-1}.$$

6 Bent functions
Bent functions have been defined, at Subsection 4.1, as those Boolean functions $f$ on $F_2^n$ ($n$ even) whose distance to the set $R(1,n)$ of all $n$-variable affine functions (the nonlinearity of $f$) equals $2^{n-1} - 2^{n/2-1}$ (the covering radius of the Reed-Muller code of order 1). Equivalently, as seen also at Subsection 4.1, $f$ is bent if and only if $\widehat{f_\chi}$ takes on values $\pm 2^{n/2}$ only. Hence, $f$ is bent if and only if its distance to any affine function equals $2^{n-1} \pm 2^{n/2-1}$. Note that, for any bent function $f$, half of the elements of the Reed-Muller code of order 1 lie at distance $2^{n-1} + 2^{n/2-1}$ from $f$ and half lie at distance $2^{n-1} - 2^{n/2-1}$ (indeed, if $\ell$ lies at distance $2^{n-1} + 2^{n/2-1}$ from $f$, then $\ell \oplus 1$ lies at distance $2^{n-1} - 2^{n/2-1}$ and vice versa). In fact, the condition on $\widehat{f_\chi}$ can be weakened, without losing the property of being necessary and sufficient:

Lemma 2 Any $n$-variable ($n$ even $\ge 2$) Boolean function $f$ is bent if and only if, for every $a \in F_2^n$, $\widehat{f_\chi}(a) \equiv 2^{n/2} \pmod{2^{n/2+1}}$, or equivalently $\widehat{f}(a) \equiv 2^{n/2-1} \pmod{2^{n/2}}$.

Proof. This necessary condition is also sufficient, since, if it is satisfied, and if $\widehat{f_\chi}(a) \ne \pm 2^{n/2}$ for some $a$, then $f_\chi$ cannot satisfy Parseval's Relation (20); a contradiction. □

A slightly different viewpoint is that of bent sequences$^{21}$ but we shall not adopt it here because it most often gives no extra insight on the problems. The nonlinearity being an affine invariant, so is the notion of bent function. Clearly, if $f$ is bent and $\ell$ is affine, then $f \oplus \ell$ is bent. A class of bent functions is called a complete class of functions if it is globally invariant under the action of the general affine group and the addition of affine functions. The notion of bent function is also independent of the choice of the inner product on $F_2^n$ (since any other inner product has the form $\langle x, s \rangle = x \cdot L(s)$, where $L$ is an auto-adjoint linear isomorphism, i.e. an isomorphism whose associated matrix is symmetric).
Thanks to Relation (22) and to the fact that the Fourier transform of a function is constant if and only if the function equals $\delta_0$ times some constant, we see that any function $f$ is bent if and only if, for any nonzero word $a$, the Boolean function $D_a f(x) = f(x) \oplus f(x+a)$ is balanced. In other words:

Proposition 19 Any $n$-variable Boolean function ($n$ even) is bent if and only if it satisfies $PC(n)$.

For this reason, bent functions are also called perfect nonlinear functions$^{22}$. Equivalently, $f$ is bent if and only if the $2^n \times 2^n$ matrix $H = [(-1)^{f(x+y)}]_{x, y \in F_2^n}$ is a Hadamard matrix (i.e. satisfies $H \times H^t = 2^n I$, where $I$ is the identity matrix), and if and only if the support of $f$ is a difference set$^{23}$ of the elementary Abelian 2-group $F_2^n$ [104, 152]. Other types of difference sets exist (see e.g. [106]). This implies that the Cayley graph $G_f$ (see Subsection 2.2.2) is strongly regular (see [14] for more precision).
Functions satisfying $PC(n)$ do not exist for odd $n$.
The functions whose derivatives $D_a f$, $a \in H$, $a \ne 0$ are all balanced, where $H$ is a linear hyperplane of $F_2^n$, are characterized in [32, 33] for every $n$; they are all bent if $n$ is even. The functions whose derivatives $D_a f$, $a \in E$, $a \ne 0$ are all balanced, where $E$ is a vector subspace of $F_2^n$ of dimension $n-2$, are also characterized in these two papers.

$^{21}$ For each vector $X$ in $Q_{2^n} = \{-1, 1\}^{2^n}$, define $\hat{X} = \frac{1}{\sqrt{2^n}} H_n X$, where $H_n$ is the Walsh-Hadamard matrix, recursively defined by
$$H_n = \begin{bmatrix} H_{n-1} & H_{n-1} \\ H_{n-1} & -H_{n-1} \end{bmatrix}, \qquad H_0 = [1].$$
The vectors $X$ such that $\hat{X}$ belongs to $Q_{2^n}$ are called bent sequences. They are the images by the character $\chi = (-1)^{\cdot}$ of the bent functions on $F_2^n$.
$^{22}$ The characterization of Proposition 19 leads to a generalization of the notion of bent function to non-binary functions. In fact, several generalizations exist [3, 165, 183] (see [65] for a survey); the equivalence between being bent and being perfect nonlinear is no more valid if we consider functions defined over residue class rings (see [67]).
$^{23}$ Thus, bent functions are also related to designs, since any difference set can be used to construct a symmetric design, see [7], pages 274-278. The notion of difference set is anterior to that of bent function, but it had not been much studied in the case of elementary 2-groups before the introduction of bent functions.

A last way of looking at bent functions deals with linear codes: let $f$ be any $n$-variable Boolean function ($n$ even). Denote its support $\{x \in F_2^n \mid f(x) = 1\}$ by $S_f$ and write $S_f = \{u_1, \ldots, u_{w_H(f)}\}$. Consider a matrix $G$ whose columns are all the vectors of $S_f$, without repetition, and let $C$ be the linear code generated by the lines of this matrix. Thus, $C$ is the set of all the vectors $U_v = (v \cdot u_1, \ldots, v \cdot u_{w_H(f)})$, where $v$ ranges over $F_2^n$. Then:

Proposition 20 Let $n$ be any even positive integer. Any $n$-variable Boolean function $f$ is bent if and only if the linear code $C$ defined above has dimension $n$ (i.e. $G$ is a generator matrix of $C$) and has exactly two nonzero Hamming weights: $2^{n-2}$ and $w_H(f) - 2^{n-2}$.

Indeed, $w_H(U_v)$ equals $\sum_{x \in F_2^n} f(x) \times (v \cdot x) = \sum_{x \in F_2^n} f(x)\, \frac{1 - (-1)^{v \cdot x}}{2} = \frac{\widehat{f}(0) - \widehat{f}(v)}{2}$. Hence, according to Relation (9), it equals $2^{n-2} + \frac{\widehat{f_\chi}(v) - \widehat{f_\chi}(0)}{4}$, for every nonzero vector $v$. Thus, $C$ has dimension $n$ and has the two nonzero Hamming weights $2^{n-2}$ and $w_H(f) - 2^{n-2}$ if and only if, for every $v \ne 0$, $U_v$ is nonzero and $\widehat{f_\chi}(v) = \widehat{f_\chi}(0)$ or $\widehat{f_\chi}(v) = \widehat{f_\chi}(0) + 4 w_H(f) - 2^{n+1} = \widehat{f_\chi}(0) - 2\widehat{f_\chi}(0) = -\widehat{f_\chi}(0)$. If $f$ is bent, then this condition is clearly satisfied. Conversely, according to Parseval's Relation (20), if this condition is satisfied, then $\widehat{f_\chi}(v)$ equals $\pm 2^{n/2}$ for every $v$, i.e. $f$ is bent.

There exist two other characterizations [260] dealing with $C$:

1. $C$ has dimension $n$ and $C$ has exactly two weights, whose sum equals $w_H(f)$;
2. The length $w_H(f)$ of $C$ is even, $C$ has exactly two weights, and one of these weights is $2^{n-2}$.
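The following added example (not code from the chapter) checks, on constructed 4- and 6-variable functions, the characterizations of bentness given above: the Walsh spectrum, the congruence of Lemma 2, the $PC(n)$ criterion of Proposition 19, the Hadamard matrix, and the two-weight code $C$ of Proposition 20.

```python
"""Equivalent characterizations of bentness from this section, checked on
constructed functions: the Walsh spectrum (values +-2^(n/2) only), the
congruence of Lemma 2, the PC(n) criterion of Proposition 19, the Hadamard
matrix H = [(-1)^f(x+y)], and the two-weight code C of Proposition 20.
Added example, not the chapter's code.  Truth tables are lists of 2**n bits
indexed by x in [0, 2**n); the i-th binary digit of x (least significant
first) is the coordinate x_i, so vector addition is integer XOR."""


def coord(x, i):
    return (x >> (i - 1)) & 1


def dot(a, b):
    return bin(a & b).count("1") & 1


def nvars(f):
    return len(f).bit_length() - 1


def walsh(f):
    """hat(f_chi)(u) = sum_x (-1)^(f(x) + u.x)."""
    size = len(f)
    return [sum(1 - 2 * (f[x] ^ dot(u, x)) for x in range(size))
            for u in range(size)]


def is_bent_walsh(f):
    n = nvars(f)
    return n % 2 == 0 and all(abs(w) == 2 ** (n // 2) for w in walsh(f))


def is_bent_lemma2(f):
    """Lemma 2: hat(f_chi)(a) = 2^(n/2) mod 2^(n/2+1) for every a."""
    n = nvars(f)
    half = 2 ** (n // 2)
    return n % 2 == 0 and all(w % (2 * half) == half for w in walsh(f))


def is_balanced(f):
    return 2 * sum(f) == len(f)


def satisfies_pc_n(f):
    """Proposition 19: D_a f(x) = f(x) + f(x + a) is balanced for every a != 0."""
    return all(is_balanced([fx ^ f[x ^ a] for x, fx in enumerate(f)])
               for a in range(1, len(f)))


def is_hadamard(f):
    """H x H^t = 2^n I for the 2^n x 2^n matrix H = [(-1)^f(x+y)]."""
    size = len(f)
    H = [[1 - 2 * f[x ^ y] for y in range(size)] for x in range(size)]
    return all(sum(H[x][y] * H[z][y] for y in range(size)) == (size if x == z else 0)
               for x in range(size) for z in range(size))


def support_code(f):
    """Proposition 20: the code C = {U_v = (v.u_1, ..., v.u_w) : v in F_2^n},
    u_1..u_w being the support of f.  Returns (dim C, set of nonzero weights)."""
    support = [x for x, fx in enumerate(f) if fx]
    words = {tuple(dot(v, u) for u in support) for v in range(len(f))}
    dim = len(words).bit_length() - 1        # C is linear, so |C| = 2^dim
    return dim, {sum(word) for word in words if any(word)}


def quadratic_bent(n):
    """x1 x2 + x3 x4 + ... + x_{n-1} x_n, the bent function of Alinea 4 in 6.2."""
    return [sum(coord(x, i) & coord(x, i + 1) for i in range(1, n, 2)) & 1
            for x in range(2 ** n)]


# Constructed non-bent comparison function on 4 variables: x1 x2 x3 + x4.
CUBIC4 = [coord(x, 1) & coord(x, 2) & coord(x, 3) ^ coord(x, 4) for x in range(16)]

if __name__ == "__main__":
    for name, f in (("x1x2+x3x4", quadratic_bent(4)), ("x1x2x3+x4", CUBIC4)):
        print(name, is_bent_walsh(f), is_bent_lemma2(f), satisfies_pc_n(f),
              is_hadamard(f), support_code(f))
```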

6.1 The dual

If $f$ is bent, then the dual function $\tilde{f}$ of $f$, defined on $F_2^n$ by:
$$\widehat{f_\chi}(u) = 2^{n/2} (-1)^{\tilde{f}(u)}$$
is also bent and its own dual is $f$ itself. Indeed, Relation (16) applied to $\varphi = f_\chi$ (the sign function of $f$) gives, for every vector $a$: $\sum_{u \in F_2^n} (-1)^{\tilde{f}(u) \oplus a \cdot u} = 2^{n/2} f_\chi(a) = 2^{n/2} (-1)^{f(a)}$.
Let $f$ and $g$ be two bent functions, then Relation (19) applied with $\varphi = f_\chi$ and $\psi = g_\chi$ shows that
$$F(\tilde{f} \oplus \tilde{g}) = F(f \oplus g). \qquad (39)$$
Thus, $f \oplus g$ and $\tilde{f} \oplus \tilde{g}$ have the same weight and the mapping $f \mapsto \tilde{f}$ is an isometry.
According to Proposition 4, for every $a, b \in F_2^n$ and for every bent function $f$, the dual of the function $f(x+b) \oplus a \cdot x$ equals $\tilde{f}(x+a) \oplus b \cdot (x+a) = \tilde{f}(x+a) \oplus b \cdot x \oplus a \cdot b$. Denoting $b \cdot x$ by $\ell_b(x)$, Relation (39), applied with $g(x) = f(x+b) \oplus a \cdot x$, gives $F(D_a \tilde{f} \oplus \ell_b) = (-1)^{a \cdot b} F(D_b f \oplus \ell_a)$, and applied with $g(x) = f(x+b) \oplus \ell_a(x+b)$, it gives the following property, first observed in [52] (see also [34]):
$$F(D_a \tilde{f} \oplus \ell_b) = F(D_b f \oplus \ell_a) \qquad (40)$$
(from these two relations, we deduce that, if $a \cdot b = 1$, then $F(D_b f \oplus \ell_a) = 0$ and thus that $D_b f$ is balanced on $a^\perp$ and on its complement; notice also that, for every $a$ and $b$, $D_b f = \ell_a \oplus \epsilon$ if and only if $D_a \tilde{f} = \ell_b \oplus \epsilon$).
Moreover, if a pair of Boolean functions $f$ and $f'$ satisfies the relation $F(D_a f' \oplus \ell_b) = F(D_b f \oplus \ell_a)$, then these functions are bent (indeed, taking $a = 0$ shows that $D_b f$ is balanced for every $b \ne 0$ and taking $b = 0$ shows that $D_a f'$ is balanced for every $a \ne 0$), and are then the duals of each other up to the addition of a constant. Indeed, summing up the relation $F(D_a f' \oplus \ell_b) = F(D_b f \oplus \ell_a)$ for $b$ ranging over $F_2^n$ shows that $f'(0) \oplus f'(a) = \tilde{f}(0) \oplus \tilde{f}(a)$ for every $a$, since we have $\sum_{x, b \in F_2^n} (-1)^{f'(x) \oplus f'(x+a) \oplus b \cdot x} = 2^n (-1)^{f'(0) \oplus f'(a)}$, and $\sum_{x, b \in F_2^n} (-1)^{f(x) \oplus f(x+b) \oplus a \cdot x} = \widehat{f_\chi}(0) \times \widehat{f_\chi}(a)$.
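The dual and Relations (39) and (40), as an added example that is not part of the chapter: the dual is computed from the Walsh spectrum for two constructed 6-variable bent functions, one of them a Maiorana-McFarland function whose dual is also predicted by the closed formula of Subsection 6.4.1, and the relations are checked exhaustively over all pairs $(a, b)$.

```python
"""The dual f~ of a bent function (Subsection 6.1): f~ is bent, the dual of
f~ is f, and Relations (39) and (40) hold, including the consequence that
D_b f + l_a is balanced whenever a.b = 1.  Checked on two constructed
6-variable bent functions.  Added example, not code from the chapter."""


def coord(x, i):
    return (x >> (i - 1)) & 1


def dot(a, b):
    return bin(a & b).count("1") & 1


def walsh(f):
    size = len(f)
    return [sum(1 - 2 * (f[x] ^ dot(u, x)) for x in range(size))
            for u in range(size)]


def dual(f):
    """f~ defined by hat(f_chi)(u) = 2^(n/2) (-1)^f~(u); f must be bent."""
    n = len(f).bit_length() - 1
    half = 2 ** (n // 2)
    spectrum = walsh(f)
    if any(abs(w) != half for w in spectrum):
        raise ValueError("function is not bent, it has no dual")
    return [0 if w == half else 1 for w in spectrum]


def bias(f):
    """F(f) = sum_x (-1)^f(x)."""
    return sum(1 - 2 * fx for fx in f)


def xor(f, g):
    return [a ^ b for a, b in zip(f, g)]


def derivative(f, a):
    """D_a f(x) = f(x) + f(x + a)."""
    return [fx ^ f[x ^ a] for x, fx in enumerate(f)]


def add_linear(f, b):
    """f + l_b where l_b(x) = b.x."""
    return [fx ^ dot(b, x) for x, fx in enumerate(f)]


def relation_39_holds(f, g):
    """F(f~ + g~) = F(f + g) for bent f and g."""
    return bias(xor(dual(f), dual(g))) == bias(xor(f, g))


def relation_40_holds(f):
    """F(D_a f~ + l_b) = F(D_b f + l_a) for all a, b, and F(D_b f + l_a) = 0
    whenever a.b = 1 (the consequence noted after Relation (40))."""
    ft = dual(f)
    for a in range(len(f)):
        for b in range(len(f)):
            lhs = bias(add_linear(derivative(ft, a), b))
            rhs = bias(add_linear(derivative(f, b), a))
            if lhs != rhs or (dot(a, b) == 1 and rhs != 0):
                return False
    return True


def pairs(x):
    """x1 x2 + x3 x4 + x5 x6 on F_2^6."""
    return coord(x, 1) & coord(x, 2) ^ coord(x, 3) & coord(x, 4) ^ coord(x, 5) & coord(x, 6)


# Constructed inputs on F_2^6.  F1 = x1x2 + x3x4 + x5x6 is quadratic bent and
# self-dual.  F2 = F1 + x1x3x5 is a Maiorana-McFarland function x.pi(y) + g(y)
# with x = (x2, x4, x6), y = (x1, x3, x5), pi = id and g(y) = y1 y2 y3, so by
# the dual formula of 6.4.1 (y.pi^-1(x) + g(pi^-1(x))) its dual is F1 + x2x4x6.
F1 = [pairs(x) for x in range(64)]
F2 = [pairs(x) ^ coord(x, 1) & coord(x, 3) & coord(x, 5) for x in range(64)]
F2_DUAL_EXPECTED = [pairs(x) ^ coord(x, 2) & coord(x, 4) & coord(x, 6) for x in range(64)]

if __name__ == "__main__":
    print("F1 self-dual:", dual(F1) == F1)
    print("dual of F2 matches the formula:", dual(F2) == F2_DUAL_EXPECTED)
    print("dual of dual is F2:", dual(dual(F2)) == F2)
    print("Relation (39):", relation_39_holds(F1, F2), "Relation (40):", relation_40_holds(F2))
```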

The NNF of $\tilde{f}$ (which will be useful later) can be deduced from the NNF of $f$. Indeed, using Relation (9) and the equality $\tilde{f} = \frac{1 - (-1)^{\tilde{f}}}{2}$, we have
$$\tilde{f} = \frac{1}{2} - 2^{-n/2-1} \widehat{f_\chi} = \frac{1}{2} - 2^{n/2-1} \delta_0 + 2^{-n/2} \widehat{f}.$$
Applying now Relation (27) to $\varphi = f$, we deduce:
$$\tilde{f}(x) = \frac{1}{2} - 2^{n/2-1} \delta_0(x) + \sum_{I \in \mathcal{P}(N) \mid supp(x) \subseteq I} (-1)^{w_H(x)}\, 2^{n/2 - |I|} \lambda_I.$$
Changing $I$ into $N \setminus I$ in this relation, and observing that $supp(x)$ is included in $N \setminus I$ if and only if $x_i = 0$, $\forall i \in I$, we obtain the NNF of $\tilde{f}$ by expanding the following relation:
$$\tilde{f}(x) = \frac{1}{2} - 2^{n/2-1} \prod_{i=1}^{n} (1 - x_i) + \sum_{I \in \mathcal{P}(N)} (-1)^{w_H(x)}\, 2^{|I| - n/2} \lambda_{N \setminus I} \prod_{i \in I} (1 - x_i).$$
We deduce (as shown in [73]):

Proposition 21 Let $f$ be any $n$-variable bent function ($n$ even). For every $I \ne N$ such that $|I| > n/2$, the coefficient of $x^I$ in the NNF of $\tilde{f}$ (resp. of $f$) is divisible by $2^{|I| - n/2}$.

Using Relation (6), this property can be related to the main result of [144] (but this result by Hou was stated in a complex way).

Relation (14) applied to $\varphi = f_\chi$ gives (see [45])
$$\sum_{x \in a+E} (-1)^{f(x) \oplus b \cdot x} = 2^{-n/2} |E|\, (-1)^{a \cdot b} \sum_{x \in b+E^\perp} (-1)^{\tilde{f}(x) \oplus a \cdot x}. \qquad (41)$$

6.2 Bent functions of low algebraic degrees

Obviously, no affine function can be bent. All the quadratic bent functions are known: according to the properties recalled at Subsection 5.1, any such function
$$f(x) = \bigoplus_{1 \le i < j \le n} a_{i,j}\, x_i x_j \oplus h(x) \qquad (h \text{ affine},\ a_{i,j} \in F_2)$$
is bent if and only if one of the following equivalent properties is satisfied:

1. its Hamming weight is equal to $2^{n-1} \pm 2^{n/2-1}$;

2. its associated symplectic form $\varphi_f : (x, y) \mapsto f(0) \oplus f(x) \oplus f(y) \oplus f(x+y)$ is non-degenerate (i.e. has kernel $\{0\}$);

3. the skew-symmetric matrix $M = (m_{i,j})_{i,j \in \{1, \ldots, n\}}$ over $F_2$, defined by $m_{i,j} = a_{i,j}$ if $i < j$, $m_{i,j} = 0$ if $i = j$, and $m_{i,j} = a_{j,i}$ if $i > j$, is regular (i.e. has determinant 1); indeed, $M$ is the matrix of the bilinear form $\varphi_f$;

4. $f(x)$ is equivalent, up to an affine nonsingular transformation, to the function $x_1 x_2 \oplus x_3 x_4 \oplus \cdots \oplus x_{n-1} x_n \oplus \varepsilon$ ($\varepsilon \in F_2$).

Open problem: characterize the bent functions of algebraic degrees $\ge 3$ (that is, classify them under the action of the general affine group). This has been done for $n \le 6$ in [231] (see also [225] where the number of bent functions is computed for these values of $n$). For $n = 8$, it has been done in [140], for functions of algebraic degrees at most 3 only; all of these functions have at least one affine derivative $D_a f$, $a \ne 0$ (it has been proved in [34] that this happens for $n \le 8$ only).

6.3 Bound on algebraic degree

The algebraic degree of any Boolean function $f$ being equal to the maximum size of the multi-index $I$ such that $x^I$ has an odd coefficient in the NNF of $f$, Proposition 21 applied to $\tilde{f}$ gives:

Proposition 22 Let $n$ be any even integer greater than or equal to 4. The algebraic degree of any bent function on $F_2^n$ is at most $n/2$.

This property (which is obviously also true for $\tilde{f}$) was first proved in [231] and will be called Rothaus' bound in the sequel. It can also be proved (see below) by using a similar method as in the proof of Proposition 9. This same method also permits to obtain a bound, shown in [143], relating the gaps between $n/2$ and the algebraic degrees of $f$ and $\tilde{f}$:

Proposition 23 The algebraic degrees of any $n$-variable bent function and of its dual satisfy:
$$n/2 - d^\circ f \ \ge\ \frac{n/2 - d^\circ \tilde{f}}{d^\circ \tilde{f} - 1}. \qquad (42)$$

A proof of Proposition 23 and a second proof of Proposition 22. Denote by $d$ (resp. by $\tilde{d}$) the algebraic degree of $f$ (resp. of $\tilde{f}$). Consider a term $x^I$ of degree $d$ in the ANF of $f$. Relation (15) applied to $\varphi = f_\chi$ (or Relation (41) with $a = b = 0$) and to the vectorspace $E = \{u \in F_2^n \mid \forall i \in I,\ u_i = 0\}$ gives $\sum_{u \in E} (-1)^{\tilde{f}(u)} = 2^{n/2-d} \sum_{x \in E^\perp} f_\chi(x)$. The orthogonal $E^\perp$ of $E$ equals $\{u \in F_2^n \mid \forall i \notin I,\ u_i = 0\}$. According to Relation (3), the restriction of $f$ to $E^\perp$ has odd weight $w$, thus $\sum_{x \in E^\perp} f_\chi(x) = 2^d - 2w$ is not divisible by 4. Hence, $\sum_{u \in E} (-1)^{\tilde{f}(u)}$ is not divisible by $2^{n/2-d+2}$. If $d > n/2$, then $\sum_{u \in E} \widehat{f_\chi}(u)$ is not divisible by $2^{n/2+1}$; a contradiction with the fact that $E$ has an even size. This proves Proposition 22. Moreover, according to McEliece's theorem (or Ax's theorem), $\sum_{u \in E} (-1)^{\tilde{f}(u)}$ is divisible by $2^{\left\lceil \frac{n-d}{\tilde{d}} \right\rceil}$. We deduce the inequality $n/2 - d + 1 \ge \frac{n-d}{\tilde{d}}$, which is equivalent to (42). □

Using Relation (4) instead of Relation (3) gives a more precise result than Proposition 22, first shown in [73], which will be given at Subsection 6.6. Proposition 23 can also be deduced from Proposition 21 and from some divisibility properties, shown in [73], of the coefficients of the NNFs of Boolean functions of degree $d$.

6.4 Constructions
There does not exist a classification of bent functions under the action of the
general affine group. In order to know as many bent functions as possible,
we can try to design constructions of bent functions. Some of the known
constructions lead to classes of bent functions without using known ones.
We will call primary constructions these direct constructions. The others,
leading to recursive constructions, will be called secondary constructions.

6.4.1 Primary constructions

1. The Maiorana-McFarland original class $\mathcal{M}$ (see [104, 201]) is the set of all the Boolean functions on $F_2^n = \{(x, y),\ x, y \in F_2^{n/2}\}$, of the form:
$$f(x, y) = x \cdot \pi(y) \oplus g(y) \qquad (43)$$
where $\pi$ is any permutation on $F_2^{n/2}$ and $g$ any Boolean function on $F_2^{n/2}$ ("$\cdot$" denotes here the inner product in $F_2^{n/2}$). Any such function is bent. More precisely, the bijectivity of $\pi$ is a necessary and sufficient condition for $f$ being bent, according to Relation (44) applied with $r = n/2$. The dual function $\tilde{f}(x, y)$ equals $y \cdot \pi^{-1}(x) \oplus g(\pi^{-1}(x))$, where $\pi^{-1}$ is the inverse permutation of $\pi$. The completed class of $\mathcal{M}$ (that is, the smallest possible complete class including $\mathcal{M}$) contains all the quadratic bent functions (according to Alinea 4 of the characterization of quadratic bent functions given at Subsection 6.2; take $\pi = id$ and $g$ constant in (43)).
The fundamental idea of Maiorana-McFarland's construction consists in concatenating affine functions. Indeed, if we order all the binary words of length $n$ in lexicographic order, with the bit of higher weight on the right (for instance), then the truth-table of $f$ is the concatenation of the restrictions of $f$ obtained by setting the value of $y$ and letting $x$ freely range over $F_2^{n/2}$. These restrictions are affine. In fact, Maiorana-McFarland's construction is a particular case of a more general construction of bent functions [56]:

Proposition 24 Let $n = r + s$ ($r \le s$) be even. Let $\phi$ be any mapping from $F_2^s$ to $F_2^r$ such that, for every $a \in F_2^r$, the set $\phi^{-1}(a)$ is an $(n - 2r)$-dimensional affine subspace of $F_2^s$. Let $g$ be any Boolean function on $F_2^s$ whose restriction to $\phi^{-1}(a)$ (viewed as a Boolean function on $F_2^{n-2r}$ via an affine isomorphism between $\phi^{-1}(a)$ and this vectorspace) is bent for every $a \in F_2^r$, if $n > 2r$ (no condition on $g$ being imposed if $n = 2r$). Then the function $f_{\phi, g} = x \cdot \phi(y) \oplus g(y)$ is bent on $F_2^n$.

Proof. This is a direct consequence of the equality (valid for every $\phi$ and every $g$):
$$\widehat{(f_{\phi, g})_\chi}(a, b) = 2^r \sum_{y \in \phi^{-1}(a)} (-1)^{g(y) \oplus b \cdot y}, \qquad (44)$$
which comes from the fact that every function $x \mapsto f_{\phi, g}(x, y) \oplus a \cdot x \oplus b \cdot y$ being affine, and thus constant or balanced, it contributes for a nonzero value in the sum $\sum_{x \in F_2^r,\, y \in F_2^s} (-1)^{f_{\phi, g}(x, y) \oplus x \cdot a \oplus y \cdot b}$ only if $\phi(y) = a$. According to Relation (44), the function $f_{\phi, g}$ is bent if and only if $r \le n/2$ and $\sum_{y \in \phi^{-1}(a)} (-1)^{g(y) \oplus b \cdot y} = \pm 2^{n/2 - r}$ for every $a \in F_2^r$ and every $b \in F_2^s$. The hypothesis in Proposition 24 is a sufficient condition for that (but it is not a necessary one). □
This construction is a secondary one for $r < n/2$ and a primary one for $r = n/2$. Notice that it is pretty general: the choice of any partition of $F_2^s$ in $2^r$ flats of dimension $(n - 2r)$ and of an $(n - 2r)$-variable bent function on each of these flats leads to an $n$-variable bent function.
Obviously, every Boolean function can be represented in the form $f_{\phi, g}$ for some values of $r \ge 1$ and $s$. It has been shown in [183] that, if a bent function has the form $f_{\phi, g}$, then $\phi$ is balanced (i.e. is uniformly distributed over $F_2^r$). This is a direct consequence of the fact that, for every nonzero $a \in F_2^r$, the Boolean function $a \cdot \phi$ is balanced, since it equals the derivative $D_{(a, 0)} f_{\phi, g}$.
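As an added example (not code from the chapter), the Maiorana-McFarland construction and Proposition 24 worked on constructed instances with $n = 6$: a bijective $\pi$ on $F_2^3$ gives a bent function whose dual matches the formula $y \cdot \pi^{-1}(x) \oplus g(\pi^{-1}(x))$, a two-to-one $\phi$ does not, Relation (44) is checked against the brute-force Walsh transform for both, and an $r = 2 < n/2$ instance of Proposition 24 is bent or not depending on whether $g$ is bent on the fibres.

```python
"""Maiorana-McFarland functions f_{phi,g}(x, y) = x.phi(y) + g(y) and
Proposition 24 with Relation (44), on constructed instances with n = 6.
Added example, not code from the chapter.  The pair (x, y) in F_2^r x F_2^s
is stored at index x + 2**r * y, so a Walsh coefficient (a, b) sits at index
a + 2**r * b and (a, b).(x, y) = a.x + b.y."""


def dot(a, b):
    return bin(a & b).count("1") & 1


def coord(x, i):
    return (x >> (i - 1)) & 1


def mm_function(phi, g, r, s):
    """Truth table of x.phi(y) + g(y); phi and g are tables over F_2^s."""
    return [dot(x, phi[y]) ^ g[y] for y in range(2 ** s) for x in range(2 ** r)]


def walsh(f):
    size = len(f)
    return [sum(1 - 2 * (f[x] ^ dot(u, x)) for x in range(size)) for u in range(size)]


def is_bent(f):
    n = len(f).bit_length() - 1
    return n % 2 == 0 and all(abs(w) == 2 ** (n // 2) for w in walsh(f))


def walsh_by_relation_44(phi, g, r, s):
    """Relation (44): hat(f_chi)(a, b) = 2^r sum_{y in phi^-1(a)} (-1)^(g(y) + b.y)."""
    return [2 ** r * sum(1 - 2 * (g[y] ^ dot(b, y)) for y in range(2 ** s) if phi[y] == a)
            for b in range(2 ** s) for a in range(2 ** r)]


def relation_44_holds(phi, g, r, s):
    """(44) is valid for every phi and g, bijective or not."""
    return walsh(mm_function(phi, g, r, s)) == walsh_by_relation_44(phi, g, r, s)


def mm_dual(pi, g, m):
    """For bijective pi on F_2^m (r = s = m): f~(x, y) = y.pi^-1(x) + g(pi^-1(x))."""
    inv = [0] * 2 ** m
    for y, image in enumerate(pi):
        inv[image] = y
    return [dot(y, inv[x]) ^ g[inv[x]] for y in range(2 ** m) for x in range(2 ** m)]


def dual(f):
    """Dual read off the Walsh spectrum; only meaningful when f is bent."""
    n = len(f).bit_length() - 1
    return [0 if w == 2 ** (n // 2) else 1 for w in walsh(f)]


# Constructed instances.
M = 3
PI = [0, 3, 5, 6, 1, 2, 7, 4]              # a permutation of F_2^3
G3 = [0, 1, 1, 0, 1, 0, 1, 1]              # an arbitrary Boolean function on F_2^3
PHI_2_TO_1 = [y >> 1 for y in range(8)]    # not bijective: every fibre has 2 elements

# Proposition 24 with r = 2 < n/2 = 3, s = 4: phi(y) = (y1, y2), so every fibre
# phi^-1(a) = {y : y1 = a1, y2 = a2} is a 2-dimensional flat on which
# g(y) = y3 y4 is bent (it is x1 x2 in the two free coordinates); g(y) = y3 is
# affine on the fibres and violates the hypothesis.
PHI_24 = [y & 0b11 for y in range(16)]
G_BENT_ON_FIBRES = [coord(y, 3) & coord(y, 4) for y in range(16)]
G_AFFINE_ON_FIBRES = [coord(y, 3) for y in range(16)]

if __name__ == "__main__":
    f = mm_function(PI, G3, M, M)
    print("class M function bent:", is_bent(f), "dual formula:", dual(f) == mm_dual(PI, G3, M))
    print("two-to-one phi bent:", is_bent(mm_function(PHI_2_TO_1, G3, M, M)))
    print("Proposition 24 instance bent:", is_bent(mm_function(PHI_24, G_BENT_ON_FIBRES, 2, 4)))
```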

2. The Partial Spreads class $\mathcal{PS}$, introduced in [104] by J. Dillon, is the set of all the sums (modulo 2) of the indicators of $2^{n/2-1}$ or $2^{n/2-1} + 1$ "disjoint" $n/2$-dimensional subspaces of $F_2^n$ ("disjoint" meaning that any two of these spaces intersect in 0 only, and therefore that their sum is direct and equals $F_2^n$). The bentness of such function is a direct consequence of Theorem 5 below. This is why we omit the proof of this fact here. The dual of such a function has the same form, all the $n/2$-dimensional spaces $E$ being replaced by their orthogonals (see also Theorem 5). J. Dillon denotes by $\mathcal{PS}^-$ (resp. $\mathcal{PS}^+$) the class of those bent functions for which the number of $n/2$-dimensional subspaces is $2^{n/2-1}$ (resp. $2^{n/2-1} + 1$). All the elements of $\mathcal{PS}^-$ have algebraic degree $n/2$ exactly, but not all those of $\mathcal{PS}^+$ (which contains for instance all the quadratic functions, if $n/2$ is even). It is an open problem to characterize the algebraic normal forms of the elements of class $\mathcal{PS}$, and it is not a simple matter to construct, practically, elements of this class. J. Dillon exhibits in [104] a subclass of $\mathcal{PS}^-$, denoted by $\mathcal{PS}_{ap}$, whose elements (that we shall call Dillon's functions) are defined in an explicit form: $F_2^{n/2}$ is identified to the Galois field $F_{2^{n/2}}$ (an inner product in this field being defined as $x \cdot y = tr(xy)$, where $tr$ is the trace function from $F_{2^{n/2}}$ to $F_2$; we know that the notion of bent function is independent of the choice of the inner product); the space $F_2^n \approx F_{2^{n/2}} \times F_{2^{n/2}}$, viewed$^{24}$ as a 2-dimensional $F_{2^{n/2}}$-vectorspace, is equal to the "disjoint" union of its $2^{n/2} + 1$ lines through the origin; these lines are $n/2$-dimensional $F_2$-subspaces of $F_2^n$. Choosing any $2^{n/2-1}$ of the lines, and taking them different from those of equations $x = 0$ and $y = 0$, leads, by definition, to an element of $\mathcal{PS}_{ap}$, that is, to a function of the form $f(x, y) = g\left(x\, y^{2^{n/2}-2}\right)$, i.e. $g\left(\frac{x}{y}\right)$ with $\frac{x}{y} = 0$ if $y = 0$, where $g$ is a balanced Boolean function on $F_2^{n/2}$ which vanishes at 0. The complements $g\left(\frac{x}{y}\right) \oplus 1$ of these functions are the functions $g\left(\frac{x}{y}\right)$ where $g$ is balanced and does not vanish at 0; they belong to the class $\mathcal{PS}^+$. In both cases, the dual of $g\left(\frac{x}{y}\right)$ is $g\left(\frac{y}{x}\right)$. The elements of $\mathcal{PS}_{ap}$ are, equivalently, those Boolean functions $f$ of weight $2^{n-1} - 2^{n/2-1}$ on $F_{2^n}$ such that $f(0) = f(1) = 0$, and that, denoting by $\alpha$ a primitive element of this field, $f(\alpha^{2^{n/2}+1} x) = f(x)$ for every $x \in F_{2^n}$ (see [104, 68]).
Denoting by $tr$ the trace function from $F_{2^n}$ to its prime field $F_2$ (i.e. $tr(x) = x + x^2 + x^4 + \cdots + x^{2^{n-1}}$), the Boolean functions $f(x) = tr(ax^i)$, where $a \in F_{2^n}$ and where $i$ is a multiple of $2^{n/2} - 1$, satisfy this last condition. Some of them belong to $\mathcal{PS}_{ap}$. Other examples of bent functions of the same form exist. For instance (see [106, 36]), if $n$ is not divisible by 3 and if $k$ is co-prime with $n$, then, for every $a \in F_{2^n} \setminus \{x^3 \mid x \in F_{2^n}\}$, the function $tr(ax^{2^{2k} - 2^k + 1})$ is bent. This gives an infinite class of bent functions (other examples of similar bent functions exist).
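Dillon's $\mathcal{PS}_{ap}$ construction worked for $n = 6$, as an added example that is not code from the chapter: $F_8$ is built with the constructed modulus $t^3 + t + 1$, $g$ is a constructed balanced function with $g(0) = 0$, and the code checks that $g(x/y)$ is the sum of the indicators of $2^{n/2-1} = 4$ lines, has weight $2^{n-1} - 2^{n/2-1}$, is bent, has dual $g(y/x)$ under the trace inner product, and that its complement is bent with weight $2^{n-1} + 2^{n/2-1}$.

```python
"""Dillon's PS_ap functions f(x, y) = g(x y^(2^(n/2)-2)) = g(x/y) on
F_{2^(n/2)} x F_{2^(n/2)}, worked for n = 6: the sum-of-lines description,
weight 2^(n-1) - 2^(n/2-1), bentness, the complement lying in PS^+, and the
dual g(y/x) under the trace inner product x.y = tr(xy).  Added example, not
code from the chapter: the field F_8 is built with the constructed modulus
t^3 + t + 1 and g is a constructed balanced function with g(0) = 0."""

M = 3                  # n/2
Q = 1 << M             # |F_{2^M}|
MODULUS = 0b1011       # t^3 + t + 1, irreducible over F_2


def gf_mul(a, b):
    """Product in F_8 = F_2[t]/(t^3 + t + 1); elements are 3-bit integers."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        b >>= 1
        a <<= 1
        if a & Q:
            a ^= MODULUS
    return result


def gf_pow(a, e):
    result = 1
    for _ in range(e):
        result = gf_mul(result, a)
    return result


def trace(a):
    """tr(a) = a + a^2 + a^4, the trace from F_8 onto F_2."""
    return a ^ gf_mul(a, a) ^ gf_pow(a, 4)


def quotient(x, y):
    """x / y with the convention x / 0 = 0, computed as x * y^(2^M - 2)
    exactly as in the definition of PS_ap."""
    return gf_mul(x, gf_pow(y, Q - 2))


def dillon(g):
    """Truth table of f(x, y) = g(x / y), the pair (x, y) stored at x + Q*y."""
    return [g[quotient(x, y)] for y in range(Q) for x in range(Q)]


def swapped(g):
    """Truth table of (x, y) -> g(y / x), the dual claimed in the text."""
    return [g[quotient(y, x)] for y in range(Q) for x in range(Q)]


def sum_of_line_indicators(g):
    """f as the mod-2 sum of the indicators of the lines x = c*y, c in supp(g):
    2^(n/2-1) lines, none of them x = 0 or y = 0 (the PS^- description).
    The complement is then the sum of the other 2^(n/2-1) + 1 lines."""
    table = [0] * (Q * Q)
    for c in (c for c in range(Q) if g[c]):
        for y in range(Q):
            table[gf_mul(c, y) + Q * y] ^= 1
    return table


def walsh_trace(f):
    """Walsh transform for the inner product (a, b).(x, y) = tr(ax) + tr(by);
    the coefficient (a, b) is stored at a + Q*b."""
    return [sum(1 - 2 * (f[x + Q * y] ^ trace(gf_mul(a, x)) ^ trace(gf_mul(b, y)))
                for y in range(Q) for x in range(Q))
            for b in range(Q) for a in range(Q)]


def is_bent(f):
    return all(abs(w) == Q for w in walsh_trace(f))   # +-2^(n/2) with n/2 = M


def dual(f):
    return [0 if w == Q else 1 for w in walsh_trace(f)]


G = [0, 1, 0, 1, 1, 0, 1, 0]            # balanced on F_8, g(0) = 0: f in PS^-
G_COMPLEMENT = [1 - v for v in G]       # balanced, g(0) = 1: f in PS^+

if __name__ == "__main__":
    f = dillon(G)
    print("weight", sum(f), "bent", is_bent(f), "dual is g(y/x):", dual(f) == swapped(G))
    print("sum of 4 line indicators:", sum_of_line_indicators(G) == f)
    fc = dillon(G_COMPLEMENT)
    print("complement weight", sum(fc), "bent", is_bent(fc))
```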

3. Dobbertin gives in [107] the construction of a class of bent functions that contains both $\mathcal{PS}_{ap}$ and $\mathcal{M}$. The elements of this class are the functions $f$ defined by $f(x, \phi(y)) = g\left(\frac{x + \psi(y)}{y}\right)$, where $g$ is a balanced Boolean function on $F_{2^{n/2}}$ and $\phi, \psi$ are two mappings from $F_{2^{n/2}}$ to itself such that, if $T$ denotes the affine subspace of $F_{2^{n/2}}$ spanned by the support of the function $\widehat{g_\chi}$ (where $g_\chi = (-1)^g$), then, for any $a$ in $F_{2^{n/2}}$, the functions $\phi$ and $\psi$ are affine on $aT = \{ax,\ x \in T\}$. The mapping $\phi$ must additionally be one to one. The proof of the bentness of such functions cannot be given here because of length constraints. The elements of this class do not have an explicit form, but Dobbertin gives two explicit examples of bent functions constructed this way. In both, $\phi$ is a power function (see below).

$^{24}$ Let $\omega$ be an element of $F_{2^n} \setminus F_{2^{n/2}}$; the pair $(1, \omega)$ is a basis of the $F_{2^{n/2}}$-vectorspace $F_{2^n}$; hence, we have $F_{2^n} = F_{2^{n/2}} + \omega F_{2^{n/2}}$.

The bent sequences given in [262] are particular cases of the constructions given above (using also some of the secondary constructions given below). Homogeneous bent functions (i.e. bent functions whose ANFs are the sums of monomials of the same degree) on 12 (and less) variables are constructed in [81] by using invariant theory (which makes the computer searches feasible).

4. If $n/2$ is odd, then it is possible to deduce a bent Boolean function on $F_2^n$ from any almost bent function from $F_2^{n/2}$ to $F_2^{n/2}$. The definition of almost bent functions, the description of the related Boolean function and the proof of its bentness are given in the chapter "Vectorial Boolean Functions for Cryptography".

5. Some infinite classes of bent functions have also been obtained, thanks to the identification between the vectorspace $F_2^n$ and the field $F_{2^n}$, as power functions, that is, functions of the form $tr(ax^i)$, $a \ne 0$, where $tr$ is the trace function on $F_{2^n}$ and where $a$ and $x$ belong to this same field. And some are defined as the sums of a few power functions; see [35, 104, 106, 175, 176]. Power functions are also called monomial functions. They represent for the designer of the cryptosystem using them the interest of being more easily computable than general functions (which allows using them with more variables while keeping a good efficiency). They have the peculiarity that, denoting the image $\{x^i;\ x \in F_{2^n}\}$ of the power mapping $x \mapsto x^i$ by $U$, two functions $tr(ax^i)$ and $tr(bx^i)$ such that $a/b \in U$ are linearly equivalent. In particular, if the power mapping is a permutation, i.e. if $\gcd(i, 2^n - 1) = 1$, then all the power functions with the same exponent are linearly equivalent. It is not clear whether this is more an advantage for the designer or for the attacker.
Obviously, a power function $tr(ax^i)$ can be bent only if the mapping $x \mapsto x^i$ is not one to one (otherwise, the function would be balanced, a contradiction), that is, if $i$ is not co-prime with $2^n - 1$. It has been proved in [31] that $i$ must be co-prime either with $2^{n/2} - 1$ or with $2^{n/2} + 1$. The exponents of the known classes of power bent functions are multiples of $2^{n/2} - 1$ (this corresponds to the $\mathcal{PS}_{ap}$ class), or equal $2^{2k} - 2^k + 1$ with $\gcd(k, n) = 1$ (these are the so-called Kasami functions), or equal $2^i + 1$ with $\frac{n}{\gcd(n, i)}$ even (Gold functions), $(2^{n/4} + 1)^2$ with $n$ divisible by 4 (Leander functions) or $2^{n/3} + 2^{n/6} + 1$ with $n$ divisible by 6 (Canteaut-Charpin-Kyureghyan functions). The three last cases enter in fact in the Maiorana-McFarland completed class.

6.4.2 Secondary constructions

1. The first secondary construction given by J. Dillon and O. Rothaus in [104, 231] is very simple: let $f$ be a bent function on $F_2^n$ ($n$ even) and $g$ a bent function on $F_2^m$ ($m$ even); then the function $h$ defined on $F_2^{n+m}$ by $h(x, y) = f(x) \oplus g(y)$ is bent. Indeed, we have clearly $\widehat{h_\chi}(a, b) = \widehat{f_\chi}(a) \times \widehat{g_\chi}(b)$. This construction has unfortunately no great interest from a cryptographic point of view, since it produces decomposable functions (a Boolean function is called decomposable if it is equivalent to the sum of two functions that depend on two disjoint subsets of coordinates; such property is easy to detect and can be used for designing divide-and-conquer attacks).

2. A more interesting result, by the same authors, is the following: if $g$, $h$, $k$ and $g \oplus h \oplus k$ are bent on $F_2^n$ ($n$ even), then the function defined at every element $(x_1, x_2, x)$ of $F_2^{n+2}$ ($x_1, x_2 \in F_2$, $x \in F_2^n$) by:
$$f(x_1, x_2, x) = g(x)h(x) \oplus g(x)k(x) \oplus h(x)k(x) \oplus [g(x) \oplus h(x)]\, x_1 \oplus [g(x) \oplus k(x)]\, x_2 \oplus x_1 x_2$$
is bent (this is a particular case of Theorem 3). No general class of bent functions has been deduced from this construction.
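The two secondary constructions above, as an added example that is not code from the chapter: the direct sum $h(x, y) = f(x) \oplus g(y)$ with its product Walsh spectrum, and the Dillon-Rothaus $(n+2)$-variable function built from three constructed 4-variable quadratic bent functions $g$, $h$, $k$ whose sum $g \oplus h \oplus k$ (the elementary symmetric function of degree 2, of weight 10) is also bent.

```python
"""The two Dillon-Rothaus secondary constructions of 6.4.2, checked on
constructed 2- and 4-variable bent functions: the direct sum h(x, y) = f(x) + g(y)
(with hat(h_chi)(a, b) = hat(f_chi)(a) hat(g_chi)(b)) and the (n+2)-variable
function built from g, h, k with g + h + k bent.  Added example, not code
from the chapter.  Truth tables are indexed by the integer whose i-th binary
digit (least significant first) is x_i."""


def coord(x, i):
    return (x >> (i - 1)) & 1


def dot(a, b):
    return bin(a & b).count("1") & 1


def walsh(f):
    size = len(f)
    return [sum(1 - 2 * (f[x] ^ dot(u, x)) for x in range(size)) for u in range(size)]


def is_bent(f):
    n = len(f).bit_length() - 1
    return n % 2 == 0 and all(abs(w) == 2 ** (n // 2) for w in walsh(f))


def xor(*fs):
    return [sum(values) & 1 for values in zip(*fs)]


def direct_sum(f, g):
    """h(x, y) = f(x) + g(y) on F_2^(n+m); the pair (x, y) stored at x + len(f)*y."""
    return [fx ^ gy for gy in g for fx in f]


def walsh_product_holds(f, g):
    """hat(h_chi)(a, b) = hat(f_chi)(a) * hat(g_chi)(b) for h = direct_sum(f, g)."""
    wf, wg = walsh(f), walsh(g)
    return walsh(direct_sum(f, g)) == [wa * wb for wb in wg for wa in wf]


def rothaus(g, h, k):
    """f(x1, x2, x) = gh + gk + hk + [g + h] x1 + [g + k] x2 + x1 x2 on F_2^(n+2),
    the point (x1, x2, x) stored at x1 + 2*x2 + 4*x."""
    table = []
    for x in range(len(g)):
        majority = (g[x] & h[x]) ^ (g[x] & k[x]) ^ (h[x] & k[x])
        for x2 in (0, 1):
            for x1 in (0, 1):
                table.append(majority ^ ((g[x] ^ h[x]) & x1)
                             ^ ((g[x] ^ k[x]) & x2) ^ (x1 & x2))
    return table


def quadratic4(i, j, k, l):
    """x_i x_j + x_k x_l on F_2^4."""
    return [coord(x, i) & coord(x, j) ^ coord(x, k) & coord(x, l) for x in range(16)]


# Constructed 4-variable inputs: three quadratic bent functions whose sum is
# the elementary symmetric function of degree 2 (weight 10 = 2^3 + 2, hence
# bent by Alinea 1 of Subsection 6.2), and the 2-variable bent function x1 x2.
G4 = quadratic4(1, 2, 3, 4)
H4 = quadratic4(1, 3, 2, 4)
K4 = quadratic4(1, 4, 2, 3)
B2 = [0, 0, 0, 1]

if __name__ == "__main__":
    print("g, h, k, g+h+k bent:", is_bent(G4), is_bent(H4), is_bent(K4), is_bent(xor(G4, H4, K4)))
    print("Rothaus 6-variable function bent:", is_bent(rothaus(G4, H4, K4)))
    print("direct sum bent:", is_bent(direct_sum(G4, B2)), "Walsh product:", walsh_product_holds(G4, B2))
```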

3. Two classes of bent functions have been derived in [45] from Maiorana-McFarland's class, by adding to some functions of this class the indicators of some vector subspaces:
- the class $\mathcal{D}_0$ whose elements are the functions of the form $f(x, y) = x \cdot \pi(y) \oplus \delta_0(x)$ (recall that $\delta_0$ is the Dirac symbol; the ANF of $\delta_0(x)$ is $\prod_{i=1}^{n/2} (x_i \oplus 1)$). The dual of such a function $f$ is the function $y \cdot \pi^{-1}(x) \oplus \delta_0(y)$. It is proved in [45] that this class is not included in the completed versions of classes $\mathcal{M}$ and $\mathcal{PS}$ (i.e. the smallest possible classes including them). Class $\mathcal{D}_0$ is a subclass of the class denoted by $\mathcal{D}$, whose elements are the functions of the form $f(x, y) = x \cdot \pi(y) \oplus 1_{E_1}(x)\,1_{E_2}(y)$, where $\pi$ is any permutation on $\mathbb{F}_2^{n/2}$ and where $E_1, E_2$ are two linear subspaces of $\mathbb{F}_2^{n/2}$ such that $\pi(E_2) = E_1^\perp$ ($1_{E_1}$ and $1_{E_2}$ denote their indicators). The dual of $f$ belongs to the completed version of this same class;
- the class $\mathcal{C}$ of all the functions of the form $x \cdot \pi(y) \oplus 1_L(x)$, where $L$ is any linear subspace of $\mathbb{F}_2^{n/2}$ and $\pi$ any permutation on $\mathbb{F}_2^{n/2}$ such that, for any element $a$ of $\mathbb{F}_2^{n/2}$, the set $\pi^{-1}(a + L^\perp)$ is a flat. It is a simple matter to see, as shown in [36], that, under the same hypothesis on $\pi$, if $g$ is a Boolean function whose restriction to every flat $\pi^{-1}(a + L^\perp)$ is affine, then the function $x \cdot \pi(y) \oplus 1_L(x) \oplus g(y)$ is also bent.
The fact that any function in class $\mathcal{D}$ or class $\mathcal{C}$ is bent comes from the following theorem proved in [45], which has its own interest:

Theorem 2 Let $b + E$ be any flat in $\mathbb{F}_2^n$ ($E$ is a linear subspace of $\mathbb{F}_2^n$). Let $f$ be any bent function on $\mathbb{F}_2^n$. The function $f^\star = f \oplus 1_{b+E}$ is bent if and only if one of the following equivalent conditions is satisfied:

1. For any $a$ in $\mathbb{F}_2^n \setminus E$, the function $D_a f$ is balanced on $b + E$;

2. The restriction of the function $\tilde f(x) \oplus b \cdot x$ to any coset of $E^\perp$ is either constant or balanced.

If $f$ and $f^\star$ are bent, then $E$ has dimension greater than or equal to $n/2$ and the algebraic degree of the restriction of $f$ to $b + E$ is at most $\dim(E) - n/2 + 1$.
If $f$ is bent, if $E$ has dimension $n/2$, and if the restriction of $f$ to $b + E$ has algebraic degree at most $\dim(E) - n/2 + 1 = 1$, i.e. is affine, then conversely $f^\star$ is bent too.

Proof. Recall that a function is bent if and only if it satisfies $PC(n)$. The equivalence between Condition 1. and the bentness of $f^\star$ comes then from the fact that $\mathcal{F}(D_a f^\star)$ equals $\mathcal{F}(D_a f)$ if $a \in E$, and equals $\mathcal{F}(D_a f) - 4 \sum_{x \in b+E} (-1)^{D_a f(x)}$ otherwise.
We have $\widehat{f_\chi}(a) - \widehat{f^\star_\chi}(a) = 2 \sum_{x \in b+E} (-1)^{f(x) \oplus a \cdot x}$. Using Relation (41), applied with $E^\perp$ in the place of $E$, we deduce that for every $a \in \mathbb{F}_2^n$:
$$\sum_{u \in a + E^\perp} (-1)^{\tilde f(u) \oplus b \cdot u} = 2^{\dim(E^\perp) - n/2 - 1} (-1)^{a \cdot b} \left( \widehat{f_\chi}(a) - \widehat{f^\star_\chi}(a) \right),$$
and $\widehat{f_\chi}(a) - \widehat{f^\star_\chi}(a)$ can take value 0 or $\pm 2^{n/2+1}$ if and only if Condition 2. is satisfied. So Condition 2. is necessary. It is also sufficient, according to Lemma 2.
Let us now assume that $f$ and $f^\star$ are bent. Then $1_{b+E} = f^\star \oplus f$ has algebraic degree at most $n/2$, according to Rothaus' bound, and thus $\dim(E) \geq n/2$. The values of the Walsh transform of the restriction of $f$ to $b + E$ being equal to those of $\frac{1}{2}\left( \widehat{f_\chi} - \widehat{f^\star_\chi} \right)$, they are divisible by $2^{n/2}$ and thus the restriction of $f$ to $b + E$ has algebraic degree at most $\dim(E) - n/2 + 1$, according to Proposition 9.
If $f$ is bent, if $E$ has dimension $n/2$, and if the restriction of $f$ to $b + E$ is affine, then the relation $\widehat{f_\chi}(a) - \widehat{f^\star_\chi}(a) = 2 \sum_{x \in b+E} (-1)^{f(x) \oplus a \cdot x}$ shows that $f^\star$ is bent too, according to Lemma 2. $\square$

Remarks.
- Relation (41) applied to $E^\perp$ in the place of $E$, where $E$ is some $n/2$-dimensional subspace, shows straightforwardly that, if $f$ is a bent function on $\mathbb{F}_2^n$, then $f(x) \oplus a \cdot x$ is constant on $b + E$ if and only if $\tilde f(x) \oplus b \cdot x$ is constant on $a + E^\perp$. The same relation shows that $f(x) \oplus a \cdot x$ is then balanced on every other coset of $E$ and $\tilde f(x) \oplus b \cdot x$ is balanced on every other coset of $E^\perp$. Notice that Relation (41) shows also that $f(x) \oplus a \cdot x$ cannot be constant on a flat of dimension strictly greater than $n/2$ (i.e. that $f$ cannot be $k$-weakly-normal with $k > n/2$).
- Let $f$ be bent on $\mathbb{F}_2^n$. Let $a$ and $a'$ be two linearly independent elements of $\mathbb{F}_2^n$. Let us denote by $E$ the orthogonal of the subspace spanned by $a$ and $a'$. According to condition 2. of Theorem 2, the function $f \oplus 1_E$ is bent if and only if $D_a D_{a'} \tilde f$ is null (indeed, a 2-variable function is constant or balanced if and only if it has even weight, and $\tilde f$ has even weight on any coset of the vector subspace spanned by $a$ and $a'$ if and only if, for every vector $x$, we have $\tilde f(x) \oplus \tilde f(x + a) \oplus \tilde f(x + a') \oplus \tilde f(x + a + a') = 0$). This result has been restated in [34] and used in [36] to design (potentially) new bent functions.
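As an added illustration (example code, not from the chapter or its references), the following Python checks Theorem 2 and the class $\mathcal{D}_0$ exhaustively on $n = 6$ variables: it builds $f(x, y) = x \cdot \pi(y)$ for a constructed permutation $\pi$ of $\mathbb{F}_2^3$, takes the flat $b + E$ with $b = 0$ and $E = \{(0, y)\}$ (so $1_{b+E}(x, y) = \delta_0(x)$), and verifies from Walsh transforms that $f^\star = f \oplus \delta_0(x)$ is bent with dual $y \cdot \pi^{-1}(x) \oplus \delta_0(y)$, and that Conditions 1 and 2 of the theorem hold for this flat. All names (`PI`, `mm`, `d0_function`, ...) and the encoding of $(x, y)$ as the integer $8x + y$ are this example's own choices.

```python
# Added example: Theorem 2 and class D0 checked exhaustively on n = 6 variables.
# Conventions: a Boolean function is a truth table (list of 0/1) indexed by the
# integer whose bits are the coordinates; a pair (x, y) in F_2^3 x F_2^3 is
# encoded as x*Q + y, so the Walsh/dual index a*Q + b stands for the pair (a, b).

K = 3                 # n/2
N = 2 * K             # n = 6
Q = 1 << K            # |F_2^{n/2}| = 8

def dot(u, v):
    """Inner product u . v over F_2 (parity of the bitwise AND)."""
    return bin(u & v).count("1") & 1

def walsh(f, n):
    """Walsh transform: sum_x (-1)^{f(x) + u.x} for every u in F_2^n."""
    return [sum(1 - 2 * (f[x] ^ dot(u, x)) for x in range(1 << n)) for u in range(1 << n)]

def is_bent(f, n):
    """f is bent iff every Walsh value is +-2^{n/2}."""
    return all(abs(v) == 1 << (n // 2) for v in walsh(f, n))

def dual(f, n):
    """Dual f~ of a bent f, defined by Walsh(f)(u) = 2^{n/2} (-1)^{f~(u)}."""
    return [0 if v > 0 else 1 for v in walsh(f, n)]

# Constructed permutation of F_2^3 (any permutation gives the same conclusions).
PI = [3, 6, 0, 5, 1, 7, 2, 4]
PI_INV = [PI.index(v) for v in range(Q)]

def mm(pi):
    """Maiorana-McFarland function f(x, y) = x . pi(y)."""
    return [dot(x, pi[y]) for x in range(Q) for y in range(Q)]

def d0_function(pi):
    """Class D0 element f* = f + 1_{b+E} with b = 0, E = {(0, y)}: x . pi(y) + delta_0(x)."""
    return [dot(x, pi[y]) ^ (1 if x == 0 else 0) for x in range(Q) for y in range(Q)]

def claimed_dual_d0(pi_inv):
    """The dual stated for class D0, y . pi^{-1}(x) + delta_0(y), in (a, b) coordinates."""
    return [dot(b, pi_inv[a]) ^ (1 if b == 0 else 0) for a in range(Q) for b in range(Q)]

def condition1_holds(f):
    """Theorem 2, condition 1: for every a not in E, D_a f is balanced on b + E = E.
    With E = {(0, y)}, a = (a1, a2) lies outside E exactly when a1 != 0, and
    D_a f(0, y) = f(a1, y + a2) + f(0, y)."""
    for a1 in range(1, Q):
        for a2 in range(Q):
            vals = [f[a1 * Q + (y ^ a2)] ^ f[y] for y in range(Q)]
            if sum(vals) != Q // 2:
                return False
    return True

def condition2_holds(f):
    """Theorem 2, condition 2 with b = 0: f~ restricted to every coset of
    E^perp = {(a, 0)} (the cosets are {(a, b0) : a} for fixed b0) is constant or balanced."""
    ft = dual(f, N)
    for b0 in range(Q):
        weight = sum(ft[a * Q + b0] for a in range(Q))
        if weight not in (0, Q // 2, Q):
            return False
    return True

if __name__ == "__main__":
    f = mm(PI)
    f_star = d0_function(PI)
    print("f bent:", is_bent(f, N), " f* bent:", is_bent(f_star, N))
    print("condition 1:", condition1_holds(f), " condition 2:", condition2_holds(f))
    print("dual of f* is y.pi^-1(x)+delta_0(y):", dual(f_star, N) == claimed_dual_d0(PI_INV))
```

`condition1_holds` and `condition2_holds` test the theorem's two conditions directly on $f$ and on $\tilde f$ without ever forming $f^\star$; the last check then confirms the stated dual of the $\mathcal{D}_0$ function by brute force.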

4. Other classes of bent functions have been deduced from a construction given in [48], which generalizes the secondary constructions given in 1 and 2 above:

Theorem 3 Let $n$ and $m$ be two even positive integers. Let $f$ be a Boolean function on $\mathbb{F}_2^{n+m} = \mathbb{F}_2^n \times \mathbb{F}_2^m$ such that, for any element $y$ of $\mathbb{F}_2^m$, the function on $\mathbb{F}_2^n$:
$$f_y : x \mapsto f(x, y)$$
is bent. Then $f$ is bent if and only if, for any element $s$ of $\mathbb{F}_2^n$, the function
$$\varphi_s : y \mapsto \widetilde{f_y}(s)$$
is bent on $\mathbb{F}_2^m$. If this condition is satisfied, then the dual of $f$ is the function $\tilde f(s, t) = \widetilde{\varphi_s}(t)$ (taking as inner product in $\mathbb{F}_2^n \times \mathbb{F}_2^m$: $(x, y) \cdot (s, t) = x \cdot s \oplus y \cdot t$).

This very general result is, in fact, easy to prove, using that, for every $s \in \mathbb{F}_2^n$,
$$\sum_{x \in \mathbb{F}_2^n} (-1)^{f(x, y) \oplus x \cdot s} = 2^{n/2} (-1)^{\widetilde{f_y}(s)} = 2^{n/2} (-1)^{\varphi_s(y)},$$
and thus that
$$\widehat{f_\chi}(s, t) = 2^{n/2} \sum_{y \in \mathbb{F}_2^m} (-1)^{\varphi_s(y) \oplus y \cdot t}.$$

This construction has also been considered by Adams and Tavares [1] under the name of bent-based functions, and later studied by J. Seberry and X.-M. Zhang in [240] in particular cases.
A particular case of this construction is nicely simple: let $f_1$ and $f_2$ be two $n$-variable bent functions ($n$ even) and let $g_1$ and $g_2$ be two $m$-variable bent functions ($m$ even). Define $h(x, y) = f_1(x) \oplus g_1(y) \oplus (f_1 \oplus f_2)(x)\,(g_1 \oplus g_2)(y)$, $x \in \mathbb{F}_2^n$, $y \in \mathbb{F}_2^m$ (this construction $(f_1, f_2, g_1, g_2) \mapsto h$ will appear again below to construct resilient functions; see Theorem 8). For every $y$, $h_y$ equals $f_1$ plus a constant or $f_2$ plus a constant (depending on the value of $y$) and thus is bent; and $\varphi_s$ equals $g_1$ plus a constant or $g_2$ plus a constant (depending on the value of $s$), and thus is bent too. According to Theorem 3, $h$ is then bent. Its dual $\tilde h$ can be obtained from $\tilde f_1$, $\tilde f_2$, $\tilde g_1$ and $\tilde g_2$ exactly in the same manner as $h$ is obtained from $f_1$, $f_2$, $g_1$ and $g_2$. What is interesting in this particular case is that we only assume the bentness of $f_1$, $f_2$, $g_1$ and $g_2$ for deducing the bentness of $h$; no extra condition is needed, contrary to the general construction.
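The construction $(f_1, f_2, g_1, g_2) \mapsto h$ just described (restated with its explicit dual in item 4 below, following [58]) can be verified by brute force. The following Python is an added example, not code from the chapter: it takes four constructed 4-variable Maiorana-McFarland bent functions, builds $h$ on 8 variables, checks that $h$ is bent, that $\tilde h$ is obtained from $\tilde f_1, \tilde f_2, \tilde g_1, \tilde g_2$ by the same formula, and that the case $f_1 = f_2$ collapses to the Dillon-Rothaus direct sum of item 1. Function names and the encoding of $(x, y)$ as the integer $16x + y$ are this example's own.

```python
# Added example: h(x, y) = f1(x) + g1(y) + (f1+f2)(x)(g1+g2)(y) built from four bent
# functions, checked on r = s = 4 (h has 8 variables, 256 inputs).
# Truth tables are lists indexed by the integer whose bits are the coordinates;
# the pair (x, y) in F_2^r x F_2^s is encoded as x * 2^s + y.

def dot(u, v):
    """Inner product over F_2."""
    return bin(u & v).count("1") & 1

def walsh(f, n):
    """Walsh transform of an n-variable truth table."""
    return [sum(1 - 2 * (f[x] ^ dot(u, x)) for x in range(1 << n)) for u in range(1 << n)]

def is_bent(f, n):
    return all(abs(v) == 1 << (n // 2) for v in walsh(f, n))

def dual(f, n):
    """Dual of a bent function: Walsh(f)(u) = 2^{n/2} (-1)^{dual(u)}."""
    return [0 if v > 0 else 1 for v in walsh(f, n)]

def mm4(pi, g):
    """4-variable Maiorana-McFarland function x . pi(y) + g(y), x, y in F_2^2."""
    return [dot(x, pi[y]) ^ g[y] for x in range(4) for y in range(4)]

def combine(f1, f2, g1, g2, r, s):
    """h(x, y) = f1(x) + g1(y) + (f1 + f2)(x) (g1 + g2)(y)."""
    return [f1[x] ^ g1[y] ^ ((f1[x] ^ f2[x]) & (g1[y] ^ g2[y]))
            for x in range(1 << r) for y in range(1 << s)]

# Constructed bent inputs (any four bent functions would do).
F1 = mm4([0, 1, 2, 3], [0, 0, 0, 0])
F2 = mm4([1, 3, 0, 2], [0, 1, 1, 0])
G1 = mm4([2, 0, 3, 1], [1, 0, 0, 1])
G2 = mm4([0, 2, 1, 3], [0, 0, 1, 0])
R = S = 4

def construction_is_bent():
    """Theorem 3, particular case: h is bent with no condition beyond bentness of the inputs."""
    return is_bent(combine(F1, F2, G1, G2, R, S), R + S)

def dual_matches_claim():
    """The dual of h is obtained from the duals of f1, f2, g1, g2 by the same formula."""
    h_dual = dual(combine(F1, F2, G1, G2, R, S), R + S)
    claimed = combine(dual(F1, R), dual(F2, R), dual(G1, S), dual(G2, S), R, S)
    return h_dual == claimed

def direct_sum_is_bent():
    """With f1 = f2 the construction is the Dillon-Rothaus direct sum f1(x) + g1(y)."""
    return is_bent(combine(F1, F1, G1, G2, R, S), R + S)

if __name__ == "__main__":
    print("h bent:", construction_is_bent())
    print("dual formula holds:", dual_matches_claim())
    print("direct sum (f1 = f2) bent:", direct_sum_is_bent())
```

Computing the dual twice, once from the Walsh transform of $h$ and once from the four small duals, is what makes the second check meaningful: the two lists agree on all 256 positions only if the stated dual formula is right.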
Several classes have been deduced from Theorem 3 in [48], and later in [143].
- Let $n$ and $m$ be two even positive integers. The elements of $\mathbb{F}_2^{n+m}$ are written $(x, y, z, \tau)$, where $x, y$ are elements of $\mathbb{F}_2^{n/2}$ and $z, \tau$ are elements of $\mathbb{F}_2^{m/2}$. Let $\pi$ and $\pi'$ be permutations on $\mathbb{F}_2^{n/2}$ and $\mathbb{F}_2^{m/2}$ (respectively) and $h$ a Boolean function on $\mathbb{F}_2^{m/2}$. Then, the following Boolean function on $\mathbb{F}_2^{n+m}$ is bent:
$$f(x, y, z, \tau) = x \cdot \pi(y) \oplus z \cdot \pi'(\tau) \oplus \delta_0(x)\,h(\tau)$$
(recall that $\delta_0(x)$ equals 1 if $x = 0$ and is null otherwise). It is possible to prove, see [48], that such a function does not belong, in general, to the completed version of class $\mathcal{M}$. It is also easy to prove that $f$ does not belong, in general, to the completed version of class $\mathcal{D}_0$, since any element of $\mathcal{D}_0$ has algebraic degree $\frac{n+m}{2}$, and it is a simple matter to produce examples of functions $f$ whose algebraic degree is smaller than $\frac{n+m}{2}$.
- Let $n$ and $m$ be two even positive integers. We identify $\mathbb{F}_2^{n/2}$ (resp. $\mathbb{F}_2^{m/2}$) with the Galois field $\mathbb{F}_{2^{n/2}}$ (resp. with $\mathbb{F}_{2^{m/2}}$). Let $k$ be a Boolean function on $\mathbb{F}_{2^{n/2}} \times \mathbb{F}_{2^{m/2}}$ such that, for any element $x$ of $\mathbb{F}_{2^{n/2}}$, the function $z \mapsto k(x, z)$ is balanced on $\mathbb{F}_{2^{m/2}}$, and for any element $z$ of $\mathbb{F}_{2^{m/2}}$, the function $x \mapsto k(x, z)$ is balanced on $\mathbb{F}_{2^{n/2}}$. Then the function
$$f(x, y, z, \tau) = k\left( \frac{x}{y}, \frac{z}{\tau} \right)$$
is bent on $\mathbb{F}_2^{n+m}$.
- Let $r$ be a positive integer. We identify $\mathbb{F}_2^r$ with $\mathbb{F}_{2^r}$. Let $\pi$ and $\pi'$ be two permutations on $\mathbb{F}_{2^r}$ and $g$ a balanced Boolean function on $\mathbb{F}_{2^r}$. The following Boolean function on $\mathbb{F}_2^{4r} = (\mathbb{F}_2^r)^4$:
$$f(x, y, z, \tau) = z \cdot \pi'\left( \tau + \pi\left( \frac{x}{y} \right) \right) \oplus \delta_0(z)\,g\left( \frac{x}{y} \right)$$
is a bent function.

More recently, a particular case of the construction given in Theorem 3 was pointed out in [58]: let $f_1$ and $f_2$ be two $r$-variable bent functions ($r$ even) and let $g_1$ and $g_2$ be two $s$-variable bent functions ($s$ even). Let us denote their duals by $\tilde f_1$, $\tilde f_2$, $\tilde g_1$ and $\tilde g_2$. Define$^{25}$
$$f(x, y) = f_1(x) \oplus g_1(y) \oplus (f_1 \oplus f_2)(x)\,(g_1 \oplus g_2)(y),$$
for every $x \in \mathbb{F}_2^r$ and $y \in \mathbb{F}_2^s$. Then, with no extra condition on $f_1$, $f_2$, $g_1$ and $g_2$, the function $f$ satisfies the hypothesis of Theorem 3 and its dual is
$$\tilde f(a, b) = \tilde f_1(a) \oplus \tilde g_1(b) \oplus (\tilde f_1 \oplus \tilde f_2)(a)\,(\tilde g_1 \oplus \tilde g_2)(b).$$
We see that $\tilde f$ can be obtained from $\tilde f_1$, $\tilde f_2$, $\tilde g_1$ and $\tilde g_2$ exactly in the same manner as $f$ is obtained from $f_1$, $f_2$, $g_1$ and $g_2$.

$^{25}$ $f$ is then the concatenation of the four functions $f_1$, $f_1 \oplus 1$, $f_2$ and $f_2 \oplus 1$, in an order controlled by $g_1(y)$ and $g_2(y)$.

5. X.-D. Hou and P. Langevin have made in [145] a very simple observation which leads to potentially new bent functions:
Proposition 25 Let $f$ be a Boolean function on $\mathbb{F}_2^n$, $n$ even. Let $\sigma$ be a permutation on $\mathbb{F}_2^n$. Denote its coordinate functions by $\sigma_1, \ldots, \sigma_n$. Assume that
$$d_H\left( f, \bigoplus_{i=1}^n a_i \sigma_i \right) = 2^{n-1} \pm 2^{n/2-1},\quad \forall a \in \mathbb{F}_2^n.$$
Then $f \circ \sigma^{-1}$ is bent.

Indeed, the Hamming distance between $f \circ \sigma^{-1}$ and the linear function $\ell_a(x) = a \cdot x$ equals $d_H(f, \bigoplus_{i=1}^n a_i \sigma_i)$.
Hou and Langevin deduced that, if $h$ is an affine function on $\mathbb{F}_2^n$, if $f_1$, $f_2$ and $g$ are Boolean functions on $\mathbb{F}_2^n$, and if the following function is bent:
$$f(x_1, x_2, x) = x_1 x_2 h(x) \oplus x_1 f_1(x) \oplus x_2 f_2(x) \oplus g(x),\quad x \in \mathbb{F}_2^n,\ x_1, x_2 \in \mathbb{F}_2,$$
then the function
$$f(x_1, x_2, x) \oplus (h(x) \oplus 1)\,f_1(x) f_2(x) \oplus f_1(x) \oplus (x_1 \oplus h(x) \oplus 1)\,f_2(x) \oplus x_2 h(x)$$
is bent.
They also deduced that, if $f$ is a bent function on $\mathbb{F}_2^n$ whose algebraic degree is at most 3, and if $\sigma$ is a permutation on $\mathbb{F}_2^n$ such that, for every $i = 1, \ldots, n$, there exists a subset $U_i$ of $\mathbb{F}_2^n$ and an affine function $h_i$ such that:
$$\sigma_i(x) = \bigoplus_{u \in U_i} \left( f(x) \oplus f(x + u) \right) \oplus h_i(x),$$
then $f \circ \sigma^{-1}$ is bent.
Finally, X.-D. Hou [143] deduced that if $f(x, y)$ ($x, y \in \mathbb{F}_2^{n/2}$) is a Maiorana-McFarland's function of the particular form $x \cdot y \oplus g(y)$ and if $\sigma_1, \ldots, \sigma_n$ are all of the form $\bigoplus_{1 \leq i < j \leq n/2} a_{i,j} x_i y_j \oplus b \cdot x \oplus c \cdot y \oplus h(y)$, then $f \circ \sigma^{-1}$ is bent. He gave several examples of application of this result.

6. A binary secondary construction without extension of the number of variables was introduced in [61]. It is based on the following result:

Proposition 26 Let $f_1$, $f_2$ and $f_3$ be three Boolean functions on $\mathbb{F}_2^n$. Denote by $s_1$ the Boolean function equal to $f_1 \oplus f_2 \oplus f_3$ and by $s_2$ the Boolean function equal to $f_1 f_2 \oplus f_1 f_3 \oplus f_2 f_3$. Then we have $f_1 + f_2 + f_3 = s_1 + 2 s_2$. This implies the following equality between the Fourier transforms: $\hat f_1 + \hat f_2 + \hat f_3 = \hat s_1 + 2 \hat s_2$ and the similar equality between the Walsh transforms:
$$\widehat{f_{1\chi}} + \widehat{f_{2\chi}} + \widehat{f_{3\chi}} = \widehat{s_{1\chi}} + 2\,\widehat{s_{2\chi}}. \quad (45)$$

Proof. The fact that $f_1 + f_2 + f_3 = s_1 + 2 s_2$ (the sums being computed in $\mathbb{Z}$ and not modulo 2) can be checked easily. The linearity of the Fourier transform with respect to the addition in $\mathbb{Z}$ implies then $\hat f_1 + \hat f_2 + \hat f_3 = \hat s_1 + 2 \hat s_2$. The equality $f_1 + f_2 + f_3 = s_1 + 2 s_2$ also directly implies $f_{1\chi} + f_{2\chi} + f_{3\chi} = s_{1\chi} + 2 s_{2\chi}$, thanks to the equality $f_\chi = 1 - 2f$ valid for every Boolean function, which implies Relation (45). $\square$

Proposition 26 leads to the following double construction of bent functions:

Corollary 4 Let $f_1$, $f_2$ and $f_3$ be three $n$-variable bent functions, $n$ even. Denote by $s_1$ the function $f_1 \oplus f_2 \oplus f_3$ and by $s_2$ the function $f_1 f_2 \oplus f_1 f_3 \oplus f_2 f_3$. Then:
- if $s_1$ is bent and if $\tilde s_1 = \tilde f_1 \oplus \tilde f_2 \oplus \tilde f_3$, then $s_2$ is bent, and $\tilde s_2 = \tilde f_1 \tilde f_2 \oplus \tilde f_1 \tilde f_3 \oplus \tilde f_2 \tilde f_3$;
- if $\widehat{s_{2\chi}}(a)$ is divisible by $2^{n/2}$ for every $a$ (e.g. if $s_2$ is bent, or if it is quadratic, or more generally if it is plateaued; see the definition at Subsection 6.8), then $s_1$ is bent.

Proof. - If $s_1$ is bent and if $\tilde s_1 = \tilde f_1 \oplus \tilde f_2 \oplus \tilde f_3$, then, for every $a$, Relation (45) implies:
$$\widehat{s_{2\chi}}(a) = \left[ (-1)^{\tilde f_1(a)} + (-1)^{\tilde f_2(a)} + (-1)^{\tilde f_3(a)} - (-1)^{\tilde f_1(a) \oplus \tilde f_2(a) \oplus \tilde f_3(a)} \right] 2^{\frac{n-2}{2}} = (-1)^{\tilde f_1(a)\tilde f_2(a) \oplus \tilde f_1(a)\tilde f_3(a) \oplus \tilde f_2(a)\tilde f_3(a)}\, 2^{n/2}.$$
- If $\widehat{s_{2\chi}}(a)$ is divisible by $2^{n/2}$ for every $a$, then the number $\widehat{s_{1\chi}}(a)$, which is equal to $\left[ (-1)^{\tilde f_1(a)} + (-1)^{\tilde f_2(a)} + (-1)^{\tilde f_3(a)} \right] 2^{n/2} - 2\,\widehat{s_{2\chi}}(a)$, according to Relation (45), is congruent with $2^{n/2}$ modulo $2^{n/2+1}$ for every $a$. This is sufficient to imply that $s_1$ is bent, according to Lemma 2. $\square$
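Proposition 26 and both bullets of Corollary 4 can be checked on a concrete triple. The following Python is an added example (not the chapter's code): it takes three constructed Maiorana-McFarland functions $f_i(x, y) = x \cdot y \oplus g_i(y)$ on 6 variables, which share the permutation $\pi = \mathrm{id}$ so that $s_1$ is bent and $\tilde s_1 = \tilde f_1 \oplus \tilde f_2 \oplus \tilde f_3$ holds automatically, and verifies the integer identity $f_1 + f_2 + f_3 = s_1 + 2 s_2$, Relation (45), and the bentness and dual of $s_2$. Names and the encoding of $(x, y)$ as the integer $8x + y$ are this example's own.

```python
# Added example: Proposition 26 and Corollary 4 checked on three bent functions
# of n = 6 variables. Truth tables are lists indexed by the integer whose bits
# are the coordinates; (x, y) in F_2^3 x F_2^3 is encoded as x*8 + y.

N = 6
Q = 8

def dot(u, v):
    return bin(u & v).count("1") & 1

def walsh(f, n):
    return [sum(1 - 2 * (f[x] ^ dot(u, x)) for x in range(1 << n)) for u in range(1 << n)]

def is_bent(f, n):
    return all(abs(v) == 1 << (n // 2) for v in walsh(f, n))

def dual(f, n):
    """Dual of a bent function: Walsh(f)(u) = 2^{n/2} (-1)^{dual(u)}."""
    return [0 if v > 0 else 1 for v in walsh(f, n)]

def xor3(f1, f2, f3):
    """s1 = f1 + f2 + f3 (mod 2)."""
    return [a ^ b ^ c for a, b, c in zip(f1, f2, f3)]

def maj3(f1, f2, f3):
    """s2 = f1 f2 + f1 f3 + f2 f3 (mod 2), the majority of the three values."""
    return [(a & b) ^ (a & c) ^ (b & c) for a, b, c in zip(f1, f2, f3)]

def mm_identity(g):
    """Maiorana-McFarland function x . y + g(y) with pi = identity (bent for every g)."""
    return [dot(x, y) ^ g[y] for x in range(Q) for y in range(Q)]

# Constructed inputs: three MM functions sharing pi = identity and differing by
# g1, g2, g3. Their duals are f~_i(a, b) = a . b + g_i(a), so s1 = x . y + (g1+g2+g3)(y)
# is bent and s1~ = f1~ + f2~ + f3~ holds: exactly the hypothesis of Corollary 4.
F1 = mm_identity([0, 1, 1, 0, 1, 0, 0, 0])
F2 = mm_identity([1, 0, 0, 1, 1, 1, 0, 0])
F3 = mm_identity([0, 0, 1, 1, 0, 1, 0, 1])

def proposition26_holds(f1, f2, f3):
    """f1 + f2 + f3 = s1 + 2 s2 pointwise over Z, and the same identity (45) for the Walsh transforms."""
    s1, s2 = xor3(f1, f2, f3), maj3(f1, f2, f3)
    pointwise = all(a + b + c == x + 2 * y for a, b, c, x, y in zip(f1, f2, f3, s1, s2))
    w = [walsh(f, N) for f in (f1, f2, f3, s1, s2)]
    spectral = all(w[0][u] + w[1][u] + w[2][u] == w[3][u] + 2 * w[4][u] for u in range(1 << N))
    return pointwise and spectral

def corollary4_first_bullet(f1, f2, f3):
    """If s1 is bent with s1~ = f1~ + f2~ + f3~, then s2 is bent with s2~ = maj(f1~, f2~, f3~)."""
    s1, s2 = xor3(f1, f2, f3), maj3(f1, f2, f3)
    d1, d2, d3 = (dual(f, N) for f in (f1, f2, f3))
    hypothesis = is_bent(s1, N) and dual(s1, N) == xor3(d1, d2, d3)
    conclusion = is_bent(s2, N) and dual(s2, N) == maj3(d1, d2, d3)
    return hypothesis and conclusion

def corollary4_second_bullet(f1, f2, f3):
    """If every Walsh value of s2 is divisible by 2^{n/2}, then s1 is bent (checked as an implication)."""
    s1, s2 = xor3(f1, f2, f3), maj3(f1, f2, f3)
    divisible = all(v % (1 << (N // 2)) == 0 for v in walsh(s2, N))
    return (not divisible) or is_bent(s1, N)

if __name__ == "__main__":
    print("Proposition 26:", proposition26_holds(F1, F2, F3))
    print("Corollary 4, first bullet:", corollary4_first_bullet(F1, F2, F3))
    print("Corollary 4, second bullet:", corollary4_second_bullet(F1, F2, F3))
```

Because $s_2 = x \cdot y \oplus \mathrm{maj}(g_1, g_2, g_3)(y)$ here, the majority function of three bent functions is again a Maiorana-McFarland function; the code checks this through the corollary rather than through that algebraic shortcut.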

6.4.3 Decompositions of bent functions


The following theorem, proved in [33], is a direct consequence of Relation (25), applied to $f \oplus \ell$ where $\ell$ is linear, and to a 1-dimensional subspace $E$ of $\mathbb{F}_2^n$, and of the well-known (easy to prove) fact that, for every even integer $n \geq 4$, the sum of the squares of two integers equals $2^n$ (resp. $2^{n+1}$) if and only if one of these squares is null and the other one equals $2^n$ (resp. both squares equal $2^n$):
Theorem 4 Let $n$ be an even integer, $n \geq 4$, and let $f$ be an $n$-variable Boolean function. Then the following properties are equivalent.

1. $f$ is bent.

2. For every (resp. for some) linear hyperplane $E$ of $\mathbb{F}_2^n$, the Walsh transforms of the restrictions $h_1$, $h_2$ of $f$ to $E$ and to its complement (viewed as Boolean functions on $\mathbb{F}_2^{n-1}$) take values $\pm 2^{n/2}$ and 0 only, and the disjoint union of their supports equals the whole space $\mathbb{F}_2^{n-1}$.

Hence, a simple way of obtaining a plateaued function in an odd number of variables and with optimal nonlinearity is to take the restriction of a bent function to an affine hyperplane. Note that we have also (see [33]) that, if a function in an odd number of variables is such that, for some nonzero $a \in \mathbb{F}_2^n$, every derivative $D_u f$, $u \neq 0$, $u \in a^\perp$, is balanced, then its restriction to the linear hyperplane $a^\perp$ or to its complement is bent.
It is also proved in [33] that the Walsh transforms of the four restrictions of a bent function to an $(n-2)$-dimensional vector subspace $E$ of $\mathbb{F}_2^n$ and to its cosets have the same sets of magnitudes. It is a simple matter to see that, denoting by $a$ and $b$ two vectors such that $E^\perp$ is the linear space spanned by $a$ and $b$, these four restrictions are bent if and only if $D_a D_b \tilde f$ takes on constant value 1.
More on decomposing bent functions can be found in [33, 34, 82].

6.5 On the number of bent functions


The class of bent functions produced by the original Maiorana-McFarland's construction is by far the widest class, compared to the classes obtained from the other usual constructions.
The number of bent functions of the form (43) equals $(2^{n/2})! \times 2^{2^{n/2}}$, and is asymptotically equivalent to $\left( \frac{2^{n/2+1}}{e} \right)^{2^{n/2}} \sqrt{2^{n/2+1}\pi}$ (according to Stirling's formula) while the only other important construction of bent functions, $\mathcal{PS}_{ap}$, leads only to $\binom{2^{n/2}+1}{2^{n/2-1}} \approx \frac{2\sqrt{2}\; 2^{2^{n/2}}}{\sqrt{\pi\, 2^{n/2}}}$ functions. However, the number of provably bent Maiorana-McFarland's functions seems negligible with respect to the total number of bent functions. The number of (bent) functions which are affinely equivalent to Maiorana-McFarland's functions is unknown; it is at most equal to the number of Maiorana-McFarland's functions times the number of affine automorphisms, that equals $2^n (2^n - 1)(2^n - 2) \cdots (2^n - 2^{n-1})$. It seems also negligible with respect to the total number of bent functions.
The problem of determining an efficient lower bound on the number of $n$-variable bent functions is open.
Rothaus' inequality recalled at Subsection 6.3 states that any bent function has algebraic degree at most $n/2$. Thus, the number of bent functions is at most
$$2^{1 + n + \cdots + \binom{n}{n/2}} = 2^{2^{n-1} + \frac{1}{2}\binom{n}{n/2}}.$$
We shall call this upper bound the naive bound. We know that for $n = 6$ (the highest number of variables for which the number of bent functions is known), the number of bent functions is approximately equal to $2^{32}$ (see [225]), which is much less than $2^{2^5 + \frac{1}{2}\binom{6}{3}} = 2^{42}$. Also, it has been checked experimentally that there is no hope of obtaining a bent function on 8 variables by just picking at random a Boolean function of algebraic degree upper bounded by 4 (but more clever methods exist, see [97, 68]).
An upper bound improving upon the naive bound has been found recently [75]. It is exponentially better than the naive bound since it divides it by approximately $2^{2^{n/2} - n/2 - 1}$. But it seems to be still far from the exact number of bent functions.

6.6 Characterizations
Proposition 27 Let $f(x) = \sum_{I \in \mathcal{P}(N)} \lambda_I x^I$ be the NNF of a Boolean function $f$ on $\mathbb{F}_2^n$. Then $f$ is bent if and only if:
1. for every $I$ such that $n/2 < |I| < n$, the coefficient $\lambda_I$ is divisible by $2^{|I| - n/2}$;
2. $\lambda_N$ (with $N = \{1, \ldots, n\}$) is congruent with $2^{n/2-1}$ modulo $2^{n/2}$.

Proof. According to Lemma 2, $f$ is bent if and only if, for every $a \in \mathbb{F}_2^n$, $\hat f(a) \equiv 2^{n/2-1} \bmod 2^{n/2}$. We deduce that, according to Relation (27) applied with $\varphi = f$, Conditions 1. and 2. imply that $f$ is bent.
Conversely, Condition 1. is necessary, according to Proposition 21. Condition 2. is also necessary since $\hat f(1, \ldots, 1) = (-1)^n \lambda_N$ (from Relation (27)).

Proposition 27 and Relation (6) imply some restrictions on the coefficients of the ANFs of bent functions, observed and used in [75] (and also partially observed by Hou and Langevin in [145]).
Rothaus' bound is a direct consequence of Proposition 27 since the algebraic degree of a Boolean function whose NNF is $f(x) = \sum_{I \in \mathcal{P}(N)} \lambda_I x^I$ equals the maximum size of $I$ such that $\lambda_I$ is odd. Proposition 27 also permits to prove the following characterization:
Theorem 5 [71] Let $f$ be a Boolean function on $\mathbb{F}_2^n$. Then $f$ is bent if and only if there exist $n/2$-dimensional subspaces $E_1, \ldots, E_k$ of $\mathbb{F}_2^n$ (there is no constraint on the number $k$) and integers $m_1, \ldots, m_k$ (positive or negative) such that, for any element $x$ of $\mathbb{F}_2^n$:
$$f(x) \equiv \sum_{i=1}^k m_i 1_{E_i}(x) - 2^{n/2-1}\delta_0(x) \quad \left[ \bmod 2^{n/2} \right]. \quad (46)$$

Proof (sketch of). Relation (46) is a sufficient condition for $f$ being bent, according to Lemma 2 and to Relation (13).
Conversely, if $f$ is bent, then Proposition 27 permits to deduce Relation (46), by expressing all the monomials $x^I$ by means of the indicators of subspaces (indeed, the NNF of the indicator of the subspace $\{x \in \mathbb{F}_2^n \,/\, x_i = 0, \forall i \in I\}$ being equal to $\prod_{i \in I} (1 - x_i) = \sum_{J \subseteq I} (-1)^{|J|} x^J$, the monomial $x^I$ can be expressed by means of this indicator and of the monomials $x^J$, where $J$ is strictly included in $I$) and by using Lemma 3 below. $\square$

Lemma 3 Let $F$ be any $d$-dimensional subspace of $\mathbb{F}_2^n$. There exist $n/2$-dimensional subspaces $E_1, \ldots, E_k$ of $\mathbb{F}_2^n$ and integers $m, m_1, \ldots, m_k$ such that, for any element $x$ of $\mathbb{F}_2^n$:
$$2^{n/2-d}\,1_F(x) \equiv m + \sum_{i=1}^k m_i 1_{E_i}(x) \quad \left[ \bmod 2^{n/2} \right] \text{ if } d < n/2, \text{ and}$$
$$1_F(x) \equiv \sum_{i=1}^k m_i 1_{E_i}(x) \quad \left[ \bmod 2^{n/2} \right] \text{ if } d > n/2.$$

The class of those functions $f$ which satisfy the relation obtained from (46) by withdrawing "$[\bmod 2^{n/2}]$" is denoted by $\mathcal{GPS}$. The dual $\tilde f$ of such a function $f$ of $\mathcal{GPS}$ equals $\tilde f(x) = \sum_{i=1}^k m_i 1_{E_i^\perp}(x) - 2^{n/2-1}\delta_0(x)$.

There is no uniqueness of the representation of a given bent function in the form (46). But there exists another characterization:

Theorem 6 [72] Let $f$ be a Boolean function on $\mathbb{F}_2^n$. Then $f$ is bent if and only if there exist vector subspaces $E_1, \ldots, E_k$ of $\mathbb{F}_2^n$ of dimensions $n/2$ or $n/2 + 1$ and integers $m_1, \ldots, m_k$ (positive or negative) such that for any element $x$ of $\mathbb{F}_2^n$:
$$f(x) = \sum_{i=1}^k m_i 1_{E_i}(x) \pm 2^{n/2-1}\delta_0(x). \quad (47)$$

There is not a unique way, either, to choose these spaces $E_i$ among all $n/2$-dimensional and $(n/2+1)$-dimensional vector subspaces of $\mathbb{F}_2^n$. But it is possible to define some subclass of $n/2$-dimensional and $(n/2+1)$-dimensional spaces such that there is uniqueness, if the spaces $E_i$ are chosen in this subclass.
P. Guillot has proved later [122] that, up to composition by a mapping $x \mapsto x + a$, every bent function belongs to $\mathcal{GPS}$.

A characterization of bent functions through Cayley graphs also exists, see [14].

6.7 Subclasses: hyper-bent functions


In [47] (see also [51, 52]) have been determined those Boolean functions on $\mathbb{F}_2^n$ such that, for a given even integer $k$ ($2 \leq k \leq n-2$), any of the Boolean functions on $\mathbb{F}_2^{n-k}$, obtained by keeping constant $k$ coordinates among $x_1, \ldots, x_n$, is bent (i.e. those functions which satisfy the propagation criterion of degree $n - k$ and order $k$, see Section 8). These functions (which were called hyper-bent in [47], but we will keep this term for a notion introduced by Youssef and Gong; see below) are the four symmetric bent functions (see Section 9).

In [263], A. Youssef and G. Gong study the Boolean functions $f$ on the field $\mathbb{F}_{2^n}$ ($n$ even) whose Hamming distances to all functions $tr(a x^i) \oplus \varepsilon$ ($a \in \mathbb{F}_{2^n}$, $\varepsilon \in \mathbb{F}_2$), where $tr$ denotes the trace function from $\mathbb{F}_{2^n}$ to $\mathbb{F}_2$ and where $i$ is co-prime with $2^n - 1$, equal $2^{n-1} \pm 2^{n/2-1}$. These functions are bent, since every affine function has the form $tr(a x) \oplus \varepsilon$. They are called hyper-bent functions. The (equivalent) condition that $\sum_{x \in \mathbb{F}_{2^n}} (-1)^{f(x) \oplus tr(a x^i)}$ equals $\pm 2^{n/2}$ for every $a \in \mathbb{F}_{2^n}$ and every $i$ co-prime with $2^n - 1$, seems difficult to satisfy, since it is equivalent to the fact that the function $f(x^i)$ is bent for every such $i$. However, A. Youssef and G. Gong show in [263] that hyper-bent functions exist. Their result is equivalent to the following (see [68]):

Proposition 28 All the functions of class $\mathcal{PS}_{ap}$ are hyper-bent.

Let us give here a direct proof of this fact.

Proof. Let $\omega$ be any element in $\mathbb{F}_{2^n} \setminus \mathbb{F}_{2^{n/2}}$. The pair $(1, \omega)$ is a basis of the $\mathbb{F}_{2^{n/2}}$-vector space $\mathbb{F}_{2^n}$. Hence, we have $\mathbb{F}_{2^n} = \mathbb{F}_{2^{n/2}} + \omega\mathbb{F}_{2^{n/2}}$. Moreover, every element $y$ of $\mathbb{F}_{2^{n/2}}$ satisfies $y^{2^{n/2}} = y$ and therefore $tr(y) = y + y^2 + \cdots + y^{2^{n/2-1}} + y + y^2 + \cdots + y^{2^{n/2-1}} = 0$. Consider the inner product in $\mathbb{F}_{2^n}$ defined by: $y \cdot y' = tr(y y')$; the subspace $\mathbb{F}_{2^{n/2}}$ is then its own orthogonal; hence, according to Relation (13), any sum of the form $\sum_{y \in \mathbb{F}_{2^{n/2}}} (-1)^{tr(\lambda y)}$ is null if $\lambda \not\in \mathbb{F}_{2^{n/2}}$ and equals $2^{n/2}$ if $\lambda \in \mathbb{F}_{2^{n/2}}$.
Consider any element of the class $\mathcal{PS}_{ap}$, i.e. choose a balanced Boolean function $g$ on $\mathbb{F}_2^{n/2}$, vanishing at 0, and define $f(y' + \omega y) = g\left( \frac{y'}{y} \right)$, with $\frac{y'}{y} = 0$ if $y = 0$. For every $a \in \mathbb{F}_{2^n}$, we have
$$\sum_{x \in \mathbb{F}_{2^n}} (-1)^{f(x) \oplus tr(a x^i)} = \sum_{y, y' \in \mathbb{F}_{2^{n/2}}} (-1)^{g\left( \frac{y'}{y} \right) \oplus tr(a (y' + \omega y)^i)}.$$
Denoting $\frac{y'}{y}$ by $z$, we see that:
$$\sum_{y \in \mathbb{F}_{2^{n/2}}^*,\; y' \in \mathbb{F}_{2^{n/2}}} (-1)^{g\left( \frac{y'}{y} \right) \oplus tr(a (y' + \omega y)^i)} = \sum_{z \in \mathbb{F}_{2^{n/2}},\; y \in \mathbb{F}_{2^{n/2}}^*} (-1)^{g(z) \oplus tr(a y^i (z + \omega)^i)}.$$
The sum $\sum_{y' \in \mathbb{F}_{2^{n/2}}} (-1)^{g(0) \oplus tr(a y'^i)}$ equals $(-1)^{g(0)} 2^{n/2}$ if $a \in \mathbb{F}_{2^{n/2}}$ and is null otherwise.
Thus, $\sum_{x \in \mathbb{F}_{2^n}} (-1)^{f(x) \oplus tr(a x^i)}$ equals:
$$\sum_{z \in \mathbb{F}_{2^{n/2}}} (-1)^{g(z)} \sum_{y \in \mathbb{F}_{2^{n/2}}} (-1)^{tr(a (z + \omega)^i y^i)} - \sum_{z \in \mathbb{F}_{2^{n/2}}} (-1)^{g(z)} + (-1)^{g(0)} 2^{n/2}\, 1_{\mathbb{F}_{2^{n/2}}}(a).$$
The sum $\sum_{z \in \mathbb{F}_{2^{n/2}}} (-1)^{g(z)}$ is null since $g$ is balanced.
The sum $\sum_{z \in \mathbb{F}_{2^{n/2}}} (-1)^{g(z)} \sum_{y \in \mathbb{F}_{2^{n/2}}} (-1)^{tr(a (z + \omega)^i y^i)}$ equals $\pm 2^{n/2}$ if $a \not\in \mathbb{F}_{2^{n/2}}$, since we prove in the next Lemma that there exists exactly one $z \in \mathbb{F}_{2^{n/2}}$ such that $a (z + \omega)^i \in \mathbb{F}_{2^{n/2}}$; and this sum is null if $a \in \mathbb{F}_{2^{n/2}}$ (this can be checked, if $a = 0$ thanks to the balancedness of $g$, and if $a \neq 0$ because $y^i$ ranges over $\mathbb{F}_{2^{n/2}}$ and $a (z + \omega)^i \not\in \mathbb{F}_{2^{n/2}}$). This completes the proof. $\square$

Lemma 4 Let $n$ be any positive integer. Let $a$ and $\omega$ be two elements of the set $\mathbb{F}_{2^n} \setminus \mathbb{F}_{2^{n/2}}$ and let $i$ be co-prime with $2^n - 1$. There exists a unique element $z \in \mathbb{F}_{2^{n/2}}$ such that $a (z + \omega)^i \in \mathbb{F}_{2^{n/2}}$.

Proof. Let $j$ be the inverse of $i$ modulo $2^n - 1$. We have $a (z + \omega)^i \in \mathbb{F}_{2^{n/2}}$ if and only if $z \in \omega + a^{-j} \times \mathbb{F}_{2^{n/2}}$. The sets $\omega + a^{-j} \times \mathbb{F}_{2^{n/2}}$ and $\mathbb{F}_{2^{n/2}}$ are two flats whose directions $a^{-j} \times \mathbb{F}_{2^{n/2}}$ and $\mathbb{F}_{2^{n/2}}$ are subspaces whose sum is direct and equals $\mathbb{F}_{2^n}$. Hence, they have a unique vector in their intersection. $\square$
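The construction used in the proof above can be run on a small field. The following Python is an added example, not code from the chapter: it implements $\mathbb{F}_{2^6}$ with the (assumed) modulus $x^6 + x + 1$, identifies $\mathbb{F}_{2^3}$ as the set of roots of $z^8 = z$, builds $f(y' + \omega y) = g(y'/y)$ for $\omega = x$ and a constructed balanced $g$ vanishing at 0, and then computes $\sum_x (-1)^{f(x) \oplus tr(a x^i)}$ for every $a$ and every $i$ co-prime with 63, which Proposition 28 says must always be $\pm 8$. It also counts, for every $a \notin \mathbb{F}_{2^3}$, the $z \in \mathbb{F}_{2^3}$ with $a(z + \omega)^i \in \mathbb{F}_{2^3}$, the uniqueness claimed by Lemma 4. All identifiers are this example's own.

```python
# Added example: a PS_ap function on F_{2^6}, built as in the proof above
# (f(y' + w y) = g(y'/y)), checked to be hyper-bent, plus the count of Lemma 4.
from math import gcd

N = 6
SIZE = 1 << N            # |F_64|
MOD = 0b1000011          # x^6 + x + 1, assumed modulus (primitive over F_2)
HALF = 1 << (N // 2)     # |F_8|

def gf_mul(a, b):
    """Product in F_{2^6} = F_2[x]/(x^6 + x + 1); elements are 6-bit integers."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & SIZE:
            a ^= MOD
    return r

def gf_pow(a, e):
    """a^e by square-and-multiply."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r

MUL = [[gf_mul(a, b) for b in range(SIZE)] for a in range(SIZE)]   # multiplication table

def tr(a):
    """Absolute trace F_{2^6} -> F_2: a + a^2 + a^4 + ... + a^32 (always the integer 0 or 1)."""
    s, t = 0, a
    for _ in range(N):
        s ^= t
        t = MUL[t][t]
    return s

TR = [tr(a) for a in range(SIZE)]
SUBFIELD = [a for a in range(SIZE) if gf_pow(a, HALF) == a]    # F_8 = {a : a^8 = a}
OMEGA = 2                                                      # the class of x; not in F_8

def sub_div(yp, y):
    """y'/y computed in the field, with the convention y'/y = 0 when y = 0."""
    return 0 if y == 0 else MUL[yp][gf_pow(y, SIZE - 2)]       # y^{-1} = y^{2^n - 2}

def ps_ap_function(g):
    """PS_ap element f(y' + OMEGA*y) = g(y'/y), y, y' in F_8, for g balanced on F_8 with g(0) = 0."""
    f = [None] * SIZE
    for y in SUBFIELD:
        for yp in SUBFIELD:
            f[yp ^ MUL[OMEGA][y]] = g[sub_div(yp, y)]
    assert None not in f          # (1, OMEGA) is a basis of F_64 over F_8: every x is reached once
    return f

# Constructed g: 1 on the four smallest nonzero elements of F_8, 0 elsewhere (balanced, g(0) = 0).
G_SUPPORT = set(sorted(z for z in SUBFIELD if z != 0)[:4])
G = [1 if z in G_SUPPORT else 0 for z in range(SIZE)]
F = ps_ap_function(G)

def coprime_exponents():
    """All i with gcd(i, 2^n - 1) = 1: the exponents hyper-bentness ranges over."""
    return [i for i in range(1, SIZE - 1) if gcd(i, SIZE - 1) == 1]

def extended_walsh_magnitudes(f):
    """{ |sum_x (-1)^{f(x) + tr(a x^i)}| : a in F_64, i coprime with 63 }; hyper-bent iff this is {8}."""
    out = set()
    for i in coprime_exponents():
        powers = [gf_pow(x, i) for x in range(SIZE)]
        for a in range(SIZE):
            out.add(abs(sum(1 - 2 * (f[x] ^ TR[MUL[a][powers[x]]]) for x in range(SIZE))))
    return out

def lemma4_count(a, i):
    """Number of z in F_8 with a (z + OMEGA)^i in F_8 (Lemma 4: exactly one when a is outside F_8)."""
    return sum(1 for z in SUBFIELD if MUL[a][gf_pow(z ^ OMEGA, i)] in SUBFIELD)

def lemma4_holds():
    return all(lemma4_count(a, i) == 1
               for a in range(SIZE) if a not in SUBFIELD
               for i in coprime_exponents())

if __name__ == "__main__":
    print("magnitudes over all a and all coprime i:", extended_walsh_magnitudes(F))
    print("Lemma 4 holds:", lemma4_holds())
```

The exponent set has $\varphi(63) = 36$ elements, so the check evaluates 36 exponential sums per $a$; the multiplication and trace tables keep the inner loop to lookups, which is what makes exhaustive verification cheap even for the full set of exponents.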

6.8 Superclasses: partially-bent functions, partial bent functions and plateaued functions
We have seen that bent functions can never be balanced, which makes them improper for a direct cryptographic use. This has led to research into super-classes of the class of bent functions, whose elements can have high nonlinearities, but can also be balanced (and possibly, be $m$-resilient with large $m$ or satisfy $PC(l)$ with large $l$). A first super-class having these properties has been obtained as the set of those functions that achieve a bound expressing some trade-off between the number of non-balanced derivatives (i.e. of nonzero auto-correlation coefficients) of a Boolean function and the number of nonzero values of its Walsh transform. This bound, given in the next proposition, had been conjectured in [224] by B. Preneel and it has been proved later in [44].

Proposition 29 Let $n$ be any positive integer. Let $f$ be any Boolean function on $\mathbb{F}_2^n$. Denote the cardinalities of the sets $\{b \in \mathbb{F}_2^n \,|\, \mathcal{F}(D_b f) \neq 0\}$ and $\{b \in \mathbb{F}_2^n \,|\, \widehat{f_\chi}(b) \neq 0\}$ by $N_{\Delta_f}$ and $N_{\widehat{f_\chi}}$, respectively. Then:
$$N_{\Delta_f} \times N_{\widehat{f_\chi}} \geq 2^n. \quad (48)$$
Moreover, $N_{\Delta_f} \times N_{\widehat{f_\chi}} = 2^n$ if and only if $D_b f$ is either balanced or constant, for every $b$. This is equivalent to the fact that there exist two linear subspaces $E$ (of even dimension) and $E'$ of $\mathbb{F}_2^n$, whose direct sum equals $\mathbb{F}_2^n$, and Boolean functions $g$, bent on $E$, and $h$, affine on $E'$, such that:
$$\forall x \in E,\ \forall y \in E',\quad f(x + y) = g(x) \oplus h(y). \quad (49)$$

Inequality (48) comes directly from Relation (22): since the value of the auto-correlation coefficient $\mathcal{F}(D_b f)$ lies between $-2^n$ and $2^n$ for every $b$, we have $N_{\Delta_f} \geq 2^{-n} \sum_{b \in \mathbb{F}_2^n} (-1)^{u \cdot b}\mathcal{F}(D_b f) = 2^{-n}\widehat{f_\chi}^2(u)$, for every $u \in \mathbb{F}_2^n$, and thus $N_{\Delta_f} \geq 2^{-n} \max_{u \in \mathbb{F}_2^n} \widehat{f_\chi}^2(u)$. And we have $N_{\widehat{f_\chi}} \geq \frac{\sum_{u \in \mathbb{F}_2^n} \widehat{f_\chi}^2(u)}{\max_{u \in \mathbb{F}_2^n} \widehat{f_\chi}^2(u)} = \frac{2^{2n}}{\max_{u \in \mathbb{F}_2^n} \widehat{f_\chi}^2(u)}$. This proves Inequality (48). This inequality is an equality if and only if both inequalities above are equalities, that is, if and only if, for every $b$, the auto-correlation coefficient $\mathcal{F}(D_b f)$ equals 0 or $2^n (-1)^{u_0 \cdot b}$, where $\max_{u \in \mathbb{F}_2^n} \widehat{f_\chi}^2(u) = \widehat{f_\chi}^2(u_0)$, and if $f$ is plateaued. The condition that $D_b f$ is either balanced or constant, for every $b$, is in fact sufficient to imply that $f$ has the form (49): $E'$ is the linear kernel of $f$ and the restriction of $f$ to $E$ has balanced derivatives. Conversely, any function of the form (49) is such that Relation (48) is an equality. $\square$
Note that $E'$ is then the linear kernel of the function.
The functions such that $N_{\Delta_f} \times N_{\widehat{f_\chi}} = 2^n$ are called partially-bent functions. Every quadratic function is partially-bent. Partially-bent functions share with quadratic functions almost all of their nice properties (Walsh spectrum easier to calculate, potential good nonlinearity and good resiliency order), see [44]. In particular, the values of the Walsh transform equal 0 or $\pm 2^{\dim(E') + \dim(E)/2}$.
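Inequality (48) and its equality case are easy to check exhaustively. The following Python is an added example, not the chapter's code: it counts the nonzero auto-correlation coefficients and nonzero Walsh values of three constructed 4-variable functions, a quadratic one of the form (49), a bent one, and a cubic whose derivative in direction $e_1$ is neither balanced nor constant, and shows that the product equals $2^n$ exactly for the first two. The `from_anf` helper and the variable ordering ($x_1$ as the most significant bit of the truth-table index) are this example's own.

```python
# Added example: the bound (48) N_Delta_f * N_Walsh_f >= 2^n and its equality case
# (partially-bent functions), checked on three 4-variable functions.

def dot(u, v):
    return bin(u & v).count("1") & 1

def walsh(f, n):
    return [sum(1 - 2 * (f[x] ^ dot(u, x)) for x in range(1 << n)) for u in range(1 << n)]

def autocorrelation(f, n, b):
    """F(D_b f) = sum_x (-1)^{f(x) + f(x + b)}."""
    return sum(1 - 2 * (f[x] ^ f[x ^ b]) for x in range(1 << n))

def counts(f, n):
    """(N_Delta_f, N_Walsh_f): numbers of nonzero auto-correlation coefficients and of
    nonzero Walsh values."""
    n_delta = sum(1 for b in range(1 << n) if autocorrelation(f, n, b) != 0)
    n_walsh = sum(1 for v in walsh(f, n) if v != 0)
    return n_delta, n_walsh

def derivatives_balanced_or_constant(f, n):
    """The equality condition of Proposition 29: every D_b f is balanced (F = 0) or constant (F = +-2^n)."""
    size = 1 << n
    return all(autocorrelation(f, n, b) in (0, size, -size) for b in range(size))

def is_partially_bent(f, n):
    n_delta, n_walsh = counts(f, n)
    return n_delta * n_walsh == 1 << n

def from_anf(n, monomials):
    """Truth table from an ANF given as a list of monomials, each a tuple of variable
    indices (1-based); the empty tuple is the constant 1. x_1 is the most significant bit."""
    table = []
    for x in range(1 << n):
        bits = [(x >> (n - i)) & 1 for i in range(1, n + 1)]
        val = 0
        for mono in monomials:
            val ^= all(bits[i - 1] for i in mono)
        table.append(int(val))
    return table

# Constructed 4-variable examples.
QUADRATIC = from_anf(4, [(1, 2), (3,)])      # x1 x2 + x3: form (49) with E = <e1, e2>, E' = <e3, e4>
BENT4     = from_anf(4, [(1, 3), (2, 4)])    # x1 x3 + x2 x4: bent, hence partially-bent with E' = {0}
CUBIC4    = from_anf(4, [(1, 2, 3), (4,)])   # x1 x2 x3 + x4: D_{e1} f = x2 x3, neither balanced nor constant

if __name__ == "__main__":
    for name, f in (("quadratic", QUADRATIC), ("bent", BENT4), ("cubic", CUBIC4)):
        nd, nw = counts(f, 4)
        print(name, "N_Delta =", nd, "N_Walsh =", nw, "product =", nd * nw,
              "partially-bent:", is_partially_bent(f, 4))
```

For the quadratic example the four directions with a nonzero auto-correlation coefficient are exactly the linear kernel $E' = \langle e_3, e_4 \rangle$, and the four nonzero Walsh values sit on one coset of $E'^\perp$, which is the spectrum shape stated at the end of the paragraph above.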

A generalization of Relation (48) has been obtained in [227]:

Proposition 30 Let $\varphi$ be any nonzero $n$-variable pseudo-Boolean function. Let $N_\varphi = |\{x \in \mathbb{F}_2^n \,/\, \varphi(x) \neq 0\}|$ and $N_{\hat\varphi} = |\{u \in \mathbb{F}_2^n \,/\, \hat\varphi(u) \neq 0\}|$, then
$$N_\varphi \times N_{\hat\varphi} \geq 2^n.$$
Equality occurs if and only if there exists a number $\lambda$ and a flat $F$ of $\mathbb{F}_2^n$ such that $\varphi(x) = \lambda(-1)^{u \cdot x}$ if $x \in F$ and $\varphi(x) = 0$ otherwise.

Proof. Denoting by $1_\varphi$ the indicator of the support $\{x \in \mathbb{F}_2^n \,/\, \varphi(x) \neq 0\}$ of $\varphi$, and replacing $\varphi(x)$ by $1_\varphi(x)\varphi(x)$ in the definition of $\hat\varphi$, gives, for every $u \in \mathbb{F}_2^n$: $\hat\varphi(u) = \sum_{x \in \mathbb{F}_2^n} 1_\varphi(x)\varphi(x)(-1)^{u \cdot x}$. Applying then Cauchy's inequality gives $\hat\varphi^2(u) \leq N_\varphi \sum_{x \in \mathbb{F}_2^n} \varphi^2(x) = 2^{-n} N_\varphi \sum_{v \in \mathbb{F}_2^n} \hat\varphi^2(v)$ (according to Parseval's relation (3)). Hence, $\hat\varphi^2(u) \leq 2^{-n} N_\varphi \times N_{\hat\varphi} \max_{v \in \mathbb{F}_2^n} \hat\varphi^2(v)$. Choosing $u$ such that $\hat\varphi^2(u)$ is maximum gives the desired inequality, since, according to Parseval's relation, and $\varphi$ being nonzero, this maximum cannot be null.
Equality occurs if and only if all of the inequalities above are equalities, that is, $\hat\varphi^2(v)$ takes only one nonzero value (say $\mu$) and there exists a number $\lambda$ such that, for every $u$ such that $\hat\varphi^2(u) = \mu$, we have $\varphi(x) \neq 0 \Rightarrow \varphi(x) = \lambda(-1)^{u \cdot x}$. This is equivalent to the condition stated at the end of Proposition 30. $\square$

Partially-bent functions must not be mistaken for partial bent functions, studied by P. Guillot in [123]. The Fourier transforms of partial bent functions take exactly two values$^{26}$ $\lambda$ and $\lambda + 2^{n/2}$ on $\mathbb{F}_2^{n*}$ ($n$ even). Rothaus' bound on the degree generalizes to partial bent functions. The dual $\tilde f$ of $f$, defined by $\tilde f(u) = 0$ if $\hat f(u) = \lambda$ and $\tilde f(u) = 1$ if $\hat f(u) = \lambda + 2^{n/2}$, is also partial bent; and its own dual is $f$. Two kinds of partial bent functions $f$ exist: those such that $\hat f(0) - f(0) = -\lambda(2^{n/2} - 1)$ and those such that $\hat f(0) - f(0) = (2^{n/2} - \lambda)(2^{n/2} + 1)$. This can be proved by applying Parseval's Relation (20). The sum of two partial bent functions of the same kind, whose supports have at most the zero vector in common, is partial bent. A potential interest of partial bent functions is in the possibility of using them as building blocks for constructing bent functions.

$^{26}$ Partial bent functions are the indicators of partial difference sets.
In spite of their good properties, partially-bent functions, when they are not bent, have by definition nonzero linear structures and so do not give full satisfaction. The class of plateaued functions, already encountered above, at Subsection 4.1 (and sometimes called three-valued functions) is a natural extension of that of partially-bent functions, first studied by Zheng and Zhang in [269]. A function is called plateaued if its squared Walsh transform takes at most one nonzero value, that is, if its Walsh transform takes at most three values 0 and $\pm\lambda$ (where $\lambda$ is some positive integer, that we call the amplitude of the plateaued function). Bent functions are plateaued and, according to Parseval's Relation (20), a plateaued function is bent if and only if its Walsh transform never takes the value 0. Also because of Parseval's relation, $\lambda$ must be of the form $2^r$ where $r \geq n/2$. Hence, the values of the Walsh transform of a plateaued function are divisible by $2^{n/2}$ if $n$ is even and by $2^{(n+1)/2}$ if $n$ is odd. The class of plateaued functions contains those functions that achieve the best possible trade-offs between resiliency, nonlinearity and algebraic degree: the order of resiliency and the nonlinearity of any Boolean function are bounded by Sarkar et al.'s bound (see Section 7 below) and the best compromise between those two criteria is achieved by plateaued functions only; the third criterion, the algebraic degree, is then also optimum.
Also, according to Parseval's relation, if we denote again by $N_{\widehat{f_\chi}}$ the cardinality of the support $\{a \in \mathbb{F}_2^n \,/\, \widehat{f_\chi}(a) \neq 0\}$ of the Walsh transform of a given $n$-variable Boolean function $f$, we have $N_{\widehat{f_\chi}} \times \max_{a \in \mathbb{F}_2^n} \widehat{f_\chi}^2(a) \geq 2^{2n}$ and therefore, according to Relation (31):
$$NL(f) \leq 2^{n-1}\left( 1 - \frac{1}{\sqrt{N_{\widehat{f_\chi}}}} \right).$$
Equality is achieved if and only if $f$ is plateaued. Other properties of plateaued functions can be found in [33].
Plateaued functions can be characterized by second-order covering sequences (see [77]):
Theorem 7 A Boolean function $f$ on $\mathbb{F}_2^n$ is plateaued if and only if there exists $\theta$ such that, for every $x \in \mathbb{F}_2^n$:
$$\sum_{a, b \in \mathbb{F}_2^n} (-1)^{D_a D_b f(x)} = \theta. \quad (50)$$
If this condition is satisfied, then the amplitude of the plateaued function $f$ equals $\sqrt{\theta}$, and $\theta$ is therefore a power of 2 whose exponent is even and greater than or equal to $n$.

Proof. $f$ satisfies (50) for a given vector $x$ if and only if
$$\sum_{a, b \in \mathbb{F}_2^n} (-1)^{f(x+a) \oplus f(x+b) \oplus f(x+a+b)} = \theta\,(-1)^{f(x)}.$$
Applying three times the inverse Fourier formula (16), we have
$$\sum_{a, b \in \mathbb{F}_2^n} (-1)^{f(x+a) \oplus f(x+b) \oplus f(x+a+b)} = 2^{-3n} \sum_{u, v, w, a, b \in \mathbb{F}_2^n} \widehat{f_\chi}(u)\,\widehat{f_\chi}(v)\,\widehat{f_\chi}(w)\,(-1)^{(x+a) \cdot u \oplus (x+b) \cdot v \oplus (x+a+b) \cdot w}$$
$$= 2^{-3n} \sum_{u, v, w, a, b \in \mathbb{F}_2^n} \widehat{f_\chi}(u)\,\widehat{f_\chi}(v)\,\widehat{f_\chi}(w)\,(-1)^{x \cdot (u+v+w) \oplus a \cdot (u+w) \oplus b \cdot (v+w)}.$$
Since $\sum_{a \in \mathbb{F}_2^n} (-1)^{a \cdot (u+w)}$ is null if $u \neq w$, and $\sum_{b \in \mathbb{F}_2^n} (-1)^{b \cdot (v+w)}$ is null if $v \neq w$, we deduce that $\sum_{a, b \in \mathbb{F}_2^n} (-1)^{D_a D_b f(x)} = \theta$ if and only if
$$2^{-n} \sum_{u \in \mathbb{F}_2^n} \widehat{f_\chi}^3(u)\,(-1)^{x \cdot u} = \theta\,(-1)^{f(x)}.$$
Hence, according to the inverse Fourier formula (16) again, Relation (50) is satisfied for every $x \in \mathbb{F}_2^n$ if and only if:
$$\forall u \in \mathbb{F}_2^n,\quad \widehat{f_\chi}^3(u) = \theta\,\widehat{f_\chi}(u),$$
that is, if $\widehat{f_\chi}(u)$ equals $\pm\sqrt{\theta}$ or 0 for every $u \in \mathbb{F}_2^n$. $\square$
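The decomposition of Theorem 4 (Subsection 6.4.3) and the characterization of Theorem 7 can be checked together on one function. The following Python is an added example, not code from the chapter: it restricts a constructed 6-variable Maiorana-McFarland bent function to the hyperplane $x_6 = 0$ and to its complement, checks that the two restrictions have Walsh values in $\{0, \pm 8\}$ with complementary supports, and then evaluates the second-order sum of Relation (50) on the bent function, on its restrictions and on a non-plateaued cubic, confirming that $\theta$ is constant exactly in the plateaued cases and equals the square of the amplitude. Names and the convention that $x_n$ is the most significant bit of the truth-table index are this example's own.

```python
# Added example: Theorem 4 (restriction of a bent function to a hyperplane and its
# complement) and Theorem 7 (second-order characterisation of plateaued functions),
# checked on a constructed 6-variable bent function.

def dot(u, v):
    return bin(u & v).count("1") & 1

def walsh(f, n):
    return [sum(1 - 2 * (f[x] ^ dot(u, x)) for x in range(1 << n)) for u in range(1 << n)]

def is_bent(f, n):
    return all(abs(v) == 1 << (n // 2) for v in walsh(f, n))

def mm6(pi, g):
    """Maiorana-McFarland function x . pi(y) + g(y) on F_2^3 x F_2^3, (x, y) encoded as x*8 + y."""
    return [dot(x, pi[y]) ^ g[y] for x in range(8) for y in range(8)]

# Constructed bent function on n = 6 variables.
F6 = mm6([5, 2, 7, 0, 3, 6, 1, 4], [0, 1, 1, 0, 1, 1, 0, 0])

def restrictions_to_hyperplane(f, n):
    """h1 = f on the linear hyperplane E = {x_n = 0}, h2 = f on its complement, both read as
    (n-1)-variable functions; x_n is the most significant bit of the index."""
    half = 1 << (n - 1)
    return f[:half], f[half:]

def theorem4_property2(f, n):
    """Walsh transforms of h1, h2 take values 0, +-2^{n/2} only and their supports partition F_2^{n-1}."""
    h1, h2 = restrictions_to_hyperplane(f, n)
    w1, w2 = walsh(h1, n - 1), walsh(h2, n - 1)
    amp = 1 << (n // 2)
    values_ok = all(v in (0, amp, -amp) for v in w1 + w2)
    partition = all((v1 == 0) != (v2 == 0) for v1, v2 in zip(w1, w2))
    return values_ok and partition

def second_order_sum(f, n, x):
    """sum_{a,b} (-1)^{D_a D_b f(x)}, with D_a D_b f(x) = f(x) + f(x+a) + f(x+b) + f(x+a+b)."""
    size = 1 << n
    return sum(1 - 2 * (f[x] ^ f[x ^ a] ^ f[x ^ b] ^ f[x ^ a ^ b])
               for a in range(size) for b in range(size))

def plateau_theta(f, n):
    """Theorem 7: the constant theta of (50) if the second-order sum is the same for every x,
    else None (f is then not plateaued). For a plateaued f the amplitude is sqrt(theta)."""
    values = {second_order_sum(f, n, x) for x in range(1 << n)}
    return values.pop() if len(values) == 1 else None

def amplitude_from_walsh(f, n):
    """Largest absolute Walsh value, to compare with sqrt(theta)."""
    return max(abs(v) for v in walsh(f, n))

# The 3-variable cubic x1 x2 x3 is not plateaued: its Walsh values are 6 and +-2.
CUBIC3 = [0, 0, 0, 0, 0, 0, 0, 1]

if __name__ == "__main__":
    h1, h2 = restrictions_to_hyperplane(F6, 6)
    print("F6 bent:", is_bent(F6, 6), " Theorem 4 property 2:", theorem4_property2(F6, 6))
    for name, f, n in (("F6", F6, 6), ("h1", h1, 5), ("h2", h2, 5), ("cubic", CUBIC3, 3)):
        print(name, "theta =", plateau_theta(f, n), " max |Walsh| =", amplitude_from_walsh(f, n))
```

Both restrictions are 5-variable plateaued functions of amplitude $8 = 2^{(5+1)/2}$, i.e. they have the optimal nonlinearity $2^4 - 2^2 = 12$ mentioned after Theorem 4, and their $\theta = 64 = 2^6$ is indeed a power of 2 with even exponent at least 5.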

The fact that quadratic functions are plateaued is a direct consequence of Theorem 7, since their second-order derivatives are constant. And Theorem 7 gives more insight on the relationship between the nonlinearity of a quadratic function and the number of its nonzero second-order derivatives.
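As an added example (not code from the chapter), Theorem 7 can be checked by brute force on small functions: the sum of Relation (50) is evaluated at every point $x$, and the amplitude $\sqrt{\theta}$ it predicts is compared with the Walsh spectrum, together with the Parseval equality case discussed above. The three test functions $x_1x_2 \oplus x_3x_4$, $x_1x_2$ and $x_1x_2x_3$ on $\mathbb{F}_2^4$ are this example's own choices.

```python
# Added example (not from Carlet's chapter): Theorem 7 checked numerically on
# three 4-variable functions.  A Boolean function f on F_2^n is stored as a
# truth table, a list of 2**n bits indexed by the integer whose binary digits
# are the coordinates of x (bit i-1 holds x_i).

def dot(a, x):
    """Inner product a.x over F_2 (parity of the bitwise AND)."""
    return bin(a & x).count("1") & 1

def walsh(tt, n):
    """Walsh transform: f_chi^(a) = sum_x (-1)^(f(x) + a.x), for every a."""
    return [sum((-1) ** (tt[x] ^ dot(a, x)) for x in range(1 << n))
            for a in range(1 << n)]

def second_order_sum(tt, n, x):
    """Left-hand side of Relation (50) at the point x:
    sum over a, b of (-1)^(D_a D_b f(x)), with
    D_a D_b f(x) = f(x) + f(x+a) + f(x+b) + f(x+a+b)."""
    total = 0
    for a in range(1 << n):
        for b in range(1 << n):
            total += (-1) ** (tt[x] ^ tt[x ^ a] ^ tt[x ^ b] ^ tt[x ^ a ^ b])
    return total

def plateaued_amplitude(tt, n):
    """Theorem 7: if the sum of Relation (50) takes the same value theta at
    every x, f is plateaued with amplitude sqrt(theta); return that amplitude,
    or None when the sum depends on x (f is then not plateaued)."""
    sums = {second_order_sum(tt, n, x) for x in range(1 << n)}
    if len(sums) != 1:
        return None
    theta = sums.pop()
    amp = int(round(theta ** 0.5))
    return amp if amp * amp == theta else None

def parseval_equality(tt, n):
    """N_{f^} * max_a f^(a)^2 >= 2^(2n) (Parseval); True iff equality holds,
    which the text shows happens exactly for plateaued functions."""
    w = walsh(tt, n)
    support = sum(1 for v in w if v != 0)
    return support * max(v * v for v in w) == 2 ** (2 * n)

def from_anf(n, monomials):
    """Truth table of the function whose ANF is the XOR of the given monomials
    (each monomial a set of 1-based variable indices)."""
    tt = []
    for x in range(1 << n):
        bits = [(x >> (i - 1)) & 1 for i in range(1, n + 1)]
        tt.append(sum(all(bits[i - 1] for i in mono) for mono in monomials) & 1)
    return tt

N = 4
BENT = from_anf(N, [{1, 2}, {3, 4}])       # x1x2 + x3x4: bent, amplitude 2^(n/2) = 4
PARTIAL = from_anf(N, [{1, 2}])            # x1x2: quadratic, plateaued, amplitude 8
CUBIC = from_anf(N, [{1, 2, 3}])           # x1x2x3: not plateaued

if __name__ == "__main__":
    for name, tt in (("x1x2+x3x4", BENT), ("x1x2", PARTIAL), ("x1x2x3", CUBIC)):
        print(name, "amplitude:", plateaued_amplitude(tt, N),
              "Parseval equality:", parseval_equality(tt, N),
              "Walsh values:", sorted(set(walsh(tt, N))))
```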

P. Langevin proved in [172] that, if $f$ is a plateaued function, then the coset $f \oplus R(1,n)$ of the Reed-Muller code of order 1 is an orphan of $R(1,n)$. The notion of orphan has been introduced in [128] with the "urcoset" terminology, and studied in [21]. A coset of $R(1,n)$ is an orphan if it is maximum with respect to the following partial order relation: $g \oplus R(1,n)$ is smaller than $f \oplus R(1,n)$ if there exists in $g \oplus R(1,n)$ an element $g_1$ of weight $NL(g)$ (that is, of minimum weight in $g \oplus R(1,n)$), and in $f \oplus R(1,n)$ an element $f_1$ of weight $NL(f)$, such that $supp(g_1) \subseteq supp(f_1)$. Clearly, if $f$ is a function of maximum nonlinearity, then $f \oplus R(1,n)$ is an orphan of $R(1,n)$ (the converse is false, since plateaued functions with non-optimum nonlinearity exist). The notion of orphan can be used in algorithms searching for functions with high nonlinearities.

6.9 Normal and non-normal bent functions


The definition of normality has been given at Definition 3. As observed in [45] (see Theorem 2 above), if a bent function $f$ is normal (resp. weakly-normal), that is, constant (resp. affine) on an $n/2$-dimensional flat $b + E$ (where $E$ is a subspace of $\mathbb{F}_2^n$), then its dual $\tilde f$ is such that $\tilde f(u) \oplus b \cdot u$ is constant on $E^\perp$ (resp. on $a + E^\perp$, where $a$ is a vector such that $f(x) \oplus a \cdot x$ is constant on $E$). Thus, $\tilde f$ is weakly-normal. Moreover, we have already seen that $f$ (resp. $f(x) \oplus a \cdot x$) is balanced on each of the other cosets of the flat. H. Dobbertin used this idea to construct balanced functions with high nonlinearities from normal bent functions (see Subsection 7.3.1).
A proof of the existence of non-(weakly)-normal bent functions, i.e. bent functions which are non-constant (non-affine) on every $n/2$-dimensional flat, has been obtained recently (see [36]), contradicting a conjecture made by several authors that such bent functions did not exist. Other non-normal bent functions have been found in [68]. But cubic bent functions on 8 variables are all normal, as shown in [82].
The stability of the class of non-normal bent functions with respect to the construction of functions called direct sum (see Subsection 7.3.2) has been studied in [66].

6.10 Kerdock codes


For every even $n$, the Kerdock code $K_n$ [158] is a supercode of $R(1,n)$ (i.e. contains $R(1,n)$ as a subset) and is a subcode of $R(2,n)$. More precisely $K_n$ is a union of cosets $f_u \oplus R(1,n)$ of $R(1,n)$, where the functions $f_u$ are quadratic (one of them is null). The difference $f_u \oplus f_v$ between two distinct functions $f_u$ and $f_v$ being bent, $K_n$ has minimum distance $2^{n-1} - 2^{n/2-1}$ ($n$ even), which is the best possible minimum distance for a code equal to a union of cosets of $R(1,n)$. The size of $K_n$ equals $2^{2n}$. This is the best possible size for such minimum distance (see [99]). We recall now briefly how the construction of Kerdock codes can be simply described.

6.10.1 Construction of the Kerdock code


The function
$$f(x) = \bigoplus_{1 \le i < j \le n} x_i x_j \qquad (51)$$
(which can also be defined as $f(x) = \binom{w_H(x)}{2}\ [\mathrm{mod}\ 2]$) is bent because the kernel of its associated symplectic form $\varphi(x,y) = \bigoplus_{1 \le i \ne j \le n} x_i y_j$ is $\{0\}$. Thus, the linear code $R(1,n) \cup (f \oplus R(1,n))$ has minimum distance $2^{n-1} - 2^{n/2-1}$. We want to construct a code of size $2^{2n}$ with this same minimum distance. We use the structure of field to this aim. We have recalled at Subsection 2.1 some properties of the field $\mathbb{F}_{2^m}$ with $2^m$ elements. Other properties of this field are the following:
- there exists $\alpha \in \mathbb{F}_{2^m}$ such that $\mathbb{F}_{2^m} = \{0, \alpha, \alpha^2, \dots, \alpha^{2^m-1}\}$ ($\alpha$ is called a primitive element);
- moreover, there exists $\alpha$, primitive element, such that $(\alpha, \alpha^2, \alpha^{2^2}, \dots, \alpha^{2^{m-1}})$ is a basis of the vectorspace $\mathbb{F}_{2^m}$ (called a normal basis);
- if $m$ is odd, then there exists a self-dual normal basis, that is a normal basis such that: $tr(\alpha^{2^i+2^j}) = 1$ if $i = j$; and $tr(\alpha^{2^i+2^j}) = 0$ otherwise, where $tr$ is the trace function.
Consequence: $\forall x = x_1 \alpha + \dots + x_m \alpha^{2^{m-1}} \in \mathbb{F}_{2^m}$,
$$tr(x) = \bigoplus_{i=1}^m x_i, \qquad tr(x^{2^j+1}) = \bigoplus_{i=1}^m x_i x_{i+j},$$
(where the indices are computed modulo $m$).

The function $f$ of Relation (51), viewed as a function on $\mathbb{F}_{2^m} \times \mathbb{F}_2$, where $m = n-1$ is odd – say $m = 2t+1$ – can now be written as:
$$f(x, x_n) = tr\Big(\sum_{j=1}^t x^{2^j+1}\Big) \oplus x_n\, tr(x).$$
Notice that the symplectic form associated to $f$ equals
$$f(x,x_n) \oplus f(y,y_n) \oplus f(x+y, x_n \oplus y_n) = tr\Big(\sum_{j=1}^t (x^{2^j} y + x y^{2^j})\Big) \oplus x_n tr(y) \oplus y_n tr(x)$$
$$= tr\Big(\sum_{j=1}^t (x^{2^j} y + x^{2^{m-j}} y)\Big) \oplus x_n tr(y) \oplus y_n tr(x) = tr(x)\,tr(y) \oplus tr(xy) \oplus x_n tr(y) \oplus y_n tr(x).$$

Let us denote $f(ux, x_n)$ by $f_u(x, x_n)$ ($u \in \mathbb{F}_{2^m}$), then $K_n$ is defined as the union, when $u$ ranges over $\mathbb{F}_{2^m}$, of the cosets $f_u \oplus R(1,n)$.
$K_n$ contains $2^{n+1}$ affine functions and $2^{2n} - 2^{n+1}$ quadratic bent functions. Its minimum distance equals $2^{n-1} - 2^{n/2-1}$ because the sum of two distinct functions $f_u$ and $f_v$ is bent. Indeed, the kernel of the associated symplectic form equals the set of all ordered pairs $(x, x_n)$ verifying $tr(ux)tr(uy) \oplus tr(u^2 xy) \oplus x_n tr(uy) \oplus y_n tr(ux) = tr(vx)tr(vy) \oplus tr(v^2 xy) \oplus x_n tr(vy) \oplus y_n tr(vx)$ for every $y$, that is, $u\,tr(ux) + u^2 x + x_n u = v\,tr(vx) + v^2 x + x_n v$ and $tr(ux) = tr(vx)$; it is a simple matter to show that it equals $\{(0,0)\}$.
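As an added example (not code from the chapter), the construction above carried out for $n = 4$, i.e. $m = 3$ and $t = 1$: $f_u$ is taken directly in its trace form, so no normal basis has to be chosen, and the parameters stated above (size $2^{2n} = 256$, minimum distance $2^{n-1} - 2^{n/2-1} = 6$, bentness of $f_u \oplus f_v$) as well as the non-linearity and distance-invariance mentioned in the remarks below are verified exhaustively. The realisation of GF(8) as $\mathbb{F}_2[X]/(X^3+X+1)$ is this example's own choice.

```python
# Added example (not from Carlet's chapter): the Kerdock code K_n for n = 4,
# i.e. m = 3 and t = 1, built from the trace form
#   f(x, x_n) = tr( sum_{j=1}^{t} x^(2^j+1) ) + x_n tr(x),  f_u(x, x_n) = f(ux, x_n),
# and its parameters checked exhaustively.  GF(8) is realised here as
# F_2[X]/(X^3 + X + 1) (a choice of this example); field elements are the
# integers 0..7 whose bits are the polynomial coefficients.
M = 3                   # field degree m (odd, so the trace form of f applies)
N = M + 1               # n = m + 1 variables
T = (M - 1) // 2        # m = 2t + 1
MODULUS = 0b1011        # X^3 + X + 1

def gf_mul(a, b):
    """Multiplication in GF(2^M): shift-and-add with reduction by MODULUS."""
    r = 0
    for _ in range(M):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & (1 << M):
            a ^= MODULUS
    return r

def gf_pow(a, e):
    r = 1
    for _ in range(e):
        r = gf_mul(r, a)
    return r

def tr(a):
    """Absolute trace GF(2^M) -> F_2: a + a^2 + ... + a^(2^(M-1)) (0 or 1)."""
    t = 0
    for i in range(M):
        t ^= gf_pow(a, 1 << i)
    return t

POINTS = [(x, xn) for x in range(1 << M) for xn in (0, 1)]   # F_{2^m} x F_2, 2^n points

def f_u(u):
    """Truth table (tuple of 2^n bits) of f_u(x, x_n) = f(ux, x_n)."""
    tt = []
    for x, xn in POINTS:
        y = gf_mul(u, x)
        quad = 0
        for j in range(1, T + 1):
            quad ^= tr(gf_pow(y, (1 << j) + 1))
        tt.append(quad ^ (xn & tr(y)))
    return tuple(tt)

def xor(c1, c2):
    return tuple(p ^ q for p, q in zip(c1, c2))

# R(1, n) as truth tables: every affine function tr(ax) + b x_n + c (2^(n+1) words)
RM1 = {tuple(tr(gf_mul(a, x)) ^ (b & xn) ^ c for x, xn in POINTS)
       for a in range(1 << M) for b in (0, 1) for c in (0, 1)}

def kerdock():
    """K_n = union over u in GF(2^m) of the cosets f_u + R(1, n)."""
    code = set()
    for u in range(1 << M):
        code.update(xor(f_u(u), w) for w in RM1)
    return code

def nonlinearity(tt):
    """Distance from tt to R(1, n), i.e. the minimum weight in tt + R(1, n)."""
    return min(sum(xor(tt, w)) for w in RM1)

def is_bent(tt):
    return nonlinearity(tt) == 2 ** (N - 1) - 2 ** (N // 2 - 1)

def min_distance(code):
    words = sorted(code)
    return min(sum(xor(c1, c2)) for i, c1 in enumerate(words) for c2 in words[i + 1:])

def is_linear(code):
    return all(xor(c1, c2) in code for c1 in code for c2 in code)

def distance_distribution(code, center=None):
    """Number of codewords at each distance from `center` (default: the zero word);
    for a distance-invariant code this does not depend on the chosen codeword."""
    if center is None:
        center = tuple(0 for _ in POINTS)
    dist = {}
    for c in code:
        d = sum(xor(c, center))
        dist[d] = dist.get(d, 0) + 1
    return dist

if __name__ == "__main__":
    K = kerdock()
    print("size", len(K), "min distance", min_distance(K), "linear?", is_linear(K))
    print("weight distribution", distance_distribution(K))
```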

Open problem: Other examples of codes having the same parameters exist [153]. All are equal to subcodes of the Reed-Muller code of order 2, up to affine equivalence. We do not know how to obtain the same parameters with non-quadratic functions. This would be useful for cryptographic purposes as well as for the design of sequences for code division multiple access (CDMA) in telecommunications.

Remarks.
1. The Kerdock codes are not linear. However, they share some nice properties with linear codes: the distance distribution between any codeword and all the other codewords does not depend on the choice of the codeword (we say that the Kerdock codes are distance-invariant; this results in the fact that their distance enumerators are equal to their weight enumerators); and, as proved by Semakov and Zinoviev [243], the weight enumerators of the Kerdock codes satisfy a relation similar to Relation (30), in which $C$ is replaced by $K_n$ and $C^\perp$ is replaced by the so-called Preparata code of the same length (we say that the Kerdock codes and the Preparata codes are formally dual). An explanation of this astonishing property has been recently obtained [126]: the Kerdock code is stable under an addition inherited from the addition in $\mathbb{Z}_4 = \mathbb{Z}/4\mathbb{Z}$ (we say it is $\mathbb{Z}_4$-linear). Such an explanation had been an open problem for two decades.
2. Another example of quadratic bent function whose definition uses two trace functions, the trace function $tr_n$ on the whole field $\mathbb{F}_{2^n}$ and the trace function $tr_{n/2}$ on the subfield $\mathbb{F}_{2^{n/2}}$, is: $f(x) = tr_n\Big(\sum_{i=1}^t x^{2^i+1}\Big) \oplus tr_{n/2}(x^{2^{n/2}+1})$, $t = n/2 - 1$.

7 Resilient functions
We have seen at Subsection 4.1 that combining functions in stream ciphers must be $m$-resilient with large $m$. But, as any cryptographic function, they must also have high algebraic degrees and high nonlinearities.

Notation: by an $(n, m, d, N)$-function, we mean an $n$-variable, $m$-resilient function having algebraic degree at least $d$ and nonlinearity at least $N$.

There are necessary trade-offs between the number of variables, the algebraic degree, the nonlinearity and the resiliency order of a function.

7.1 Bound on algebraic degree


Siegenthaler's bound states that any $m$-resilient function ($0 \le m < n-1$) has algebraic degree smaller than or equal to $n - m - 1$ and that any $(n-1)$-resilient function is affine$^{27}$. This can be proved by using Relation (3) and the original definition of resiliency given by Siegenthaler, since the bit $\bigoplus_{x \in \mathbb{F}_2^n \,/\, supp(x) \subseteq I} f(x)$ equals the parity of the weight of the restriction of $f$ obtained by setting to 0 the coordinates of $x$ which lie outside $I$. Instead of this original Siegenthaler's definition, we can also use its characterization by Xiao and Massey, recalled in Proposition 13, together with Relation (15) applied to $\varphi = f$ and with $E^\perp = \{x \in \mathbb{F}_2^n \,|\, supp(x) \subseteq I\}$, where $I$ has size strictly greater than $n - m - 1$. But Siegenthaler's bound is also a direct consequence of a characterization of resilient functions$^{28}$ through their NNFs and of the fact that the algebraic degrees of Boolean functions are smaller than or equal to their numerical degrees:

Proposition 31 [74] A Boolean function $f$ on $\mathbb{F}_2^n$ is $m$-resilient if and only if the NNF of the function $f(x) \oplus x_1 \oplus \dots \oplus x_n$ has degree at most $n - m - 1$.

Proof. Let us denote by $g(x)$ the function $f(x) \oplus x_1 \oplus \dots \oplus x_n$. For each vector $a \in \mathbb{F}_2^n$, we denote by $\bar a$ the componentwise complement of $a$, equal to $a + (1, \dots, 1)$. We have $\widehat{f_\chi}(a) = \widehat{g_\chi}(\bar a)$. Thus, $f$ is $m$-resilient if and only if, for each word $u$ of weight greater than or equal to $n - m$, the number $\widehat{g_\chi}(u)$ is null. Consider the NNF of $g$:
$$g(x) = \sum_{I \in \mathcal{P}(N)} \lambda_I\, x^I.$$
According to Relations (27) and (28) applied to $g$, we have for nonzero $u$:
$$\widehat{g_\chi}(u) = (-1)^{w_H(u)+1} \sum_{I \in \mathcal{P}(N) \,|\, supp(u) \subseteq I} 2^{n-|I|+1}\, \lambda_I,$$
and for nonempty $I$:
$$\lambda_I = 2^{-n} (-2)^{|I|-1} \sum_{u \in \mathbb{F}_2^n \,|\, I \subseteq supp(u)} \widehat{g_\chi}(u).$$
We deduce that $\widehat{g_\chi}(u)$ is null for every word $u$ of weight greater than or equal to $n - m$ if and only if the NNF of $g$ has degree at most $n - m - 1$. □

Thus, according to Relation (5), $f$ is $m$-resilient if and only if the function $g(x) = f(x) \oplus x_1 \oplus \dots \oplus x_n$ satisfies $\sum_{x \in \mathbb{F}_2^n \,|\, supp(x) \subseteq I} (-1)^{w_H(x)} g(x) = 0$, for all $I \in \mathcal{P}(N)$ of size at least $n - m$.

27 Siegenthaler also proved that any $n$-variable $m$-th order correlation-immune function has degree at most $n - m$. This can be shown by using similar methods as for resilient functions. Moreover, if such a function has weight divisible by $2^{m+1}$ then it satisfies the same bound as $m$-resilient functions.
28 A similar characterization of correlation-immune functions can be found in [54].

Proposition 31 has been used by X.-D. Hou in [141] for constructing resilient functions. Siegenthaler's bound gives an example of the trade-offs which must be accepted in the design of combiner generators$^{29}$. Sarkar and Maitra showed in [236] that the values of the Walsh transform of an $n$-variable, $m$-resilient (resp. $m$-th order correlation-immune) function are divisible by $2^{m+2}$ (resp. $2^{m+1}$) if $m \le n - 2$ (a proof of a slightly more precise result is given in the next subsection, at Proposition 32)$^{30}$. This Sarkar-Maitra divisibility bound (which implies in particular that the weight of any $m$-th order correlation-immune function is divisible by $2^m$) also permits to deduce Siegenthaler's bound, thanks to Proposition 9 applied with $k = m + 2$ (resp. $k = m + 1$).

7.2 Nonlinearity
Sarkar-Maitra's divisibility bound, recalled at the end of the previous subsection, has provided a nontrivial upper bound on the nonlinearity of resilient functions, independently obtained by Tarannikov [253] and by Zheng and Zhang [272]: their nonlinearity is upper bounded by $2^{n-1} - 2^{m+1}$. This bound is tight, at least when $m \ge 0.6\,n$, see [253, 254]$^{31}$. We shall call it Sarkar et al.'s bound. Notice that, if an $m$-resilient function $f$ achieves nonlinearity $2^{n-1} - 2^{m+1}$, then $f$ is plateaued. Indeed, the distances between $f$ and affine functions lie then between $2^{n-1} - 2^{m+1}$ and $2^{n-1} + 2^{m+1}$ and must therefore be equal to $2^{n-1} - 2^{m+1}$, $2^{n-1}$ or $2^{n-1} + 2^{m+1}$ because of the divisibility result of Sarkar and Maitra. Thus, the Walsh transform of $f$ takes the three values 0 and $\pm 2^{m+2}$. Moreover, it is proved in [253] that such a function $f$ also achieves Siegenthaler's bound (and, as proved in [190], achieves minimum sum-of-squares indicator). These last properties can also be deduced from a more precise divisibility bound shown later in [54]:

29 One approach to avoid such trade-off is to allow memory in the nonlinear combination generator, that is, to replace the combining function by a finite state machine, see [205].
30 More is proved in [54, 78]; in particular that, if the weight of an $m$-th order correlation-immune function is divisible by $2^{m+1}$, then the values of its Walsh transform are divisible by $2^{m+2}$.

Proposition 32 Let $f$ be any $n$-variable $m$-resilient function and let $d$ be its algebraic degree. The values of the Walsh transform of $f$ are divisible by $2^{m+2+\lfloor \frac{n-m-2}{d} \rfloor}$. Hence the nonlinearity of $f$ is divisible by $2^{m+1+\lfloor \frac{n-m-2}{d} \rfloor}$.

The approach for proving this result was first to use the numerical normal form (see [54]). Later, a second proof using only the properties of the Fourier transform was given in [78]:
Proof. Relation (15) applied to $\varphi = f_\chi$ and to the vectorspace $E = \{u \in \mathbb{F}_2^n \,/\, \forall i \in N, u_i \le v_i\}$ where $v$ is some vector of $\mathbb{F}_2^n$, whose orthogonal equals $E^\perp = \{u \in \mathbb{F}_2^n \,/\, \forall i \in N, u_i \le v_i \oplus 1\}$, gives $\sum_{u \in E} \widehat{f_\chi}(u) = 2^{w_H(v)} \sum_{x \in E^\perp} f_\chi(x)$. It is then a simple matter to prove the result by induction on the weight of $v$, starting with the words of weight $m + 1$ (since it is obvious for the words of weights at most $m$), and using McEliece's divisibility property (see Subsection 3.1). □
A similar proof shows that the values of the Walsh transform of any $m$-th order correlation-immune function are divisible by $2^{m+1+\lfloor \frac{n-m-1}{d} \rfloor}$ (and by $2^{m+2+\lfloor \frac{n-m-2}{d} \rfloor}$ if its weight is divisible by $2^{m+1+\lfloor \frac{n-m-2}{d} \rfloor}$, see [78]).
Proposition 32 gives directly a more precise upper bound on the nonlinearity of any $m$-resilient function of degree $d$: this nonlinearity is upper bounded by $2^{n-1} - 2^{m+1+\lfloor \frac{n-m-2}{d} \rfloor}$. This gives a simpler proof that it can be equal to $2^{n-1} - 2^{m+1}$ only if $d = n - m - 1$, i.e. if Siegenthaler's bound is achieved. Moreover, the proof above also shows that the nonlinearity of any $m$-resilient $n$-variable Boolean function is upper bounded by $2^{n-1} - 2^{m+1+\lfloor \frac{n-m-2}{d} \rfloor}$ where $d$ is the minimum algebraic degree of the restrictions of $f$ to the subspaces $\{u \in \mathbb{F}_2^n \,/\, \forall i \in N, u_i \le v_i \oplus 1\}$ such that $v$ has weight $m + 1$ and $\widehat{f_\chi}(v) \ne 0$.

31 Also Zheng and Zhang [272] showed that the upper bound on the nonlinearity of correlation-immune functions of high orders is the same as the upper bound on the nonlinearity of resilient functions of the same orders. The distances between resilient functions and Reed-Muller codes of orders greater than 1 have also been studied by Kurosawa et al. [168].

If $2^{n-1} - 2^{m+1}$ is greater than the best possible nonlinearity of all balanced functions (and in particular if it is greater than the best possible nonlinearity $2^{n-1} - 2^{n/2-1}$ of all Boolean functions) then, obviously, a better bound exists. In the case of $n$ even, the best possible nonlinearity of all balanced functions being smaller than $2^{n-1} - 2^{n/2-1}$, Sarkar and Maitra deduce that $NL(f) \le 2^{n-1} - 2^{n/2-1} - 2^{m+1}$ for every $m$-resilient function $f$ with $m \le n/2 - 2$. In the case of $n$ odd, they state that $NL(f)$ is smaller than or equal to the highest multiple of $2^{m+1}$ which is less than or equal to the best possible nonlinearity of all Boolean functions. But a potentially better upper bound can be given, whatever the parity of $n$. Indeed, Sarkar-Maitra's divisibility bound shows that $\widehat{f_\chi}(a) = \varphi(a) \times 2^{m+2}$ where $\varphi(a)$ is integer-valued. But Parseval's Relation (20) and the fact that $\widehat{f_\chi}(a)$ is null for every word $a$ of weight $\le m$ imply
$$\sum_{a \,/\, w_H(a) > m} \varphi^2(a) = 2^{2n-2m-4}$$
and, thus,
$$\max_{a \in \mathbb{F}_2^n} |\varphi(a)| \ge \sqrt{\frac{2^{2n-2m-4}}{2^n - \sum_{i=0}^m \binom{n}{i}}} = \frac{2^{n-m-2}}{\sqrt{2^n - \sum_{i=0}^m \binom{n}{i}}}.$$
Hence, we have $\max_{a \in \mathbb{F}_2^n} |\varphi(a)| \ge \left\lceil \frac{2^{n-m-2}}{\sqrt{2^n - \sum_{i=0}^m \binom{n}{i}}} \right\rceil$ (where $\lceil u \rceil$ denotes the smallest integer greater than or equal to $u$), and this implies:
$$NL(f) \le 2^{n-1} - 2^{m+1} \left\lceil \frac{2^{n-m-2}}{\sqrt{2^n - \sum_{i=0}^m \binom{n}{i}}} \right\rceil. \qquad (52)$$
When $n$ is even and $m \le n/2 - 2$, this number is always less than or equal to the number $2^{n-1} - 2^{n/2-1} - 2^{m+1}$ (given by Sarkar and Maitra), because $\frac{2^{n-m-2}}{\sqrt{2^n - \sum_{i=0}^m \binom{n}{i}}}$ is strictly greater than $2^{n/2-m-2}$ and $2^{n/2-m-2}$ is an integer, and, thus, $\left\lceil \frac{2^{n-m-2}}{\sqrt{2^n - \sum_{i=0}^m \binom{n}{i}}} \right\rceil$ is at least $2^{n/2-m-2} + 1$. And when $n$ increases, the right hand-side of Relation (52) is smaller than $2^{n-1} - 2^{n/2-1} - 2^{m+1}$ for an increasing number of values of $m \le n/2 - 2$ (but this improvement does not appear when we compare the values we obtain with this bound to the values indicated in the table given by Sarkar and Maitra in [236], because the values of $n$ they consider in this table are small).
When $n$ is odd, it is difficult to say if Inequality (52) is better than the bound given by Sarkar and Maitra, because their bound involves a value which is unknown for $n \ge 9$ (the best possible nonlinearity of all balanced Boolean functions). In any case, this makes (52) more usable than their bound.
We know (see [187], page 310) that $\sum_{i=0}^m \binom{n}{i} \ge \frac{2^{nH_2(m/n)}}{\sqrt{8m(1-m/n)}}$, where $H_2(x) = -x \log_2(x) - (1-x) \log_2(1-x)$ is the so-called entropy function and satisfies $H_2(\frac12 - x) = 1 - 2x^2 \log_2 e + o(x^2)$. Thus, we have
$$NL(f) \le 2^{n-1} - 2^{m+1} \left\lceil \frac{2^{n-m-2}}{\sqrt{2^n - \frac{2^{nH_2(m/n)}}{\sqrt{8m(1-m/n)}}}} \right\rceil. \qquad (53)$$

Maximum correlation An upper bound on the maximum correlation of $m$-resilient functions with respect to subsets $I$ of $N$ can be directly deduced from Relation (35) and from Sarkar et al.'s bound. Note that we get an improvement by using that the support of $\widehat{f_\chi}$, restricted to the set of vectors $u \in \mathbb{F}_2^n$ such that $u_i = 0$, $\forall i \notin I$, contains at most $\sum_{i=m+1}^{|I|} \binom{|I|}{i}$ vectors. In particular, if $|I| = m + 1$, the maximum correlation of $f$ with respect to $I$ equals $2^{-n} |\widehat{f_\chi}(u)|$, where $u$ is the vector of support $I$, see [28, 29, 38, 264]. The optimal number of LFSRs that should be considered together in a correlation attack on a cryptosystem using an $m$-resilient combining function is $m + 1$, see [28, 29].

Other criteria The relationships between resiliency and other criteria have been studied in [83, 190, 256, 271]. For instance, $m$-resilient $PC(l)$ functions can exist only if $m + l \le n - 1$. This is a direct consequence of Relation (24), applied with $a = b = 0$, $E = \{x \in \mathbb{F}_2^n;\ x_i = 0, \forall i \in I\}$ and $E^\perp = \{x \in \mathbb{F}_2^n;\ x_i = 0, \forall i \notin I\}$, where $I$ has size $n - m$. And equality is possible only if $l = n - 1$, $n$ is odd and $m = 0$ [271, 83]. The known upper bounds on the nonlinearity (see Section 7) can then be improved with the same argument.

The definition of resiliency has been weakened (or maybe should we write
“specified”) in [19]. This has the advantage of relaxing some of the trade-offs
recalled above.

7.3 Constructions
High order resilient functions with high degrees and high nonlinearities are needed for applications in stream ciphers. But designing constructions of Boolean functions meeting these cryptographic criteria is still a crucial challenge nowadays. The primary constructions (which permit designing resilient functions without using known ones) lead potentially to wider classes of functions than secondary (i.e. recursive) constructions (recall that the number of Boolean functions on $n - 1$ variables is only equal to the square root of the number of $n$-variable Boolean functions). Unfortunately, the known primary constructions of such Boolean functions [49] do not lead to very large classes of functions. In fact, only one reasonably large class of Boolean functions is known whose elements can be analyzed with respect to the cryptographic criteria recalled at Subsection 4.1. So we observe some imbalance in the knowledge on cryptographic functions for stream ciphers: after the results recently published [235, 236, 54, 78], much is known on the properties of resilient functions, but little is known on how to construct them. Examples of $m$-resilient functions achieving the best possible nonlinearity $2^{n-1} - 2^{m+1}$ (and thus the best algebraic degree) have been obtained for $n \le 10$ in [217, 235, 236] and for every $m \ge 0.6\,n$ [253, 254] ($n$ being then not limited). But these examples give very limited numbers of functions (they are often defined recursively or obtained after a computer search) and many of these functions have cryptographic weaknesses such as linear structures (see [83, 190]). Numerous examples of (balanced) Boolean functions with high nonlinearities have been obtained by C. Fontaine in [113] and by E. Filiol and C. Fontaine in [112], who made a computer investigation, for $n = 7, 9$, on the corpus of idempotent functions. These functions are those whose ANFs are invariant under the cyclic shifts of the coordinates $x_i$. They found new weight distributions of cosets of $R(1,7)$, with (optimum) minimum weight 56. They also obtained numerous weight distributions of cosets of $R(1,9)$, with (best known) minimum weight 240. Other works are also interesting, see e.g. [195, 191, 218].
But designing constructions leading to large numbers of functions achieving good trade-offs between the nonlinearity, the algebraic degree and the resiliency order (if possible, on any number of variables) is still necessary for permitting to choose in applications cryptographic functions satisfying specific constraints.

7.3.1 Primary constructions


Maiorana-McFarland's class: An extension of Maiorana-McFarland's original class of bent functions has been given in [25], based on the same principle of concatenating affine functions (we have already met this generalization at Section 6): Let $r$ be a positive integer smaller than $n$; denote $n - r$ by $s$; let $g$ be any Boolean function on $\mathbb{F}_2^s$ and let $\phi$ be a mapping from $\mathbb{F}_2^s$ to $\mathbb{F}_2^r$. Then, define the function:
$$f_{\phi,g}(x,y) = x \cdot \phi(y) \oplus g(y) = \bigoplus_{i=1}^r x_i \phi_i(y) \oplus g(y), \quad x \in \mathbb{F}_2^r,\ y \in \mathbb{F}_2^s \qquad (54)$$
where $\phi_i(y)$ is the $i$-th coordinate function of $\phi(y)$.

Remark. These functions have also been studied under the name of linear-based functions in [1, 262].
For every $a \in \mathbb{F}_2^r$ and every $b \in \mathbb{F}_2^s$, we have seen at Subsection 6.4 that
$$\widehat{{f_{\phi,g}}_\chi}(a,b) = 2^r \sum_{y \in \phi^{-1}(a)} (-1)^{g(y) \oplus b \cdot y}. \qquad (55)$$

The extension of Maiorana-McFarland construction can be used to design resilient functions: if every element in $\phi(\mathbb{F}_2^s)$ has Hamming weight strictly greater than $k$, then $f_{\phi,g}$ is $m$-resilient with $m \ge k$. In particular, if $\phi(\mathbb{F}_2^s)$ does not contain the null vector, then $f_{\phi,g}$ is balanced. This is a direct consequence of Relation (55). It can also be deduced from the facts that any affine function $x \in \mathbb{F}_2^r \mapsto a \cdot x \oplus \varepsilon$ ($a \in \mathbb{F}_2^r$ nonzero, $\varepsilon \in \mathbb{F}_2$) is $(w_H(a) - 1)$-resilient, and that any Boolean function equal to the concatenation of $k$-resilient functions is a $k$-resilient function (see secondary construction 3 below).

Degree: The degree of $f_{\phi,g}$ is at most $s + 1 = n - r + 1$. It equals $s + 1$ if and only if $\phi$ has degree $s$ (i.e. if at least one of its coordinate functions has degree $s$). If we assume that every element in $\phi(\mathbb{F}_2^s)$ has Hamming weight strictly greater than $k$, then $\phi$ can have degree $s$ only if $k \le r - 2$, since if $k = r - 1$ then $\phi$ is constant. Thus, if $m = k$ then the degree of $f_{\phi,g}$ reaches Siegenthaler's bound $n - m - 1$ if and only if either $m = r - 2$ and $\phi$ has degree $s = n - m - 2$ or $m = r - 1$ and $g$ has degree $s = n - m - 1$. There are cases where $m > k$ (see [90, 56]).

Nonlinearity: Relations (31) and (55) lead straightforwardly to a general lower bound on the nonlinearity of Maiorana-McFarland's functions (first observed in [241]):
$$NL(f_{\phi,g}) \ge 2^{n-1} - 2^{r-1} \max_{a \in \mathbb{F}_2^r} |\phi^{-1}(a)| \qquad (56)$$
(where $|\phi^{-1}(a)|$ denotes the size of $\phi^{-1}(a)$). A recent upper bound
$$NL(f_{\phi,g}) \le 2^{n-1} - 2^{r-1} \left\lceil \sqrt{\max_{a \in \mathbb{F}_2^r} |\phi^{-1}(a)|} \right\rceil \qquad (57)$$
obtained in [55] strengthens the bound $NL(f_{\phi,g}) \le 2^{n-1} - 2^{r-1}$ previously obtained in [84, 85].
Proof. The sum $\sum_{b \in \mathbb{F}_2^s} \Big(\sum_{y \in \phi^{-1}(a)} (-1)^{g(y) + b \cdot y}\Big)^2$, that is clearly equal to $\sum_{b \in \mathbb{F}_2^s} \sum_{y,z \in \phi^{-1}(a)} (-1)^{g(y) + g(z) + b \cdot (y+z)}$, equals $2^s |\phi^{-1}(a)|$ (since the sum $\sum_{b \in \mathbb{F}_2^s} (-1)^{b \cdot (y+z)}$ is null if $y \ne z$). The maximum of a set of values being always greater than or equal to its mean, we deduce
$$\max_{b \in \mathbb{F}_2^s} \Big| \sum_{y \in \phi^{-1}(a)} (-1)^{g(y) + b \cdot y} \Big| \ge \sqrt{|\phi^{-1}(a)|}$$
and thus, according to Relation (55):
$$\max_{a \in \mathbb{F}_2^r;\, b \in \mathbb{F}_2^s} |\widehat{{f_{\phi,g}}_\chi}(a,b)| \ge 2^r \left\lceil \sqrt{\max_{a \in \mathbb{F}_2^r} |\phi^{-1}(a)|} \right\rceil.$$
Hence, according to Relation (31): $NL(f_{\phi,g}) \le 2^{n-1} - 2^{r-1} \left\lceil \sqrt{\max_{a \in \mathbb{F}_2^r} |\phi^{-1}(a)|} \right\rceil$. □

This new bound permitted to characterize the Maiorana-McFarland's functions $f_{\phi,g}$ such that $w_H(\phi(y)) > k$ for every $y$ and achieving nonlinearity $2^{n-1} - 2^{k+1}$: the inequality
$$NL(f_{\phi,g}) \le 2^{n-1} - \frac{2^{r + \frac{s}{2} - 1}}{\sqrt{\sum_{i=k+1}^r \binom{r}{i}}}$$
implies either that $r = k + 1$ or $r = k + 2$.
If $r = k + 1$, then $\phi$ is the constant $(1, \dots, 1)$ and $n \le k + 3$. Either $s = 1$ and $g(y)$ is then any function on one variable, or $s = 2$ and $g$ is then any function of the form $y_1 y_2 \oplus \ell(y)$ where $\ell$ is affine (thus, $f$ is quadratic).
If $r = k + 2$, then $\phi$ is injective, $n \le k + 2 + \log_2(k + 3)$, $g$ is any function on $n - k - 2$ variables and $d^\circ f_{\phi,g} \le 1 + \log_2(k + 3)$.

A simple example of $k$-resilient Maiorana-McFarland's functions such that $NL(f_{\phi,g}) = 2^{n-1} - 2^{k+1}$ (and thus achieving Sarkar et al.'s bound) can be given for any $r \ge 2s - 1$ and for $k = r - 2$ (see [55]). And, for every even $n \le 10$, Sarkar et al.'s bound with $m = n/2 - 2$ can be achieved by Maiorana-McFarland's functions. Also, functions with high nonlinearities but not achieving Sarkar et al.'s bound exist in Maiorana-McFarland's class (for instance, for every $n \equiv 1\ [\mathrm{mod}\ 4]$, there exist such $\frac{n-1}{4}$-resilient functions on $\mathbb{F}_2^n$ with nonlinearity $2^{n-1} - 2^{\frac{n-1}{2}}$). In [55] are also studied functions $f_{\phi,g}$ such that $\phi(\mathbb{F}_2^s)$ is included in $\{x \in \mathbb{F}_2^r;\ w_H(x) > k\}$, whose resiliency orders are strictly greater than $k$.
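As an added example (not code from the chapter), a Maiorana-McFarland function of Relation (54) in the case $r = k + 2$ discussed above, with $r = 4$, $s = 2$, $k = 2$: Relation (55) is checked against a brute-force Walsh transform, the resiliency order, the algebraic degree (Siegenthaler's bound $n - m - 1$) and the nonlinearity are computed, and the latter is compared with the bounds (56) and (57) and with Sarkar et al.'s bound. The injective $\phi$ (images of weight $3 > k$, one coordinate of degree $s$) and $g(y) = y_1 y_2$ are this example's own choices.

```python
# Added example (not from Carlet's chapter): a Maiorana-McFarland function
# f_{phi,g}(x, y) = x . phi(y) + g(y) of Relation (54) for r = 4, s = 2 (n = 6)
# and k = 2, with Relation (55), the resiliency order, Siegenthaler's bound and
# the nonlinearity bounds (56) and (57) checked against brute force.  The choice
# of phi (injective, every image of weight 3 > k, one coordinate of degree s)
# and of g(y) = y1 y2 is this example's own.
import math

R, S = 4, 2
N = R + S
K = 2
PHI = {0: 0b0111, 1: 0b1011, 2: 0b1101, 3: 0b1110}   # y -> phi(y), as r-bit integers

def g(y):
    return (y & 1) & (y >> 1)          # y1 y2, degree s = 2

def dot(a, x):
    return bin(a & x).count("1") & 1

def wt(a):
    return bin(a).count("1")

def f(x, y):
    return dot(x, PHI[y]) ^ g(y)

def truth_table():
    """f as a list indexed by z = x + 2^r y, i.e. x in the low r bits, y above."""
    return [f(z & ((1 << R) - 1), z >> R) for z in range(1 << N)]

def walsh_bruteforce(tt):
    """{(a, b): f_chi^(a, b)} computed directly from the definition."""
    return {(a, b): sum((-1) ** (tt[z] ^ dot(a | (b << R), z)) for z in range(1 << N))
            for a in range(1 << R) for b in range(1 << S)}

def walsh_relation_55(a, b):
    """Relation (55): 2^r * sum_{y in phi^{-1}(a)} (-1)^(g(y) + b.y)."""
    return (1 << R) * sum((-1) ** (g(y) ^ dot(b, y)) for y in PHI if PHI[y] == a)

def resiliency_order(w):
    """m such that f_chi^(a, b) = 0 whenever wt(a) + wt(b) <= m (-1: not balanced)."""
    return min(wt(a) + wt(b) for (a, b), v in w.items() if v != 0) - 1

def nonlinearity(w):
    return (1 << (N - 1)) - max(abs(v) for v in w.values()) // 2

def mm_bounds():
    """Lower bound (56) and upper bound (57), from the largest preimage of phi."""
    biggest = max(sum(1 for y in PHI if PHI[y] == a) for a in range(1 << R))
    lower = (1 << (N - 1)) - (1 << (R - 1)) * biggest
    upper = (1 << (N - 1)) - (1 << (R - 1)) * math.ceil(math.sqrt(biggest))
    return lower, upper

def algebraic_degree(tt):
    """Degree of the ANF, obtained by the Moebius transform of the truth table."""
    anf = list(tt)
    for i in range(N):
        for z in range(1 << N):
            if z & (1 << i):
                anf[z] ^= anf[z ^ (1 << i)]
    return max(wt(z) for z in range(1 << N) if anf[z])

if __name__ == "__main__":
    w = walsh_bruteforce(truth_table())
    print("resiliency order", resiliency_order(w), "nonlinearity", nonlinearity(w),
          "bounds (56),(57)", mm_bounds(), "degree", algebraic_degree(truth_table()))
```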

Generalizations of Maiorana-McFarland's construction have been introduced in [55], [59] and [77]. A motivation for introducing such generalizations is that Maiorana-McFarland's functions have the weakness that $x \mapsto f_{\phi,g}(x,y)$ is affine for every $y \in \mathbb{F}_2^s$ and have high divisibilities of their Fourier spectra (indeed, if we want to ensure that $f$ is $m$-resilient with a large value of $m$, then we need to choose $r$ large; then the Walsh spectrum of $f$ is divisible by $2^r$ according to Relation (55); there is also a risk that this property can be used in attacks, as it is used in [39] to attack block ciphers). The functions constructed in [55, 77] are concatenations of quadratic functions instead of affine functions. This makes them harder to study than Maiorana-McFarland's functions. But they are more numerous and more general. Two classes of such functions have been studied:
- the functions of the first class are defined as:
$$f_{\psi,\phi,g}(x,y) = \bigoplus_{i=1}^t x_{2i-1} x_{2i}\, \psi_i(y) \oplus x \cdot \phi(y) \oplus g(y),$$
with $x \in \mathbb{F}_2^r$, $y \in \mathbb{F}_2^s$, where $n = r + s$, $t = \lfloor \frac{r}{2} \rfloor$, and where $\psi : \mathbb{F}_2^s \to \mathbb{F}_2^t$, $\phi : \mathbb{F}_2^s \to \mathbb{F}_2^r$ and $g : \mathbb{F}_2^s \to \mathbb{F}_2$ can be chosen arbitrarily;
- the functions of the second class are defined as:
$$f_{\phi_1,\phi_2,\phi_3,g}(x,y) = (x \cdot \phi_1(y))\,(x \cdot \phi_2(y)) \oplus x \cdot \phi_3(y) \oplus g(y),$$
with $x \in \mathbb{F}_2^r$, $y \in \mathbb{F}_2^s$, where $n = r + s$, $\phi_1$, $\phi_2$ and $\phi_3$ are three functions from $\mathbb{F}_2^s$ into $\mathbb{F}_2^r$ and $g$ is any Boolean function on $\mathbb{F}_2^s$. The size of this class equals $\left((2^r)^{2^s}\right)^3 \times 2^{2^s} = 2^{(3r+1)2^s}$ and is larger than the size $(2^t)^{2^s} \times (2^r)^{2^s} \times 2^{2^s} = 2^{(t+r+1)2^s}$ of the first class.
There exist formulae for the Walsh transforms of the functions of these two classes, which result in sufficient conditions for their resiliency and in bounds on their nonlinearities.
The second construction has been generalized in [59]. The functions of this generalized class are the following concatenations of functions equal to the sums of $r$-variable affine functions and of flat-indicators:
$$\forall (x,y) \in \mathbb{F}_2^r \times \mathbb{F}_2^s, \quad f(x,y) = \prod_{i=1}^{\varphi(y)} \big(x \cdot \phi_i(y) \oplus g_i(y) \oplus 1\big) \oplus x \cdot \phi(y) \oplus g(y),$$
where $n = r + s$, $\varphi$ is a function from $\mathbb{F}_2^s$ into $\{0, 1, \dots, r\}$, $\phi_1, \dots, \phi_r$ and $\phi$ are functions from $\mathbb{F}_2^s$ into $\mathbb{F}_2^r$ such that, for every $y \in \mathbb{F}_2^s$, the vectors $\phi_1(y), \dots, \phi_{\varphi(y)}(y)$ are linearly independent, and $g_1, \dots, g_r$ and $g$ are Boolean functions on $\mathbb{F}_2^s$.

Other constructions: We first make a preliminary observation. Let $k < n$ and let $g$ be any $k$-variable function, $L : \mathbb{F}_2^n \to \mathbb{F}_2^k$ any surjective linear mapping and $s$ any element of $\mathbb{F}_2^n$; the function $f(x) = g \circ L(x) \oplus s \cdot x$ is $(d-1)$-resilient, where $d$ is the Hamming distance between $s$ and the linear code $C$ whose generator matrix equals the matrix of $L$. Indeed, for any vector $a \in \mathbb{F}_2^n$ of Hamming weight at most $d - 1$, the vector $s + a$ does not belong to $C$. This implies that the Boolean function $f(x) \oplus a \cdot x$ is linearly equivalent to the function $g(x_1, \dots, x_k) \oplus x_{k+1}$, since we may assume without loss of generality that $L$ is systematic (i.e. has the form $[Id_k \,|\, N]$); it is therefore balanced. But such a function $f$, having nonzero linear structures, does not give full satisfaction.

A construction derived from the $PS_{ap}$ construction is introduced in [49] to obtain resilient functions: let $k$ and $r$ be positive integers and $n \ge r$; denote $n - r$ by $s$; the vectorspace $\mathbb{F}_2^r$ is identified to the Galois field $\mathbb{F}_{2^r}$. Let $g$ be any Boolean function on $\mathbb{F}_{2^r}$ and $\phi$ an $\mathbb{F}_2$-linear mapping from $\mathbb{F}_2^s$ to $\mathbb{F}_{2^r}$; set $a \in \mathbb{F}_{2^r}$ and $b \in \mathbb{F}_2^s$ such that, for every $y$ in $\mathbb{F}_2^s$ and every $z$ in $\mathbb{F}_{2^r}$, $a + \phi(y)$ is nonzero and $\phi^*(z) + b$ has weight greater than $k$, where $\phi^*$ is the adjoint of $\phi$. Then, the function
$$f(x,y) = g\left(\frac{x}{a + \phi(y)}\right) \oplus b \cdot y, \quad \text{where } x \in \mathbb{F}_{2^r},\ y \in \mathbb{F}_2^s, \qquad (58)$$
is $m$-resilient with $m \ge k$. There exist bounds on the nonlinearities of these functions (see [56]), similar to those existing for Maiorana-McFarland's functions. But this class has much fewer elements than Maiorana-McFarland's class, because $\phi$ must be linear.

Dobbertin's construction: in [107] is given a nice generalization of a method, introduced by Seberry et al. in [242], for modifying bent functions into balanced functions with high nonlinearities. He observes that most known bent functions on $\mathbb{F}_2^n$ ($n$ even) are normal (that is, constant on at least one $n/2$-dimensional flat). Up to affine equivalence, we can then assume that $f(x,y)$, $x \in \mathbb{F}_2^{n/2}$, $y \in \mathbb{F}_2^{n/2}$, is such that $f(x,0) = \varepsilon$ ($\varepsilon \in \mathbb{F}_2$) for every $x \in \mathbb{F}_2^{n/2}$ and that $\varepsilon = 0$ (otherwise, consider $f \oplus 1$).

Proposition 33 Let $f(x,y)$, $x \in \mathbb{F}_2^{n/2}$, $y \in \mathbb{F}_2^{n/2}$, be any bent function such that $f(x,0) = 0$ for every $x \in \mathbb{F}_2^{n/2}$ and let $g$ be any balanced function on $\mathbb{F}_2^{n/2}$. Then the Walsh transform of the function $h(x,y) = f(x,y) \oplus \delta_0(y) g(x)$, where $\delta_0$ is the Dirac symbol, satisfies:
$$\widehat{h_\chi}(u,v) = 0 \text{ if } u = 0, \quad \text{and} \quad \widehat{h_\chi}(u,v) = \widehat{f_\chi}(u,v) + \widehat{g_\chi}(u) \text{ otherwise}. \qquad (59)$$

Proof. We have $\widehat{h_\chi}(u,v) = \widehat{f_\chi}(u,v) - \sum_{x \in \mathbb{F}_2^{n/2}} (-1)^{u \cdot x} + \sum_{x \in \mathbb{F}_2^{n/2}} (-1)^{g(x) \oplus u \cdot x} = \widehat{f_\chi}(u,v) - 2^{n/2} \delta_0(u) + \widehat{g_\chi}(u)$. The function $g$ being balanced, we have $\widehat{g_\chi}(0) = 0$. And $\widehat{f_\chi}(0,v)$ equals $2^{n/2}$ for every $v$, since $f$ is null on $\mathbb{F}_2^{n/2} \times \{0\}$ and according to Relation (41) applied to $E = \{0\} \times \mathbb{F}_2^{n/2}$ and $a = b = 0$ (or see the remark after Theorem 2). □

We deduce that:
$$\max_{u,v \in \mathbb{F}_2^{n/2}} |\widehat{h_\chi}(u,v)| \le \max_{u,v \in \mathbb{F}_2^{n/2}} |\widehat{f_\chi}(u,v)| + \max_{u \in \mathbb{F}_2^{n/2}} |\widehat{g_\chi}(u)|,$$
i.e. that $2^n - 2NL(h) \le 2^n - 2NL(f) + 2^{n/2} - 2NL(g)$, that is:
$$NL(h) \ge NL(f) + NL(g) - 2^{n/2-1} = 2^{n-1} - 2^{n/2} + NL(g).$$
Applying recursively this principle (if $n/2$ is even, $g$ can be constructed in the same way), we see that if $n = 2^k n'$ ($n' \le 13$ odd), the best known (but perhaps not the best possible) nonlinearity that can be obtained by using Dobbertin's method is $2^{n-1} - 2^{n/2-1} - 2^{n/4-1} - \dots - 2^{\frac{n}{2^k}-1} - 2^{\frac{n'-1}{2}}$. Indeed, for every odd $n'$, there exists a balanced (quadratic) function on $\mathbb{F}_2^{n'}$ with nonlinearity $2^{n'-1} - 2^{\frac{n'-1}{2}}$, and no balanced function with better nonlinearity is known if $n' \le 13$.
Unfortunately, according to Relation (59), Dobbertin's construction cannot produce $m$-resilient functions with $m > 0$ since, $g$ being a function defined on $\mathbb{F}_2^{n/2}$, there cannot exist more than one vector $a$ such that $\widehat{g_\chi}(a)$ equals $\pm 2^{n/2}$.

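As an added example (not code from the chapter), Proposition 33 carried out on $n = 6$ variables: the bent function $f(x,y) = x \cdot y$ (null on $\mathbb{F}_2^{3} \times \{0\}$) is modified with the balanced function $g(x) = x_1 x_2 \oplus x_3$, Relation (59) is verified against the brute-force Walsh transform of $h$, and the bound $NL(h) \ge 2^{n-1} - 2^{n/2} + NL(g)$ is compared with the actual nonlinearity; the resiliency order of $h$ illustrates the last remark above. The choices of $f$ and $g$ are this example's own.

```python
# Added example (not from Carlet's chapter): Dobbertin's construction on n = 6
# variables.  f(x, y) = x . y is a bent function with f(x, 0) = 0, g(x) = x1 x2 + x3
# is balanced on F_2^3 with nonlinearity 2, and h = f + delta_0(y) g(x).  Relation
# (59) and the bound NL(h) >= NL(f) + NL(g) - 2^(n/2-1) are checked by brute
# force; the choices of f and g are this example's own.
HALF = 3                # n/2
N = 2 * HALF

def dot(a, x):
    return bin(a & x).count("1") & 1

def f(x, y):
    return dot(x, y)                                      # bent, null on F_2^(n/2) x {0}

def g(x):
    return ((x & 1) & ((x >> 1) & 1)) ^ ((x >> 2) & 1)    # x1 x2 + x3, balanced

def h(x, y):
    return f(x, y) ^ (g(x) if y == 0 else 0)              # f + delta_0(y) g(x)

def split(z):
    """z <-> (x, y): x in the low n/2 bits, y in the high n/2 bits."""
    return z & ((1 << HALF) - 1), z >> HALF

def walsh(func, nbits):
    """Full Walsh spectrum of func: F_2^nbits -> F_2 (integers as inputs)."""
    return [sum((-1) ** (func(z) ^ dot(a, z)) for z in range(1 << nbits))
            for a in range(1 << nbits)]

def nonlinearity(spectrum, nbits):
    return (1 << (nbits - 1)) - max(abs(v) for v in spectrum) // 2

def spectrum_h():
    return walsh(lambda z: h(*split(z)), N)

def relation_59_holds():
    """h^(u, v) = 0 if u = 0, and f^(u, v) + g^(u) otherwise."""
    wh, wf, wg = spectrum_h(), walsh(lambda z: f(*split(z)), N), walsh(g, HALF)
    for a in range(1 << N):
        u, _ = split(a)
        if wh[a] != (0 if u == 0 else wf[a] + wg[u]):
            return False
    return True

def dobbertin_bound():
    """NL(f) + NL(g) - 2^(n/2-1) = 2^(n-1) - 2^(n/2) + NL(g)."""
    nl_f = nonlinearity(walsh(lambda z: f(*split(z)), N), N)
    nl_g = nonlinearity(walsh(g, HALF), HALF)
    return nl_f + nl_g - (1 << (HALF - 1))

def resiliency_order_h():
    """Largest m with h^(a) = 0 for every a of weight <= m (h is balanced but,
    as the text notes, the construction cannot give m > 0)."""
    wh = spectrum_h()
    return min(bin(a).count("1") for a in range(1 << N) if wh[a] != 0) - 1

if __name__ == "__main__":
    print("Relation (59):", relation_59_holds(), "NL(h) =", nonlinearity(spectrum_h(), N),
          ">= bound", dobbertin_bound(), "resiliency order", resiliency_order_h())
```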
7.3.2 Secondary constructions
There exist several simple secondary constructions, which can be combined
to obtain resilient functions achieving the bounds of Sarkar et al. and Siegen-
thaler.

I Direct sums of functions


A. Adding a variable
Let f be an r-variable t-resilient function. The Boolean function on Fr+1
2 :

h(x1 , . . . , xr , xr+1 ) = f (x1 , . . . , xr ) ⊕ xr+1


is (t + 1)-resilient [245]. If f is an (r, t, r − t − 1, 2r−1 − 2t+1 ) function32 ,
then h is an (r + 1, t + 1, r − t − 1, 2r − 2t+2 ) function, and thus achieves
Siegenthaler’s and Sarkar et al.’s bounds. But h has the linear structure
(0, . . . , 0, 1).
B. Generalization

If $f$ is an $r$-variable $t$-resilient function and if $g$ is an $s$-variable $m$-resilient function, then the function:
$$h(x_1, \dots, x_r, x_{r+1}, \dots, x_{r+s}) = f(x_1, \dots, x_r) \oplus g(x_{r+1}, \dots, x_{r+s})$$
is $(t+m+1)$-resilient. This comes from the easily provable relation $\hat h_\chi(a,b) = \hat f_\chi(a) \times \hat g_\chi(b)$, $a \in F_2^r$, $b \in F_2^s$. We have also $d^\circ h = \max(d^\circ f, d^\circ g)$ and, thanks to Relation (31), $N_h = 2^{r+s-1} - \frac{1}{2}(2^r - 2N_f)(2^s - 2N_g) = 2^r N_g + 2^s N_f - 2N_f N_g$. Such a function does not give full satisfaction (J. Dillon already pointed out in [105] that such decomposable functions have weaknesses; their property can be used for designing divide-and-conquer attacks). Moreover, $h$ has low degree, in general. And if $N_f = 2^{r-1} - 2^{t+1}$ and $N_g = 2^{s-1} - 2^{m+1}$ (i.e. if $N_f$ and $N_g$ have maximum possible values), then $N_h = 2^{r+s-1} - 2^{t+m+3}$ and $h$ does not achieve Sarkar's and Maitra's bound (note that this is not in contradiction with the properties of the construction recalled in I.A, since the function $g(x_{r+1}) = x_{r+1}$ is 0-resilient, that is, balanced, but has nonlinearity 0, which is greater than $2^0 - 2^1$).
Function $h$ has no nonzero linear structure if and only if $f$ and $g$ both have no nonzero linear structure.

$^{32}$ Recall that, by an $(n, m, d, N)$-function, we mean an $n$-variable, $m$-resilient function having algebraic degree at least $d$ and nonlinearity at least $N$.

II. Siegenthaler's construction

Let $f$ and $g$ be two Boolean functions on $F_2^r$. Consider the function
$$h(x_1, \dots, x_r, x_{r+1}) = (x_{r+1} \oplus 1) f(x_1, \dots, x_r) \oplus x_{r+1}\, g(x_1, \dots, x_r)$$
on $F_2^{r+1}$. Note that the truth-table of $h$ can be obtained by concatenating the truth-tables of $f$ and $g$. Then: $\hat h_\chi(a_1, \dots, a_r, a_{r+1}) = \hat f_\chi(a_1, \dots, a_r) + (-1)^{a_{r+1}} \hat g_\chi(a_1, \dots, a_r)$. Thus:
1. If $f$ and $g$ are $m$-resilient, then $h$ is $m$-resilient [245]; moreover, if for every $a \in F_2^r$ of Hamming weight $m+1$, we have $\hat f_\chi(a) + \hat g_\chi(a) = 0$, then $h$ is $(m+1)$-resilient. Note that the construction recalled in I.A corresponds to $g = f \oplus 1$ and satisfies this condition. Another possible choice of a function $g$ satisfying this condition (first pointed out in [25]) is $g(x) = f(x_1 \oplus 1, \dots, x_r \oplus 1) \oplus \epsilon$, where $\epsilon = m \bmod 2$, since $\hat g_\chi(a) = \sum_{x \in F_2^r} (-1)^{f(x) \oplus \epsilon \oplus (x \oplus (1, \dots, 1)) \cdot a} = (-1)^{\epsilon + w_H(a)} \hat f_\chi(a)$. It leads to a function $h$ having also a nonzero linear structure (namely, the vector $(1, \dots, 1)$);
2. The maximum $\max_{a_1, \dots, a_{r+1} \in F_2} |\hat h_\chi(a_1, \dots, a_r, a_{r+1})|$ is upper bounded by $\max_{a_1, \dots, a_r \in F_2} |\hat f_\chi(a_1, \dots, a_r)| + \max_{a_1, \dots, a_r \in F_2} |\hat g_\chi(a_1, \dots, a_r)|$; this implies $2^{r+1} - 2N_h \le 2^{r+1} - 2N_f - 2N_g$, that is $N_h \ge N_f + N_g$;
a. if $f$ and $g$ achieve maximum possible nonlinearity $2^{r-1} - 2^{m+1}$ and if $h$ is $(m+1)$-resilient, then the nonlinearity $2^r - 2^{m+2}$ of $h$ is the best possible;
b. if $f$ and $g$ are such that, for every word $a$, at least one of the numbers $\hat f_\chi(a)$, $\hat g_\chi(a)$ is null (in other words, if the supports of the Walsh transforms of $f$ and $g$ are disjoint), then we have $\max_{a_1, \dots, a_{r+1} \in F_2} |\hat h_\chi(a_1, \dots, a_r, a_{r+1})| = \max\left(\max_{a_1, \dots, a_r \in F_2} |\hat f_\chi(a_1, \dots, a_r)|,\ \max_{a_1, \dots, a_r \in F_2} |\hat g_\chi(a_1, \dots, a_r)|\right)$. Hence we have $2^{r+1} - 2N_h = 2^r - 2\min(N_f, N_g)$ and $N_h$ equals therefore $2^{r-1} + \min(N_f, N_g)$; thus, if $f$ and $g$ achieve maximum possible nonlinearity $2^{r-1} - 2^{m+1}$, then $h$ achieves best possible nonlinearity $2^r - 2^{m+1}$;
3. If the monomials of highest degree in the algebraic normal forms of $f$ and $g$ are not all the same, then $d^\circ h = 1 + \max(d^\circ f, d^\circ g)$. Note that this condition is not satisfied in the two cases indicated above in 1, for which $h$ is $(m+1)$-resilient.
4. For every $a = (a_1, \dots, a_r) \in F_2^r$ and every $a_{r+1} \in F_2$, we have, denoting $(x_1, \dots, x_r)$ by $x$: $D_{(a, a_{r+1})} h(x, x_{r+1}) = D_a f(x) \oplus a_{r+1} (f \oplus g)(x) \oplus x_{r+1} D_a(f \oplus g)(x) \oplus a_{r+1} D_a(f \oplus g)(x)$. If $d^\circ(f \oplus g) \ge d^\circ f$, then $D_{(a,1)} h$ is non-constant, for every $a$. And if, additionally, there does not exist $a \ne 0$ such that $D_a f$ and $D_a g$ are constant and equal to each other, then $h$ admits no nonzero linear structure.
This construction permits to obtain:
- from any two $m$-resilient functions $f$ and $g$ having disjoint Walsh spectra, achieving nonlinearity $2^{r-1} - 2^{m+1}$ and such that $d^\circ(f \oplus g) = r-m-1$, an $m$-resilient function $h$ having degree $r-m$ and having nonlinearity $2^r - 2^{m+1}$, that is, achieving Siegenthaler's and Sarkar et al.'s bounds; note that this construction increases (by 1) the degrees of $f$ and $g$;
- from any $m$-resilient function $f$ achieving degree $r-m-1$ and nonlinearity $2^{r-1} - 2^{m+1}$, a function $h$ having resiliency order $m+1$ and nonlinearity $2^r - 2^{m+2}$, that is, achieving Siegenthaler's and Sarkar et al.'s bounds and having the same degree as $f$ (but having nonzero linear structures).
So, when these two methods are combined, it permits to keep the best tradeoffs between resiliency order, degree and nonlinearity, and to increase by 1 the degree and the resiliency order.
Generalization: let $(f_y)_{y \in F_2^s}$ be a family of $r$-variable $m$-resilient functions; then the function on $F_2^{r+s}$ defined by $f(x,y) = f_y(x)$ ($x \in F_2^r$, $y \in F_2^s$) is $m$-resilient. Indeed, we have $\hat f_\chi(a,b) = \sum_{y \in F_2^s} (-1)^{b \cdot y} \widehat{f_y}_\chi(a)$. The function $f$ corresponds to the concatenation of the functions $f_y$; hence, this secondary construction can be viewed as a generalization of Maiorana-McFarland's construction (in which the functions $f_y$ are $m$-resilient affine functions).

III. Tarannikov's elementary construction

Let $g$ be any Boolean function on $F_2^r$. Define the Boolean function $h$ on $F_2^{r+1}$ by $h(x_1, \dots, x_r, x_{r+1}) = x_{r+1} \oplus g(x_1, \dots, x_{r-1}, x_r \oplus x_{r+1})$. For every $(a_1, \dots, a_{r+1}) \in F_2^{r+1}$, the Walsh transform $\hat h_\chi(a_1, \dots, a_{r+1})$ is equal to
$$\sum_{x_1, \dots, x_{r+1} \in F_2} (-1)^{a \cdot x \oplus g(x_1, \dots, x_r) \oplus a_r x_r \oplus (a_r \oplus a_{r+1} \oplus 1) x_{r+1}}, \quad \text{where } a = (a_1, \dots, a_{r-1})$$
and $x = (x_1, \dots, x_{r-1})$; it is null if $a_{r+1} = a_r$ and it equals $2\hat g_\chi(a_1, \dots, a_{r-1}, a_r)$ if $a_r = a_{r+1} \oplus 1$. Thus:
1. $N_h = 2N_g$;
2. If $g$ is $m$-resilient, then $h$ is $m$-resilient. If, additionally, $\hat g_\chi(a_1, \dots, a_{r-1}, 1)$ is null for every vector $(a_1, \dots, a_{r-1})$ of weight at most $m$, then $h$ is $(m+1)$-resilient; note that, in such a case, if $g$ has nonlinearity $2^{r-1} - 2^{m+1}$ then the nonlinearity of $h$, which equals $2^r - 2^{m+2}$, achieves Sarkar et al.'s bound. The condition that $\hat g_\chi(a_1, \dots, a_{r-1}, 1)$ is null for every vector $(a_1, \dots, a_{r-1})$ of weight at most $m$ is achieved if $g$ does not actually depend on its last input bit; but the construction is then a particular case of the construction recalled in I.A. The condition is also achieved if $g$ is obtained from two $m$-resilient functions, by using Siegenthaler's construction (recalled in II).
3. $d^\circ h = d^\circ g$ if $d^\circ g \ge 1$.
4. $h$ has the nonzero linear structure $(0, \dots, 0, 1, 1)$.

Tarannikov combined in [253] this construction with the constructions recalled in I and II, to build a more complex secondary construction, which permits to increase at the same time the resiliency order and the degree of the functions and which leads to an infinite sequence of functions achieving Siegenthaler's and Sarkar et al.'s bounds. Increasing then, by using the construction recalled in I.A, the set of ordered pairs $(r, m)$ for which such functions can be constructed, he deduced the existence of $r$-variable $m$-resilient functions achieving Siegenthaler's and Sarkar et al.'s bounds for any number of variables $r$ and any resiliency order $m$ such that $m \ge \frac{2r-7}{3}$ and $m > 2r-2$ (but the use of Construction I.A gives then functions with nonzero linear structures). In [217], Pasalic et al. slightly modified this more complex Tarannikov's construction into a construction that we shall call Tarannikov et al.'s construction, which permitted, when iterating it together with the construction recalled in I.A, to relax slightly the condition on $m$ into $m \ge \frac{2r-10}{3}$ and $m > 2r-2$.
Tarannikov et al.'s construction has been in its turn generalized (see [58]):

Theorem 8 Let $r$, $s$, $t$ and $m$ be positive integers such that $t < r$ and $m < s$. Let $f_1$ and $f_2$ be two $r$-variable $t$-resilient functions. Let $g_1$ and $g_2$ be two $s$-variable $m$-resilient functions. Then the function $h(x,y) = f_1(x) \oplus g_1(y) \oplus (f_1 \oplus f_2)(x)\,(g_1 \oplus g_2)(y)$, $x \in F_2^r$, $y \in F_2^s$ is an $(r+s)$-variable $(t+m+1)$-resilient function. If $f_1$ and $f_2$ are distinct and if $g_1$ and $g_2$ are distinct, then the algebraic degree of $h$ equals $\max(d^\circ f_1, d^\circ g_1, d^\circ(f_1 \oplus f_2) + d^\circ(g_1 \oplus g_2))$; otherwise, it equals $\max(d^\circ f_1, d^\circ g_1)$. The Walsh transform of $h$ takes value
$$\hat h_\chi(a,b) = \frac{1}{2}\widehat{f_1}_\chi(a)\left[\widehat{g_1}_\chi(b) + \widehat{g_2}_\chi(b)\right] + \frac{1}{2}\widehat{f_2}_\chi(a)\left[\widehat{g_1}_\chi(b) - \widehat{g_2}_\chi(b)\right]. \quad (60)$$
If the Walsh transforms of $f_1$ and $f_2$ have disjoint supports and if the Walsh transforms of $g_1$ and $g_2$ have disjoint supports, then
$$N_h = \min_{i,j \in \{1,2\}} \left(2^{r+s-2} + 2^{r-1} N_{g_j} + 2^{s-1} N_{f_i} - N_{f_i} N_{g_j}\right). \quad (61)$$
In particular, if $f_1$ and $f_2$ are two $(r, t, -, 2^{r-1} - 2^{t+1})$ functions with disjoint Walsh supports, if $g_1$ and $g_2$ are two $(s, m, -, 2^{s-1} - 2^{m+1})$ functions with disjoint Walsh supports, and if $f_1 + f_2$ has degree $r-t-1$ and $g_1 + g_2$ has degree $s-m-1$, then $h$ is an $(r+s, t+m+1, r+s-t-m-2, 2^{r+s-1} - 2^{t+m+2})$ function, and thus achieves Siegenthaler's and Sarkar et al.'s bounds.

Note that the function $h$, defined this way, is the concatenation of the four functions $f_1$, $f_1 \oplus 1$, $f_2$ and $f_2 \oplus 1$, in an order controlled by $g_1(y)$ and $g_2(y)$. The proof of this theorem and examples of such pairs $(f_1, f_2)$ (or $(g_1, g_2)$) can be found in [58].
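The constructions I.A, I.B, II, III and Theorem 8 above can be checked on small truth tables by computing the Walsh transform directly. The following Python is an added example, not code from the chapter: the inputs F and G (two 1-resilient affine functions on $F_2^3$ whose Walsh transforms have disjoint supports) are constructed here, and Relation (60) is evaluated from the component transforms for comparison with the transform of the constructed function.

```python
"""Secondary constructions I.A, I.B, II, III and Theorem 8, checked on truth
tables.  Added example, not the chapter's code.  A truth table is a list of
2^n bits; variable x_i is bit i-1 of the index, so x is the low-order block."""

def walsh(tt):
    """W[a] = sum_x (-1)^(f(x) xor a.x), by the fast Walsh-Hadamard butterfly."""
    w = [1 - 2 * v for v in tt]                      # (-1)^f(x)
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
        h *= 2
    return w

def anf(tt):
    """Moebius transform: ANF coefficient of x^I, the set I read as a bit mask."""
    a = list(tt)
    h = 1
    while h < len(a):
        for i in range(0, len(a), 2 * h):
            for j in range(i, i + h):
                a[j + h] ^= a[j]
        h *= 2
    return a

def degree(tt):
    return max((bin(i).count("1") for i, c in enumerate(anf(tt)) if c), default=0)

def nonlinearity(tt):
    return len(tt) // 2 - max(abs(v) for v in walsh(tt)) // 2

def resiliency(tt):
    """Largest m with W[a] = 0 for every a of weight <= m; -1 if not balanced."""
    w = walsh(tt)
    for m in range(len(tt).bit_length()):
        if any(w[a] for a in range(len(tt)) if bin(a).count("1") == m):
            return m - 1
    return len(tt).bit_length() - 1

def linear_structures(tt):
    """Nonzero a such that the derivative D_a f is constant."""
    return [a for a in range(1, len(tt))
            if len({tt[x] ^ tt[x ^ a] for x in range(len(tt))}) == 1]

def profile(tt):
    """(n, m, d, N): variables, resiliency order, algebraic degree, nonlinearity."""
    return (len(tt).bit_length() - 1, resiliency(tt), degree(tt), nonlinearity(tt))

def table(n, fn):
    """Truth table of fn(x_1, ..., x_n)."""
    return [fn(*[(x >> i) & 1 for i in range(n)]) for x in range(1 << n)]

def direct_sum(f, g):
    """I.B: h(x, y) = f(x) xor g(y); with g = [0, 1] this is I.A (adding x_{r+1})."""
    return [fx ^ gy for gy in g for fx in f]

def siegenthaler(f, g):
    """II: h = (x_{r+1} xor 1) f xor x_{r+1} g, i.e. the two truth tables concatenated."""
    return list(f) + list(g)

def tarannikov(g):
    """III: h(x_1..x_r, x_{r+1}) = x_{r+1} xor g(x_1, .., x_{r-1}, x_r xor x_{r+1})."""
    r = len(g).bit_length() - 1
    h = []
    for x in range(2 << r):                          # r + 1 input bits
        x_r, x_r1 = (x >> (r - 1)) & 1, (x >> r) & 1
        inner = (x & ((1 << (r - 1)) - 1)) | ((x_r ^ x_r1) << (r - 1))
        h.append(x_r1 ^ g[inner])
    return h

def theorem8(f1, f2, g1, g2):
    """h(x, y) = f1(x) xor g1(y) xor (f1 xor f2)(x) (g1 xor g2)(y)."""
    return [f1[x] ^ g1[y] ^ ((f1[x] ^ f2[x]) & (g1[y] ^ g2[y]))
            for y in range(len(g1)) for x in range(len(f1))]

def walsh_theorem8(f1, f2, g1, g2):
    """Relation (60), evaluated from the four component transforms."""
    F1, F2, G1, G2 = (walsh(t) for t in (f1, f2, g1, g2))
    return [(F1[a] * (G1[b] + G2[b]) + F2[a] * (G1[b] - G2[b])) // 2
            for b in range(len(g1)) for a in range(len(f1))]

# Constructed inputs: two 1-resilient affine functions on F_2^3 whose Walsh
# transforms are supported on (1,1,0) and (0,1,1) respectively (disjoint).
F = table(3, lambda x1, x2, x3: x1 ^ x2)
G = table(3, lambda x1, x2, x3: x2 ^ x3)

def demo():
    """Profiles of the functions built from F and G by II, then I.A, III and Theorem 8."""
    h = siegenthaler(F, G)                 # (4, 1, 2, 4): Siegenthaler and Sarkar bounds met
    return (profile(h),
            profile(direct_sum(h, [0, 1])),  # I.A: (5, 2, 2, 8), linear structure (0,0,0,0,1)
            profile(tarannikov(h)),          # III: (5, 2, 2, 8), linear structure (0,0,0,1,1)
            profile(theorem8(F, G, F, G)))   # (6, 3, 2, 16) = (r+s, t+m+1, r+s-t-m-2, 2^5-2^4)
```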

IV. Let $g$ and $h$ be two Boolean functions on $F_2^n$ with disjoint supports and let $f$ be equal to $g \oplus h = g + h$. Then, $f$ is balanced if and only if $w_H(g) + w_H(h) = 2^{n-1}$. We assume now that this condition is satisfied. By linearity of the Fourier transform, we have: $\hat f = \hat g + \hat h$. Thus, if $g$ and $h$ are $m$-th order correlation-immune, then $f$ is $m$-resilient. For every nonzero $a \in F_2^n$, we have $|\hat f_\chi(a)| = 2|\hat f(a)| \le 2|\hat g(a)| + 2|\hat h(a)| = |\hat g_\chi(a)| + |\hat h_\chi(a)|$. Thus, $NL(f) \ge NL(g) + NL(h) - 2^{n-1}$. The algebraic degree of $f$ is upper bounded by (and can be equal to) the maximum of the algebraic degrees of $g$ and $h$.

V. Most of the secondary constructions of bent functions described in Section 6.4 can be altered into constructions of correlation-immune and resilient functions, see [49].

VI. Proposition 26 leads to the following construction:

Corollary 5 Let $n$ be any positive integer and $k$ any non-negative integer such that $k \le n$. Let $f_1$, $f_2$ and $f_3$ be three $k$-th order correlation immune (resp. $k$-resilient) functions. Then the function $s_1 = f_1 \oplus f_2 \oplus f_3$ is $k$-th order correlation immune (resp. $k$-resilient) if and only if the function $s_2 = f_1 f_2 \oplus f_1 f_3 \oplus f_2 f_3$ is $k$-th order correlation immune (resp. $k$-resilient).

Proof. Relation (45) and the fact that, for every (nonzero) vector $a$ of weight at most $k$, we have $\widehat{f_i}_\chi(a) = 0$ for $i = 1, 2, 3$ imply that $\widehat{s_1}_\chi(a) = 0$ if and only if $\widehat{s_2}_\chi(a) = 0$. $\Box$

Note that this secondary construction is suited to achieving high algebraic immunity with $s_2$, given functions with lower algebraic immunities $f_1$, $f_2$, $f_3$ and $s_1$, since the support of $s_2$ can be made more complex than those of these functions. This is done without changing the number of variables and keeping similar resiliency order and nonlinearity.

More on the resilient functions, achieving high nonlinearities, and constructed by using, among others, the secondary constructions above (as well as algorithmic methods) can be found in [163, 216].

7.4 On the number of resilient functions


It is important to ensure that the selected criteria for the Boolean functions,
supposed to be used in some cryptosystems, do not restrict the choice of the
functions too severely. Hence, the set of functions should be enumerated.

But this enumeration is unknown for most criteria, and the case of resilient functions is not an exception in this matter. We recall below what is known.
As for bent functions, the class of balanced or resilient functions produced by Maiorana-McFarland's construction is by far the widest class, compared to the classes obtained from the other usual constructions, and the number of provably balanced or resilient Maiorana-McFarland's functions seems negligible with respect to the total number of functions with the same properties. For balanced functions, this can be checked: for every positive $r$, the number of balanced Maiorana-McFarland's functions (54) obtained by choosing $\phi$ such that $\phi(y) \ne 0$, for every $y$, equals $(2^{r+1} - 2)^{2^s}$, and is smaller than or equal to $2^{2^{n-1}}$ (since $r \ge 1$). It is quite negligible with respect to the number $\binom{2^n}{2^{n-1}} \approx \frac{2^{2^n + \frac{1}{2}}}{\sqrt{\pi 2^n}}$ of all balanced functions on $F_2^n$. The number of $k$-resilient Maiorana-McFarland's functions obtained by choosing $\phi$ such that $w_H(\phi(y)) > k$ for every $y$ equals $\left[2\sum_{i=k+1}^{r} \binom{r}{i}\right]^{2^{n-r}}$, and is probably also very small compared to the number of all $k$-resilient functions. But this number is unknown.
The exact numbers of $m$-resilient functions are known for $m \ge n-3$ (see [25], where $(n-3)$-resilient functions are characterized) and $(n-4)$-resilient functions have been partially characterized [63]. Asymptotic formulae for the numbers of $k$-resilient and $k$-th order correlation-immune functions, where $k = o(\sqrt{n})$, were given by O. Denisov in [101]. Also, Y. Tarannikov and D. Kirienko showed in [255] that, for every positive integer $k$, there exists a number $p(k)$ such that any $(n-k)$-resilient function $f(x_1, \dots, x_n)$ is equivalent, up to permutation of its input coordinates, to a function of the form $g(x_1, \dots, x_{p(k)}) \oplus x_{p(k)+1} \oplus \dots \oplus x_n$. It is then a simple matter to deduce that the number of $(n-k)$-resilient functions is at most $A_k n^{p(k)}$, where $A_k$ depends on $k$ only. It is proved in [256] that $3 \cdot 2^{k-2} \le p(k) \le (k-1)2^{k-2}$ and in [255] that $p(4) = 10$.
In 1990, Yang and Guo published the first upper bound on first-order correlation-immune (and thus on resilient) functions. Park, Lee, Sung and Kim [219] proceeded further and improved upon Yang-Guo's bound. In 1995, Schneider [239] used a new idea to improve upon previous bounds and to generalize them to every $m$. He proved that the number of $m$-resilient $n$-variable Boolean functions is less than:
$$\prod_{i=1}^{n-m} \binom{2^i}{2^{i-1}}^{\binom{n-i-1}{m-1}}.$$

He also obtained bounds for the number of $m$-th order correlation-immune functions. A general upper bound on the number of Boolean functions whose distances to affine functions are all divisible by $2^m$ has been obtained in [75]. It implies an upper bound on the number of $m$-resilient functions which improves upon Schneider's bound for about half the values of $(n, m)$ (it is better for $m$ large). This bound divides the naive bound $2^{\sum_{i=0}^{n-m-1} \binom{n}{i}}$ by approximately $2^{\sum_{i=0}^{n-m-1} \binom{m-1}{i} - 1}$ if $m \ge n/2$ and by approximately $2^{2^{m+1} - 1}$ if $m < n/2$.
An upper bound on $m$-resilient functions ($m \ge n/2 - 1$) improving upon Schneider's bound and partially improving upon this latter bound was obtained for $n/2 - 1 \le m < n-2$ in [70]: the number of $n$-variable $m$-resilient functions is lower than:
$$2^{\sum_{i=0}^{n-m-2} \binom{n}{i} + \frac{\binom{n}{m+1}}{2(n-m-1)+1}} \prod_{i=1}^{n-m-1} \binom{2^i}{2^{i-1}}^{\binom{n-i-1}{m-1}}.$$
The expressions of these bounds seem difficult to compare mathematically. Tables have been computed in [70].

8 Functions satisfying the strict avalanche and propagation criteria

In this section, we are interested in the functions (and more particularly, in the balanced functions) which achieve $PC(l)$ for some $l < n$ (the functions achieving $PC(n)$ are the bent functions and they cannot be balanced).

8.1 PC(l) criterion

It is shown in [51, 52, 130] that, if $n$ is even, then $PC(n-2)$ implies $PC(n)$; so we can find balanced $n$-variable $PC(l)$ functions for $n$ even only if $l \le n-3$. For odd $n \ge 3$, it is also known that the functions which satisfy $PC(n-1)$ are those functions of the form $g(x_1 \oplus x_n, \dots, x_{n-1} \oplus x_n) \oplus \ell(x)$, where $g$ is bent and $\ell$ is affine, and that the $PC(n-2)$ functions are those functions of a similar form, but where, for at most one index $i$, the term $x_i \oplus x_n$ may be replaced by $x_i$ or by $x_n$ (other equivalent characterizations exist [52]). The only known upper bound on the degrees of $PC(l)$ functions is $n-1$.
A lower bound on the nonlinearity of functions satisfying the propagation criterion exists [266] and can be very easily proved: if there exists an $l$-dimensional subspace $F$ such that, for every nonzero $a \in F$, the derivative $D_a f$ is balanced, then $NL(f) \ge 2^{n-1} - 2^{n - \frac{l}{2} - 1}$; Relation (24), applied to any $a \in F_2^n$, with $b = 0$ and $E = F^\perp$, shows indeed that every value $\hat f_\chi^2(u)$ is upper bounded by $2^{2n-l}$; it implies that $PC(l)$ functions have nonlinearities lower bounded by $2^{n-1} - 2^{n - \frac{l}{2} - 1}$. Equality can occur only if $l = n-1$ ($n$ odd) and $l = n$ ($n$ even).
The maximum correlation of Boolean functions satisfying $PC(l)$ (and in particular, of bent functions) can be directly deduced from Relations (35) and (24), see [28, 29].

8.1.1 Characterizations

There exist characterizations of the propagation criterion. A first obvious one is that, according to Relation (21), $f$ satisfies $PC(l)$ if and only if $\sum_{u \in F_2^n} (-1)^{a \cdot u} \hat f_\chi^2(u) = 0$ for every nonzero vector $a$ of weight at most $l$. A second one is:

Proposition 34 [52] Any $n$-variable Boolean function $f$ satisfies $PC(l)$ if and only if, for every vector $u$ of weight at least $n-l$, and every vector $v$:
$$\sum_{w \preceq u} \hat f_\chi^2(w + v) = 2^{n + w_H(u)}.$$

This is a direct consequence of Relation (24). A third characterization is given at Subsection 8.2 below (apply it to $k = 0$).

8.1.2 Constructions

Maiorana-McFarland's construction can be used to produce functions satisfying the propagation criterion: the derivative $D_{(a,b)}(x,y)$ of a function of the form (54) being equal to $x \cdot D_b\phi(y) \oplus a \cdot \phi(y + b) \oplus D_b g(y)$, the function satisfies $PC(l)$ under the sufficient condition that:
1. for every nonzero $b \in F_2^s$ of weight smaller than or equal to $l$, and every vector $y \in F_2^s$, the vector $D_b\phi(y)$ is nonzero (or equivalently every set $\phi^{-1}(u)$, $u \in F_2^r$, either is empty or is a singleton or has minimum distance strictly greater than $l$);
2. every linear combination of at least one and at most $l$ coordinate functions of $\phi$ is balanced.
Constructions of such functions have been given in [51, 52, 167].
According to Proposition 34, Dobbertin's construction cannot produce functions satisfying $PC(l)$ with $l \ge n/2$. Indeed, if $u$ is for instance the vector with $n/2$ first coordinates equal to 0, and with $n/2$ last coordinates equal to 1, we have, according to Relation (59): $\hat h_\chi^2(w) = 0$ for every $w \preceq u$.
8.2 PC(l) of order k and EPC(l) of order k criteria

According to the characterization of resilient functions and to the definitions of $PC$ and $EPC$ criteria, we have:

Proposition 35 [225] A function $f$ satisfies $EPC(l)$ (resp. $PC(l)$) of order $k$ if and only if, for any word $a$ of Hamming weight smaller than or equal to $l$ and any word $b$ of Hamming weight smaller than or equal to $k$, if $(a, b) \ne (0, 0)$ (resp. if $(a, b) \ne (0, 0)$ and if $a$ and $b$ have disjoint supports) then:
$$\sum_{x \in F_2^n} (-1)^{f(x) \oplus f(x + a) \oplus b \cdot x} = 0.$$
A recent paper [228] gives the following characterization:

Proposition 36 Any $n$-variable Boolean function $f$ satisfies $EPC(l)$ (resp. $PC(l)$) of order $k$ if and only if, for every vector $u$ of weight at least $n-l$, and every vector $v$ of weight at least $n-k$ (resp. of weight at least $n-k$ and such that $v$ and $u$ have disjoint supports):
$$\sum_{w \preceq u} \hat f_\chi(w)\, \hat g_\chi(w) = 2^{w_H(u) + w_H(v)},$$
where $g$ is the restriction of $f$ to the vector space $\{x \in F_2^n \mid x \preceq v\}$.

This can be proved by applying Poisson summation formula (14) to the function $(a, b) \mapsto \widehat{D_a f}_\chi(b)$.
Preneel showed in [223] that $SAC(k)$ functions have algebraic degrees at most $n-k-1$ (indeed, all of their restrictions have degrees at most $n-k-1$). In [184], the criterion $SAC(n-3)$ was characterized through the ANF of the function, and its properties were further studied. A construction of $PC(l)$ of order $k$ functions based on Maiorana-McFarland's method is given in [167] (the mapping $\phi$ being linear and constructed from linear codes) and generalized in [51, 52] (the mapping $\phi$ being not linear and constructed from nonlinear codes). A construction of $n$-variable balanced functions satisfying $SAC(k)$ and having degree $n-k-1$ is given, for $n-k-1$ odd, in [167] and, for $n-k-1$ even, in [235] (where balancedness and nonlinearity are conjointly considered).
It is shown in [52] that, for every positive even $l \le n-4$ (with $n \ge 6$) and every odd $l$ such that $5 \le l \le n-5$ (with $n \ge 10$), the functions which satisfy $PC(l)$ of order $n-l-2$ are the functions of the form:
$$\bigoplus_{1 \le i < j \le n} x_i x_j \oplus h(x_1, \dots, x_n)$$
where $h$ is affine.

9 Symmetric functions

A Boolean function is called a symmetric function if it is invariant under the action of the symmetric group (i.e. if its output is invariant under permutation of its input bits). Its output then depends only on the Hamming weight of the input. So, in other words, $f$ is symmetric if and only if there exists a function $f^\#$ from $\{0, 1, \dots, n\}$ to $F_2$ such that $f(x) = f^\#(w_H(x))$.
Such functions are of some interest to cryptography, as they allow nonlinear functions on large numbers of variables to be implemented efficiently. Let us consider for example an LFSR filtered by a 63-variable symmetric function $f$, whose input is the content of an interval of 63 consecutive flip-flops of the LFSR. This device may be implemented with a cost similar to that of a 6-variable Boolean function, thanks to a 6-bit counter calculating the weight of the input to $f$ (this counter is incremented if a 1 is shifted in the interval and decremented if a 1 is shifted out). However, the pseudo-random sequence obtained this way has correlation with transitions (sums of consecutive bits), and it is not clear whether a balance, between the advantage of allowing many more variables and the cryptographic weaknesses these symmetric functions may introduce, can be found in more sophisticated devices.

9.1 Representation

Let $r = 0, \dots, n$ and let $\varphi_r$ be the Boolean function whose support is the set of all words of weight $r$ in $F_2^n$. Then, according to Relation (5), the coefficient of $x^I$, $I \in \mathcal{P}(N)$, in the NNF of $\varphi_r$ is:
$$\lambda_I = (-1)^{|I| - r} \binom{|I|}{r}. \quad (62)$$
Note that the coefficient $a_I$ of $x^I$ in the ANF of $\varphi_r$ then equals 1 if and only if $\binom{|I|}{r}$ is odd, that is, according to Lucas' theorem [187], if and only if the binary expansion of $r$ is covered by the binary expansion of $|I|$.
The symmetric function $f$ being equal to $\sum_{r=0}^{n} f^\#(r)\, \varphi_r$, its NNF is easy to compute. It can also be written in the form $\sum_{i=0}^{n} c_i\, \sigma_i(x)$ where $c_i \in \mathbb{Z}$ and $\sigma_i(x)$ is the $i$-th elementary symmetric pseudo-Boolean function whose NNF is $\sum_{I \in \mathcal{P}(N) / |I| = i} x^I$. Hence, $\sigma_i(x)$ equals 1 if and only if $\binom{w_H(x)}{i}$ is odd, that is, according to Lucas' theorem again, if and only if the binary expansion of $i$ is covered by $x$. Notice that the degree of the NNF of $\sigma_i$ being equal to $i$, the degree of the NNF of $\sum_{i=0}^{n} c_i\, \sigma_i(x)$ equals $\max\{i / c_i \ne 0\}$. We have clearly $\sigma_i(x) = \binom{w_H(x)}{i} = \frac{w_H(x)\,(w_H(x) - 1) \cdots (w_H(x) - i + 1)}{i!}$. We see that $f^\#$ admits the polynomial representation $\sum_{i=0}^{n} c_i \binom{j}{i} = \sum_{i=0}^{n} c_i\, \frac{j (j-1) \cdots (j-i+1)}{i!}$ in one variable $j$ over $\mathbb{Z}$, whose degree equals the degree of the NNF of $f$. Since this degree is at most $n$, and the values taken by this polynomial at $n+1$ points are set, this polynomial representation is unique.

Note that a symmetric function $f$ has degree 1 if and only if the function $f^\#(r)$ equals $r \bmod 2$ or $r + 1 \bmod 2$, and that it is quadratic if and only if the function $f^\#(r)$ equals $\binom{r}{2} \bmod 2$ or $\binom{r}{2} + r \bmod 2$ or $\binom{r}{2} + 1 \bmod 2$ or $\binom{r}{2} + r + 1 \bmod 2$, that is, satisfies $f^\#(r + 2) = f^\#(r) \oplus 1$.


It has been proved in [40] that the algebraic degree of a symmetric function $f$ is at most $2^t - 1$, for some positive integer $t$, if and only if the sequence $(f^\#(r))_{r \ge 0}$ is periodic with period $2^t$. It is not clear whether this is a greater advantage for the designer of a cryptosystem using such a symmetric function $f$ (since, to compute the image of a vector $x$ by $f$, it is enough to compute the number of nonzero coordinates $x_1, \dots, x_t$ only) or for the attacker.

9.2 Fourier and Walsh transforms

Since the functions $\varphi_r$ have disjoint supports, the Fourier transform of any symmetric function $\sum_{r=0}^{n} f^\#(r)\, \varphi_r$ equals $\sum_{r=0}^{n} f^\#(r)\, \widehat{\varphi_r}$.
For every vector $a \in F_2^n$, denoting by $\ell$ the Hamming weight of $a$, we have
$$\widehat{\varphi_r}(a) = \sum_{x \in F_2^n \mid w_H(x) = r} (-1)^{a \cdot x} = \sum_{j=0}^{n} (-1)^j \binom{\ell}{j} \binom{n - \ell}{r - j}.$$
The polynomials $K_{n,r}(X) = \sum_{j=0}^{n} (-1)^j \binom{X}{j} \binom{n - X}{r - j}$ are called Krawtchouk polynomials. They are characterized by their generating series:
$$\sum_{r=0}^{n} K_{n,r}(\ell)\, z^r = (1 - z)^\ell (1 + z)^{n - \ell}.$$
From the Fourier transform, we can deduce the Walsh transform thanks to Relation (9).

9.3 Nonlinearity

If $n$ is even, then the restriction of every symmetric function $f$ on $F_2^n$ to the $n/2$-dimensional flat:
$$A = \{(x_1, \dots, x_n) \in F_2^n;\ x_{i + n/2} = x_i \oplus 1,\ \forall i \le n/2\}$$
is constant, since all the elements of $A$ have the same weight $n/2$. Thus, $f$ is $n/2$-normal$^{33}$ (see Definition 3). But Relation (37) gives nothing more than the covering radius bound (32). The symmetric functions which achieve this bound, i.e. which are bent, have been first characterized by P. Savicky in [238]: the bent symmetric functions are the function $f_1(x) = \bigoplus_{1 \le i < j \le n} x_i x_j$ (introduced to generate the Kerdock code), and the functions $f_2(x) = f_1(x) \oplus 1$, $f_3(x) = f_1(x) \oplus x_1 \oplus \dots \oplus x_n$ and $f_4(x) = f_3(x) \oplus 1$. A stronger result can be proved in a very simple way [121]:

Theorem 9 For every positive even $n$, the $PC(2)$ $n$-variable symmetric functions are the functions $f_1$, $f_2$, $f_3$ and $f_4$ above.

Proof. Let $f$ be any $PC(2)$ $n$-variable symmetric function and let $i < j$ be two indices in the range $[1; n]$. Let us denote by $x'$ the following vector: $x' = (x_1, \dots, x_{i-1}, x_{i+1}, \dots, x_{j-1}, x_{j+1}, \dots, x_n)$. Since $f(x)$ is symmetric, it has the form $x_i x_j\, g(x') \oplus (x_i \oplus x_j)\, h(x') \oplus k(x')$. Let us denote by $e_{i,j}$ the vector of weight 2 whose nonzero coordinates stand at positions $i$ and $j$. The derivative $D_{e_{i,j}} f$ of $f$ with respect to $e_{i,j}$ equals $(x_i \oplus x_j \oplus 1)\, g(x')$. Since this derivative is balanced, by hypothesis, then $g$ must be equal to the constant function 1. Hence, the degree-2 part of the ANF of $f$ equals $\bigoplus_{1 \le i < j \le n} x_i x_j$. $\Box$
Some more results on the propagation criterion for symmetric functions can be found in [40].

If $n$ is odd, then the restriction of any symmetric function $f$ to the $\frac{n+1}{2}$-dimensional flat
$$A = \{(x_1, \dots, x_n) \in F_2^n;\ x_{i + \frac{n-1}{2}} = x_i \oplus 1,\ \forall i \le n/2\}$$
is affine, since the weight function $w_H$ is constant on the hyperplane of $A$ of equation $x_n = 0$ and on its complement$^{34}$. Thus, $f$ is $\frac{n+1}{2}$-weakly-normal. According to Relation (37), this implies that its nonlinearity is upper bounded by $2^{n-1} - 2^{\frac{n-1}{2}}$. It also permits to show [57] that the only symmetric functions achieving this bound are the same as the 4 functions $f_1$, $f_2$, $f_3$ and $f_4$ above, but with $n$ odd (this has been first proved by Maitra and Sarkar [193], in a more complex way). Indeed, Relation (37) implies the following result:

$^{33}$ This is more generally valid for every function which is constant on the set $\{x \in F_2^n;\ w_H(x) = n/2\}$.

Theorem 10 [57] Let $n$ be any positive integer and let $f$ be any symmetric function on $F_2^n$. Let $l$ be any integer satisfying $0 < l \le n/2$. Denote by $h_l$ the symmetric Boolean function on $n - 2l$ variables defined by $h_l(y_1, \dots, y_{n-2l}) = f(x_1, \dots, x_l, x_1 \oplus 1, \dots, x_l \oplus 1, y_1, \dots, y_{n-2l})$, where the values of $x_1, \dots, x_l$ are arbitrary (equivalently, $h_l$ can be defined by $h_l^\#(r) = f^\#(r + l)$, for every $0 \le r \le n - 2l$). Then $NL(f) \le 2^{n-1} - 2^{n-l-1} + 2^l\, NL(h_l)$.

Proof: Let $A = \{(x_1, \dots, x_n) \in F_2^n \mid x_{i+l} = x_i \oplus 1,\ \forall i \le l\}$. For every element $x \in A$, we have $f(x) = h_l(x_{2l+1}, \dots, x_n)$. Let us consider the restriction $g$ of $f$ to $A$ as a Boolean function on $F_2^{n-l}$, say $g(x_1, \dots, x_l, x_{2l+1}, \dots, x_n)$. Then, since $g(x_1, \dots, x_l, x_{2l+1}, \dots, x_n) = h_l(x_{2l+1}, \dots, x_n)$, $g$ has nonlinearity $2^l\, NL(h_l)$. According to Relation (37) applied with $h_a = g$, we have $NL(f) \le 2^{n-1} - 2^{n-l-1} + 2^l\, NL(h_l)$. $\Box$
Then, the characterizations recalled above of those symmetric functions achieving best possible nonlinearity can be straightforwardly deduced. Note that these characterizations imply that, if $f$ is symmetric and not quadratic, then $NL(f) \le 2^{n-1} - 2^{\lfloor \frac{n-1}{2} \rfloor} - 1$. Moreover, if additionally $f$ has degree strictly smaller than $n$, then $NL(f) \le 2^{n-1} - 2^{\lfloor \frac{n-1}{2} \rfloor} - 2$ (indeed, since we have necessarily $n \ge 3$, the number $2^{n-1} - 2^{\lfloor \frac{n-1}{2} \rfloor}$ is even, and we know that $NL(f)$ is then also even and is strictly smaller than this number). These properties applied to the function $h_l$ of Theorem 10 imply that:
- if, for some integer $l$ such that $0 \le l < \lfloor \frac{n-1}{2} \rfloor$, the nonlinearity of an $n$-variable symmetric function $f$ is strictly greater than $2^{n-1} - 2^{\lfloor \frac{n-1}{2} \rfloor} - 2^l$, then $f^\#$ satisfies $f^\#(r + 2) = f^\#(r) \oplus 1$, for all $l \le r \le n - 2 - l$ (this property has been observed in [40, Theorem 6], but proved slightly differently);
- if the nonlinearity of $f$ is strictly greater than $2^{n-1} - 2^{\lfloor \frac{n-1}{2} \rfloor} - 2^{l+1}$, then either $f^\#$ satisfies $f^\#(r + 2) = f^\#(r) \oplus 1$ for all $l \le r \le n - 2 - l$, or $h_l$ has odd weight.

$^{34}$ This is more generally valid for every function which is constant on the sets $\{x \in F_2^n;\ w_H(x) = \frac{n-1}{2}\}$ and $\{x \in F_2^n;\ w_H(x) = \frac{n+1}{2}\}$.

Further properties of the nonlinearities of symmetric functions can be found in [57].
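The representation of 9.1, the Krawtchouk computation of 9.2 and the nonlinearity and resiliency statements of 9.3 can all be checked from the string $f^\#(0), \dots, f^\#(n)$ alone, without enumerating $F_2^n$. The following Python is an added example, not code from the chapter; `quadratic_symmetric` and `parity` construct the sample $f^\#$ strings (those of $f_1$ above and of $x_1 \oplus \dots \oplus x_n$).

```python
"""Symmetric Boolean functions handled through f#: {0, ..., n} -> F_2 alone:
Walsh spectrum via Krawtchouk polynomials (9.2), nonlinearity and resiliency
(9.3).  Added example, not the chapter's code; sample f# strings constructed."""
from math import comb

def krawtchouk(n, r, ell):
    """K_{n,r}(ell) = sum_j (-1)^j C(ell, j) C(n - ell, r - j)."""
    return sum((-1) ** j * comb(ell, j) * comb(n - ell, r - j)
               for j in range(min(r, ell) + 1))

def krawtchouk_from_series(n, ell):
    """[K_{n,0}(ell), ..., K_{n,n}(ell)] read off the generating series
    (1 - z)^ell (1 + z)^(n - ell), multiplied out one linear factor at a time."""
    poly = [1]
    for factor in [(1, -1)] * ell + [(1, 1)] * (n - ell):
        poly = [sum(poly[i - k] * factor[k] for k in (0, 1) if 0 <= i - k < len(poly))
                for i in range(len(poly) + 1)]
    return poly

def walsh_symmetric(n, fsharp):
    """W(ell) = sum_r (-1)^f#(r) K_{n,r}(ell): the Walsh transform of f at any
    vector a of weight ell, since phi_r has Fourier transform K_{n,r}(wt(a))."""
    return [sum((1 - 2 * fsharp[r]) * krawtchouk(n, r, ell) for r in range(n + 1))
            for ell in range(n + 1)]

def nonlinearity_symmetric(n, fsharp):
    return 2 ** (n - 1) - max(abs(w) for w in walsh_symmetric(n, fsharp)) // 2

def resiliency_symmetric(n, fsharp):
    """Largest m with W(ell) = 0 for all ell <= m (-1 if f is not balanced)."""
    w = walsh_symmetric(n, fsharp)
    m = -1
    while m < n and w[m + 1] == 0:
        m += 1
    return m

def is_quadratic(fsharp):
    """Criterion of 9.1: f is quadratic iff f#(r + 2) = f#(r) xor 1 for every r."""
    return all(fsharp[r + 2] == fsharp[r] ^ 1 for r in range(len(fsharp) - 2))

def quadratic_symmetric(n):
    """f# of f_1(x) = sum_{i<j} x_i x_j: on a word of weight r, f_1 counts the
    pairs of ones, so f#(r) = C(r, 2) mod 2."""
    return [comb(r, 2) % 2 for r in range(n + 1)]

def parity(n):
    """f# of x_1 xor ... xor x_n, the (n-1)-resilient symmetric function."""
    return [r % 2 for r in range(n + 1)]
```

For even n the spectrum of $f_1$ is flat (bent), and for odd n its nonlinearity equals the bound $2^{n-1} - 2^{(n-1)/2}$ of 9.3.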

9.4 Resiliency

There exists a joint conjecture on symmetric Boolean functions and on functions defined over $\{0, 1, \dots, n\}$ and valued in $F_2$: if $f$ is a non-constant symmetric Boolean function, then the degree of the polynomial representation in one variable of $f^\#$ (which equals the numerical degree of $f$) is greater than or equal to $n - 3$. It is a simple matter to show that this numerical degree is greater than or equal to $n/2$ (otherwise, the polynomial $(f^\#)^2 - f^\#$ would have degree at most $n$, and being null at $n + 1$ points, it would equal the null polynomial, a contradiction with the fact that $f$ is assumed not to be constant), but the gap between $n/2 + 1$ and $n - 3$ is open. According to Proposition 31, the conjecture is equivalent to saying that there does not exist any symmetric 3-resilient function. And proving this conjecture is also a problem on binomial coefficients since, according to Relation (62) and to the equality $f = \sum_{r=0}^{n} f^\#(r)\, \varphi_r$, the numerical degree of $f$ is upper bounded by $d$ if and only if:
$$\forall k > d,\ k \le n, \quad \sum_{r=0}^{k} (-1)^r \binom{k}{r} f^\#(r) = 0. \quad (63)$$
Hence, the conjecture is equivalent to saying that Relation (63), with $d = n - 4$, has no binary solution $f^\#(0), \dots, f^\#(n)$.
J. von zur Gathen and J. R. Roche [116] observed that all symmetric $n$-variable Boolean functions have numerical degrees greater than or equal to $n - 3$, for any $n \le 128$ (they exhibited Boolean functions with numerical degree $n - 3$; see also [120]). They proved that, if the number $m = n + 1$ is a prime, then all non-constant $n$-variable symmetric Boolean functions have numerical degree $n$ (and therefore, all non-affine $n$-variable symmetric Boolean functions are unbalanced): indeed, the binomial coefficient $\binom{n}{r}$ being congruent with $\frac{(-1)(-2) \cdots (-r)}{1 \cdot 2 \cdots r} = (-1)^r$, modulo $m$, the sum $\sum_{r=0}^{n} (-1)^r \binom{n}{r} f^\#(r)$ is congruent with $\sum_{r=0}^{n} f^\#(r)$, modulo $m$; and Relation (63) with $k = n$ implies then that $f^\#$ must be constant. Notice that, applying Relation (63) with $k = p - 1$ where $p$ is a prime less than or equal to $n + 1$, shows that the degree of any symmetric non-constant Boolean function is greater than or equal to $p - 1$, where $p$ is the largest prime less than or equal to $n + 1$ (or equivalently, no symmetric non-affine Boolean function is $(n - p + 1)$-resilient): otherwise, the string $f^\#(0), \dots, f^\#(k)$ would be constant, and $f^\#$ having degree less than or equal to $k$, the function $f^\#$, and thus $f$ itself, would be constant.
Some results on symmetric functions with sub-optimal nonlinearity and on the balancedness and resiliency of symmetric functions can be found in [40].

A super-class of symmetric functions, called idempotent or rotation sym-


metric functions, has been investigated with respect to the criteria of bent-
ness and correlation immunity (see e.g. [112, 247]).

Acknowledgement

We thank Caroline Fontaine for her careful reading of a previous draft of
this chapter.

References
[1] C.M. Adams and S.E. Tavares. Generating and Counting Binary Bent Sequences, IEEE Trans. Inf. Theory, vol 36, no. 5, pp. 1170-1173, 1990.

[2] N. Alon, O. Goldreich, J. Hastad and R. Peralta. Simple constructions of almost k-wise independent random variables. Random Structures and Algorithms, Vol 3, No 3, pp 289-304, 1992.

[3] A.S. Ambrosimov. Properties of bent functions of q-valued logic over finite fields. Discrete Math. Appl. vol 4, no. 4, pp. 341-350, 1994.

[4] F. Armknecht. Improving fast algebraic attacks. In Fast Software Encryption 2004, no. 3017 in LNCS, pp. 65-82, 2004.

[5] F. Armknecht, C. Carlet, P. Gaborit, S. Künzli, W. Meier and O. Ruatta. Efficient computation of algebraic immunity for algebraic and fast algebraic attacks. Advances in Cryptology, EUROCRYPT 2006, Lecture Notes in Computer Science 4004, pp. 147-164, 2006.

[6] E.F. Assmus. On the Reed-Muller codes. Discrete Mathematics 106/107, pp. 25-33, 1992.

[7] E.F. Assmus and J. D. Key. Designs and their Codes, Cambridge Univ.
Press., Cambridge, 1992.

[8] J. Ax. Zeroes of polynomials over finite fields. Amer. J. Math. no. 86,
pp. 255-261, 1964.

[9] T. Baignères, P. Junod and S. Vaudenay. How far can we go beyond linear cryptanalysis? Proceedings of ASIACRYPT 2002, Advances in Cryptology, LNCS 3329, pp. 432-450, 2004.

[10] B. Barak, G. Kindler, R. Shaltiel, B. Sudakov and A. Wigderson. Simulating Independence: New Constructions of Condensers, Ramsey Graphs, Dispersers, and Extractors. Preprint available at http://www.math.ias.edu/~boaz/Papers/BKSSW.html

[11] E. Berlekamp. Algebraic Coding Theory, McGraw-Hill, New York, 1968.

[12] E.R. Berlekamp and N.J.A. Sloane. Restrictions on the weight distributions of the Reed-Muller codes. Information and Control 14, pp. 442-446, 1969.

[13] E.R. Berlekamp and L.R. Welch. Weight distributions of the cosets of the (32,6) Reed-Muller code. IEEE Trans. Inform. Theory, 18(1), pp. 203-207, 1972.

[14] A. Bernasconi and B. Codenotti. Spectral analysis of Boolean functions as a graph eigenvalue problem. IEEE Transactions on Computers 48 (3), pp. 345-351, 1999.

[15] A. Bernasconi and I. Shparlinski. Circuit complexity of testing square-free numbers. Proc. of STACS 99, 16th Annual Symposium on Theoretical Aspects of Computer Science, 1999, Lecture Notes in Computer Science 1563, Springer, pp. 47-56, 1999.

[16] J. Bierbrauer, K. Gopalakrishnan and D.R. Stinson. Bounds for resilient functions and orthogonal arrays. Advances in Cryptology - CRYPTO'94, Lecture Notes in Computer Science 839, pp. 247-256, 1994.

[17] Y. Borissov, N. Manev and S. Nikova. On the non-minimal codewords of weight 2dmin in the binary Reed-Muller code. Proceedings of the Workshop on Coding and Cryptography 2001, published by Electronic Notes in Discrete Mathematics, Elsevier, vol. 6, pp. 103-110, 2001.

[18] J. Bourgain. On the construction of affine extractors. Preprint 2005.

[19] A. Braeken, V. Nikov, S. Nikova and B. Preneel. On Boolean functions with generalized cryptographic properties. Proceedings of INDOCRYPT'2004, Lecture Notes in Computer Science 3348, pp. 120-135, 2004.

[20] E. Brier and P. Langevin. Classification of cubic Boolean functions of 9 variables. Proceedings of 2003 IEEE Information Theory Workshop, Paris, France, 2003.

[21] R. A. Brualdi, N. Cai and V. S. Pless. Orphans of the first order Reed-Muller codes. IEEE Transactions on Information Theory 36, pp. 399-401, 1990.

[22] P. Camion and A. Canteaut. Construction of t-resilient functions over a finite alphabet, Advances in Cryptology, EUROCRYPT'96, Lecture Notes in Computer Science, Springer Verlag no. 1070, pp. 283-293, 1996.

[23] P. Camion and A. Canteaut. Generalization of Siegenthaler inequality and Schnorr-Vaudenay multipermutations. Advances in Cryptology - CRYPTO'96, Lecture Notes in Computer Science no. 1109, pp. 372-386, Springer-Verlag, 1996.

[24] P. Camion and A. Canteaut. Correlation-immune and resilient functions over finite alphabets and their applications in cryptography. Designs, Codes and Cryptography 16, 1999.

[25] P. Camion, C. Carlet, P. Charpin, N. Sendrier. On correlation-immune functions, Advances in Cryptology: Crypto '91, Proceedings, Lecture Notes in Computer Science, vol. 576, pp. 86-100, 1991.

[26] A. Canteaut. On the weight distributions of optimal cosets of the first-order Reed-Muller code. IEEE Transactions on Information Theory, 47(1), pp. 407-413, 2001.

[27] A. Canteaut. Cryptographic functions and design criteria for block ciphers. Progress in Cryptology - INDOCRYPT 2001, LNCS 2247, Springer-Verlag, pp. 1-16, 2001.

[28] A. Canteaut. Approximations of nonlinear combining functions in stream ciphers. Preprint, 2002.

[29] A. Canteaut. On the correlations between a combining function and functions of fewer variables. Proceedings of the Information Theory Workshop'02, Bangalore, 2002.

[30] A. Canteaut. Open problems related to algebraic attacks on stream ciphers. Proceedings of WCC 2005, pp. 1-10, 2005.

[31] A. Canteaut. Analysis and design of symmetric ciphers. Habilitation for directing Theses, University of Paris 6, 2006.

[32] A. Canteaut, C. Carlet, P. Charpin and C. Fontaine. Propagation characteristics and correlation-immunity of highly nonlinear Boolean functions. Proceedings of EUROCRYPT'2000, Advances in Cryptology, Lecture Notes in Computer Science n 187, pp. 507-522 (2000)

[33] A. Canteaut, C. Carlet, P. Charpin and C. Fontaine. On cryptographic properties of the cosets of R(1, m). IEEE Transactions on Information Theory vol. 47, no 4, pp. 1494-1513, 2001.

[34] A. Canteaut and P. Charpin. Decomposing bent functions. In Proceedings 2002 IEEE International Symposium on Information Theory, Lausanne, 2002. And IEEE Transactions on Information Theory 49, pp. 2004-2019, 2003.

[35] A. Canteaut, P. Charpin and G. Kyureghyan. A new class of monomial bent functions. Proceedings of the 2006 IEEE International Symposium on Information Theory - ISIT 2006, Seattle, USA, 2006.

[36] A. Canteaut, M. Daum, H. Dobbertin and G. Leander. Normal and Non-Normal Bent Functions. Proceedings of the Workshop on Coding and Cryptography 2003, pp. 91-100, 2003.

[37] A. Canteaut and E. Filiol. Ciphertext only reconstruction of stream ciphers based on combination generators. In Fast Software Encryption 2000, no. 1978 in LNCS, pp. 165-180. Springer-Verlag, 2001.

[38] A. Canteaut and M. Trabbia. Improved fast correlation attacks using parity-check equations of weight 4 and 5, Advances in Cryptology - EUROCRYPT 2000. Lecture Notes in Computer Science 1807, pp. 573-588, 2000.

[39] A. Canteaut and M. Videau. Degree of Composition of Highly Nonlinear Functions and Applications to Higher Order Differential Cryptanalysis, Advances in Cryptology, EUROCRYPT 2002, Lecture Notes in Computer Science 2332, Springer Verlag, pp. 518-533, 2002.

[40] A. Canteaut and M. Videau. Symmetric Boolean functions. IEEE Transactions on Information Theory 51(8), pp. 2791-2811, 2005.

[41] Jean Robert Du Carlet. La Cryptographie, contenant une très subtile manière descrire secrètement, composée par Maistre Jean Robert Du Carlet, 1644. A manuscript exists at the Bibliothèque Nationale (Très Grande Bibliothèque), Paris, France.

[42] C. Carlet. Codes de Reed-Muller, codes de Kerdock et de Preparata, PhD thesis, Publication of LITP, Institut Blaise Pascal, Université Paris 6, 90.59, 1990.

[43] C. Carlet. A transformation on Boolean functions, its consequences on some problems related to Reed-Muller codes, EUROCODE'90, G. Cohen, P. Charpin eds, LNCS 514, Springer Verlag, pp. 42-50, 1991.

[44] C. Carlet. Partially-bent functions, Designs Codes and Cryptography, 3, pp. 135-145 (1993) and proceedings of CRYPTO'92, Advances in Cryptology, Lecture Notes in Computer Science 740, Springer Verlag, pp. 280-291, 1993.

[45] C. Carlet. Two new classes of bent functions. In Advances in Cryptology - EUROCRYPT'93, no. 765 in Lecture Notes in Computer Science, pp. 77-101. Springer-Verlag, 1994.

[46] C. Carlet. Generalized Partial Spreads, IEEE Transactions on Information Theory, vol. 41, no. 5, pp. 1482-1487, 1995.

[47] C. Carlet. Hyper-bent functions. PRAGOCRYPT'96, Czech Technical University Publishing House, pp. 145-155, 1996.

[48] C. Carlet. A construction of bent functions. Finite Fields and Applications, London Mathematical Society, Lecture Series 233, Cambridge University Press, pp. 47-58, 1996.

[49] C. Carlet. More correlation-immune and resilient functions over Galois fields and Galois rings. Advances in Cryptology, EUROCRYPT'97, Lecture Notes in Computer Science 1233, Springer Verlag, pp. 422-433, 1997.

[50] C. Carlet. On Kerdock codes, American Mathematical Society (Proceedings of the conference Finite Fields and Applications Fq4) Contemporary Mathematics 225, pp. 155-163, 1999.

[51] C. Carlet. On the propagation criterion of degree ℓ and order k. Advances in Cryptology - EUROCRYPT'98, no. 1403 in Lecture Notes in Computer Science, pp. 462-474. Springer-Verlag, 1998.

[52] C. Carlet. On cryptographic propagation criteria for Boolean functions. Information and Computation, vol. 151, Academic Press, pp. 32-56, 1999.

[53] C. Carlet. Recent results on binary bent functions. Proceedings of the International Conference on Combinatorics, Information Theory and Statistics; Journal of Combinatorics, Information and System Sciences, Vol. 25, Nos. 1-4, pp. 133-149, 2000.

[54] C. Carlet. On the coset weight divisibility and nonlinearity of resilient and correlation-immune functions, Proceedings of SETA'01 (Sequences and their Applications 2001), Discrete Mathematics and Theoretical Computer Science, Springer, pp. 131-144, 2001.

[55] C. Carlet. A larger Class of Cryptographic Boolean Functions via a Study of the Maiorana-McFarland Construction. Advances in Cryptology - CRYPTO 2002, no. 2442 in Lecture Notes in Computer Science, pp. 549-564, 2002.

[56] C. Carlet. On the confusion and diffusion properties of Maiorana-McFarland's and extended Maiorana-McFarland's functions. Special Issue "Complexity Issues in Coding and Cryptography", dedicated to Prof. Harald Niederreiter on the occasion of his 60th birthday, Journal of Complexity 20, pp. 182-204, 2004.

[57] C. Carlet. On the degree, nonlinearity, algebraic thickness and non-normality of Boolean functions, with developments on symmetric functions. IEEE Transactions on Information Theory, vol. 50, pp. 2178-2185, 2004.

[58] C. Carlet. On the secondary constructions of resilient and bent functions. Proceedings of the Workshop on Coding, Cryptography and Combinatorics 2003, published by Birkhäuser Verlag, K. Feng, H. Niederreiter and C. Xing Eds., pp. 3-28, 2004.

[59] C. Carlet. Concatenating indicators of flats for designing cryptographic functions. Designs, Codes and Cryptography, volume 36, Number 2, pp. 189-202, 2005.

[60] C. Carlet. Partial covering sequences. Preprint.

[61] C. Carlet. On bent and highly nonlinear balanced/resilient functions and their algebraic immunities. Proceedings of AAECC 16, LNCS 3857, pp. 1-28, 2006.

[62] C. Carlet. On the higher order nonlinearities of algebraic immune functions. Advances in Cryptology - CRYPTO 2006, Lecture Notes in Computer Science 4117, pp. 584-601, 2006.

[63] C. Carlet and P. Charpin. Cubic Boolean functions with highest resiliency. IEEE Transactions on Information Theory, vol. 51, no. 2, pp. 562-571, 2005.

[64] C. Carlet, D. Dalai, K. Gupta and S. Maitra. Algebraic Immunity for Cryptographically Significant Boolean Functions: Analysis and Construction. IEEE Transactions on Information Theory, vol. 52, no. 7, pp. 3105-3121, July 2006.

[65] C. Carlet and C. Ding. Highly Nonlinear Mappings. Special Issue "Complexity Issues in Coding and Cryptography", dedicated to Prof. Harald Niederreiter on the occasion of his 60th birthday, Journal of Complexity 20, pp. 205-244, 2004.

[66] C. Carlet, H. Dobbertin and G. Leander. Normal extensions of bent functions. IEEE Transactions on Information Theory, vol. 50, no. 11, pp. 2880-2885, 2004.

[67] C. Carlet and S. Dubuc. On generalized bent and q-ary perfect nonlinear functions. D. Jungnickel and H. Niederreiter Eds. Proceedings of Finite Fields and Applications Fq5, Augsburg, Germany, Springer, pp. 81-94, 2000.

[68] C. Carlet and P. Gaborit. Hyper-bent functions and cyclic codes. To appear in the Journal of Combinatorial Theory, Series A, 2005.

[69] C. Carlet and P. Gaborit. On the construction of balanced Boolean functions with a good algebraic immunity. Proceedings of International Symposium on Information Theory, ISIT, Adelaide, Australia, 2005.

[70] C. Carlet and A. Gouget. An upper bound on the number of m-resilient Boolean functions. Proceedings of ASIACRYPT 2002, Advances in Cryptology, LNCS 2501, pp. 484-496, 2002.

[71] C. Carlet and P. Guillot. A characterization of binary bent functions, Journal of Combinatorial Theory, Series A, vol. 76, No. 2, pp. 328-335, 1996.

[72] C. Carlet and P. Guillot. An alternate characterization of the bentness of binary functions, with uniqueness, Designs, Codes and Cryptography, 14, pp. 133-140, 1998.

[73] C. Carlet and P. Guillot. A new representation of Boolean functions, Proceedings of AAECC'13, Lecture Notes in Computer Science 1719, pp. 94-103, 1999.

[74] C. Carlet and P. Guillot. Bent, resilient functions and the Numerical Normal Form. DIMACS Series in Discrete Mathematics and Theoretical Computer Science, 56, pp. 87-96, 2001.

[75] C. Carlet and A. Klapper. Upper bounds on the numbers of resilient functions and of bent functions. Springer-Verlag, Lecture Notes dedicated to Philippe Delsarte (to appear). A shorter version has appeared in the Proceedings of the 23rd Symposium on Information Theory in the Benelux, Louvain-La-Neuve, Belgium, 2002.

[76] C. Carlet and S. Mesnager. Improving the upper bounds on the covering radii of binary Reed-Muller codes. To appear in IEEE Transactions on Information Theory, 2006.

[77] C. Carlet and E. Prouff. On plateaued functions and their constructions. Proceedings of Fast Software Encryption 2003, Lecture Notes in Computer Science 2887, pp. 54-73, 2003.

[78] C. Carlet and P. Sarkar. Spectral Domain Analysis of Correlation Immune and Resilient Boolean Functions. Finite Fields and Applications 8, pp. 120-130, 2002.

[79] C. Carlet and Y. V. Tarannikov. Covering sequences of Boolean functions and their cryptographic significance. Designs, Codes and Cryptography, 25, pp. 263-279, 2002.

[80] A.H. Chan and R.A. Games. On the quadratic spans of De Bruijn sequences. IEEE Transactions on Information Theory, vol. 36, no. 4, pp. 822-829, 1990.

[81] C. Charnes, M. Rötteler and T. Beth. Homogeneous bent functions, invariants, and designs. Designs, Codes and Cryptography, 26, pp. 139-154, 2002.

[82] P. Charpin. Normal Boolean functions. Special Issue "Complexity Issues in Coding and Cryptography", dedicated to Prof. Harald Niederreiter on the occasion of his 60th birthday, Journal of Complexity 20, pp. 245-265, 2004.

[83] P. Charpin and E. Pasalic. On propagation characteristics of resilient functions. Advances in Cryptology - SAC 2002, Lecture Notes in Computer Science 2595, pp. 356-365. Springer-Verlag, 2002.

[84] S. Chee, S. Lee, K. Kim and D. Kim. Correlation immune functions with controllable nonlinearity. ETRI Journal, vol 19, no 4, pp. 389-401, 1997.

[85] S. Chee, S. Lee, D. Lee and S. H. Sung. On the correlation immune functions and their nonlinearity. Proceedings of Asiacrypt'96, LNCS 1163, pp. 232-243.

[86] B. Chor, O. Goldreich, J. Hastad, J. Friedman, S. Rudich and R. Smolensky. The bit extraction problem or t-resilient functions. Proc. 26th IEEE Symposium on Foundations of Computer Science, pp. 396-407, 1985.

[87] G. Cohen, I. Honkala, S. Litsyn and A. Lobstein. Covering codes. North-Holland, 1997.

[88] N. Courtois. Fast Algebraic Attacks on Stream Ciphers with Linear Feedback. Advances in Cryptology - CRYPTO 2003, Lecture Notes in Computer Science 2729, pp. 177-194, Springer, 2003.

[89] N. Courtois and W. Meier. Algebraic Attacks on Stream Ciphers with Linear Feedback. Advances in Cryptology - EUROCRYPT 2003, Lecture Notes in Computer Science 2656, pp. 346-359, Springer, 2002.

[90] T. W. Cusick. On constructing balanced correlation immune functions. Proceedings of SETA'98 (Sequences and their Applications 1998), Discrete Mathematics and Theoretical Computer Science, Springer, pp. 184-190, 1999.

[91] T. W. Cusick, C. Ding and A. Renvall. Stream Ciphers and Number Theory, North-Holland Mathematical Library 55. Amsterdam: North-Holland/Elsevier, 1998.

[92] D.M. Cvetkovic, M. Doob and H. Sachs. Spectra of graphs. Academic Press, 1979.

[93] D. K. Dalai, K. C. Gupta and S. Maitra. Results on Algebraic Immunity for Cryptographically Significant Boolean Functions. Indocrypt 2004, Chennai, India, December 20-22, pp. 92-106, number 3348 in Lecture Notes in Computer Science, Springer Verlag, 2004.

[94] D. K. Dalai, K. C. Gupta and S. Maitra. Cryptographically Significant Boolean functions: Construction and Analysis in terms of Algebraic Immunity. Fast Software Encryption 2005, Lecture Notes in Computer Science 3557, pp. 98-111, 2005.

[95] D. K. Dalai, S. Maitra and S. Sarkar. Basic Theory in Construction of Boolean Functions with Maximum Possible Annihilator Immunity. Designs, Codes and Cryptography, Volume 40, Number 1, pp. 41-58, July 2006. Cryptology ePrint Archive, http://eprint.iacr.org/, No. 2005/229, 15 July, 2005.

[96] M. Daum, H. Dobbertin and G. Leander. An algorithm for checking normality of Boolean functions. Proceedings of the Workshop on Coding and Cryptography 2003, pp. 133-142, 2003.

[97] M. Daum, H. Dobbertin and G. Leander. Short description of an algorithm to create bent functions. Private communication.

[98] E. Dawson and C.-K. Wu. Construction of correlation immune Boolean functions. Proceedings of ICICS 1997, pp. 170-180, 1997.

[99] P. Delsarte. An algebraic approach to the association schemes of coding theory. PhD thesis. Université Catholique de Louvain (1973)

[100] P. Delsarte. Four fundamental parameters of a code and their combinatorial significance. Information and Control, vol. 23 (5), pp. 407-438, 1973.

[101] O. Denisov. A local limit theorem for the distribution of a part of the spectrum of a random binary function. Discrete Mathematics and Applications, V. 10, No 1, pp. 87-102, 2000.

[102] F. Didier. A new upper bound on the block error probability after decoding over the erasure channel. Preprint available at http://www-rocq.inria.fr/codes/Frederic.Didier/ A revised version will appear in IEEE Transactions on Information Theory, 2006.

[103] J. Dillon. A survey of bent functions. NSA Technical Journal Special Issue, pp. 191-215, 1972.

[104] J. F. Dillon. Elementary Hadamard Difference sets. Ph. D. Thesis, Univ. of Maryland, 1974.

[105] J. F. Dillon. Elementary Hadamard Difference sets, Proc. Sixth S-E Conf. Comb. Graph Theory and Comp., F. Hoffman et al. (Eds), Winnipeg Utilitas Math, pp. 237-249, 1975.

[106] J. F. Dillon and H. Dobbertin. New cyclic difference sets with Singer parameters. Finite Fields and Their Applications 10, pp. 342-389, 2004.

[107] H. Dobbertin. Construction of bent functions and balanced Boolean functions with high nonlinearity. Fast Software Encryption, Second International Workshop, Lecture Notes in Computer Science 1008, pp. 61-74, 1995.

[108] H. Dobbertin, G. Leander, A. Canteaut, C. Carlet, P. Felke and P. Gaborit. Construction of Bent Functions via Niho Power Functions. To appear in the Journal of Combinatorial Theory, Series A, 2005.

[109] S. Dubuc. Characterization of linear structures. Designs, Codes and Cryptography vol. 22, pp. 33-45, 2001.

[110] J. H. Evertse. Linear structures in block ciphers. In Advances in Cryptology - EUROCRYPT'87, no. 304 in Lecture Notes in Computer Science, Springer Verlag, pp. 249-266, 1988.

[111] J.-C. Faugère and G. Ars. An Algebraic Cryptanalysis of Nonlinear Filter Generators using Gröbner bases. Rapport de Recherche INRIA 4739, 2003.

[112] E. Filiol and C. Fontaine. Highly nonlinear balanced Boolean functions with a good correlation-immunity. Advances in Cryptology - EUROCRYPT'98, no. 1403 in Lecture Notes in Computer Science, pp. 475-488. Springer-Verlag, 1998.

[113] C. Fontaine. On some cosets of the First-Order Reed-Muller code with high minimum weight. IEEE Trans. Inform. Theory, vol. 45 (4), pp. 1237-1243, 1999.

[114] R. Forré. The strict avalanche criterion: spectral properties of Boolean functions and an extended definition. Advances in Cryptology - CRYPTO'88, LNCS 403, Springer-Verlag, pp. 450-468, 1989.

[115] R. Forré. A fast correlation attack on nonlinearly feedforward filtered shift register sequences. Advances in Cryptology - EUROCRYPT'89, Lecture Notes in Comput. Sci. 434, pp. 586-595, Springer, 1990.

[116] J. von zur Gathen and J. R. Roche. Polynomials with two values. Combinatorica 17(3), pp. 345-362, 1997.

[117] J. Golić. Fast low order approximation of cryptographic functions. Advances in Cryptology - EUROCRYPT'96. Lecture Notes in Computer Science, LNCS 1070, pp. 268-282, 1996.

[118] J. Golić. On the security of nonlinear filter generators. Fast Software Encryption'96, Lecture Notes in Computer Science 1039, pp. 173-188, 1996.

[119] S.W. Golomb. Shift Register Sequences. Aegean Park Press, 1982.

[120] K. Gopalakrishnan, D. G. Hoffman and D. R. Stinson. A Note on a Conjecture Concerning Symmetric Resilient Functions. Information Processing Letters 47 (3), pp. 139-143, 1993.

[121] A. Gouget. On the propagation criterion of Boolean functions. Proceedings of the Workshop on Coding, Cryptography and Combinatorics 2003, published by Birkhäuser Verlag, K. Feng, H. Niederreiter and C. Xing Eds., pp. 153-168, 2004.

[122] P. Guillot. Completed GPS Covers All Bent Functions. Journal of Combinatorial Theory, Series A 93, pp. 242-260, 2001.

[123] P. Guillot. Partial bent functions. Proceedings of the World Multiconference on Systemics, Cybernetics and Informatics, SCI 2000, 2000.

[124] Xiao Guo-Zhen, C. Ding and W. Shan. The stability theory of stream ciphers, vol. LNCS 561, Springer Verlag, 1991.

[125] Xiao Guo-Zhen and J. L. Massey. A Spectral Characterization of Correlation-Immune Combining Functions. IEEE Trans. Inf. Theory, vol. IT 34, no. 3, pp. 569-571, 1988.

[126] A. R. Hammons Jr., P. V. Kumar, A. R. Calderbank, N. J. A. Sloane and P. Solé. The Z4-linearity of Kerdock, Preparata, Goethals and related codes. IEEE Transactions on Information Theory, vol. 40, pp. 301-319, 1994.

[127] T. Helleseth, T. Kløve, and J. Mykkelveit. On the covering radius of binary codes. IEEE Trans. Inform. Theory, IT-24(5), pp. 627-628, 1978.

[128] T. Helleseth and H.F. Mattson Jr. On the cosets of the simplex code. Discr. Math. 56, pp. 169-189, 1985.

[129] S. Hirose and K. Ikeda. Nonlinearity criteria of Boolean functions. KUIS Technical Report, KUIS-94-0002, 1994.

[130] S. Hirose and K. Ikeda. Complexity of Boolean functions satisfying the propagation criterion. The Proc. of the 1995 Symposium on Cryptography and Information Security, SCIS95-B3.3, (1995).

[131] I. Honkala and A. Klapper. Bounds for the multicovering radii of Reed-Muller codes with applications to stream ciphers. Designs, Codes and Cryptography 23, pp. 131-145, 2001.

[132] X.-D. Hou. Some results on the covering radii of Reed-Muller codes. IEEE Trans. Inform. Theory, vol. IT-39, no. 2, pp. 366-378, 1993.

[133] X.-D. Hou. Classification of cosets of the Reed-Muller code R(m − 3, m). Discrete Math., 128, pp. 203-224, 1994.

[134] X.-D. Hou. The covering radius of R(1, 9) in R(4, 9). Designs, Codes and Cryptography 8 (3), pp. 285-292, 1995.

[135] X.-D. Hou. AGL(m, 2) acting on R(r, m)/R(s, m). Journal of Algebra 171, pp. 921-938, 1995.

[136] X.-D. Hou. Covering radius of the Reed-Muller code R(1, 7) - a simpler proof. J. Combin. Theory, Series A 74, pp. 337-341, 1996.

[137] X.-D. Hou. GL(m, 2) acting on R(r, m)/R(r − 1, m). Discrete Math.
149, pp. 99-122, 1996.
[138] X.-D. Hou. On the covering radius of R(1, m) in R(3, m). IEEE Trans.
Inform. Theory, 42(3), pp. 1035-1037, 1996.
[139] X.-D. Hou. The Reed-Muller code R(1, 7) is normal. Designs, Codes
and Cryptography 12, pp. 75-82, 1997.
[140] X.-D. Hou. Cubic bent functions. Discrete Mathematics vol. 189, pp.
149-161, 1998.
[141] X.-D. Hou. On Binary Resilient Functions. Des. Codes Cryptography
28(1), pp. 93-112, 2003.
[142] X.-D. Hou. Group Actions on Binary Resilient Functions. Appl. Alge-
bra Eng. Commun. Comput. 14(2), pp. 97-115, 2003.
[143] X.-D. Hou. New Constructions of Bent Functions. Proceedings of the
International Conference on Combinatorics, Information Theory and
Statistics; Journal of Combinatorics, Information and System Sciences,
Vol. 25, Nos. 1-4, pp. 173-189, 2000.
[144] X.-D. Hou. On the coefficients of binary bent functions. Proceedings of the American Mathematical Society (electronically published) S 0002-9939(99)05146-1, 1999.
[145] X.-D. Hou and P. Langevin. Results on bent functions, Journal of
Combinatorial Theory, Series A, 80, pp. 232-246, 1997.
[146] T. Jakobsen and L.R. Knudsen. The interpolation attack on block ci-
phers. Fast Software Encryption’97, Lecture Notes in Computer Science
1267, 1997.
[147] C.J.A. Jansen and D.E. Boekee. The shortest feedback shift reg-
ister that can generate a given sequence. Advances in Cryptology –
CRYPTO’89, LNCS 435, Springer-Verlag, pp. 90-99,1990 (this paper
refers to the classified PhD thesis of C.J.A. Jansen entitled “Investiga-
tions on nonlinear streamcipher systems: construction and evaluation
methods”, Philips).
[148] T. Johansson and F. Jönsson. Improved fast correlation attack on
stream ciphers via convolutional codes. Advances in Cryptology - EU-
ROCRYPT’99, no. 1592 in Lecture Notes in Computer Science, pp.
347-362, 1999.

[149] T. Johansson and F. Jönsson. Fast correlation attacks based on turbo
code techniques. Advances in Cryptology - CRYPTO’99, no. 1666 in
Lecture Notes in Computer Science, pp. 181-197, 1999.

[150] T. Johansson and F. Jönsson. Fast correlation attacks through reconstruction of linear polynomials. Advances in Cryptology - CRYPTO 2000, no. 1880 in Lecture Notes in Computer Science, pp. 300-315, 2000.

[151] F. Jönsson. Some results on fast correlation attacks. PhD thesis, Lund University, 2002.

[152] D. Jungnickel. Difference sets. Contemporary Design Theory: A Collection of Surveys, J. Dinitz and D. R. Stinson eds. John Wiley & Sons, 1992.

[153] W. Kantor. An Exponential Number of Generalized Kerdock Codes, Inf. and Contr. 53, pp. 74-80, 1982.

[154] T. Kasami. The weight enumerators for several classes of subcodes of the second order binary Reed-Muller codes. Information and Control, 18, pp. 369-394, 1971.

[155] T. Kasami and N. Tokura. On the weight structure of the Reed Muller codes, IEEE Trans. Info. Theory 16, pp. 752-759, 1970.

[156] T. Kasami, N. Tokura, and S. Azumi. On the Weight Enumeration of Weights Less than 2.5d of Reed-Muller Codes. Information and Control, 30:380-395, 1976.

[157] N. Katz. On a theorem of Ax. American Journal of Mathematics 93, pp. 485-499, 1971.

[158] A. M. Kerdock. A class of low-rate non linear codes. Information and Control, 20, 182-187 (1972).

[159] A. Kerckhoffs. La Cryptographie Militaire. Journal des Sciences Militaires, 1883.

[160] J.D. Key, T.P. McDonough and V.C. Mavron. Information sets and partial permutation decoding for codes from finite geometries. To appear in Finite Fields and their Applications.

[161] J. Kahn, G. Kalai and N. Linial. The influence of variables on Boolean functions. IEEE 29th Symp. on Foundations of Computer Science, pp. 68-80, 1988.

[162] L.R. Knudsen. Truncated and higher order differentials. Fast Software Encryption, Second International Workshop, Lecture Notes in Computer Science, n 1008, pp. 196-211. Springer-Verlag, 1995.

[163] K. Khoo and G. Gong. New constructions for resilient and highly nonlinear Boolean functions. Proceedings of 8th Australasian Conference, ACISP 2003, Wollongong, Australia, Lecture Notes in Computer Science 2727, Springer, 2003.

[164] L.R. Knudsen and M.P.J. Robshaw. Non-linear approximations in linear cryptanalysis. Advances in Cryptology - EUROCRYPT'96, Lecture Notes in Computer Science 1070, pp. 224-236. Springer-Verlag, 1996.

[165] P.V. Kumar, R.A. Scholtz and L.R. Welch. Generalized bent functions and their properties, Journal of Combinatorial Theory, Series A 40, pp. 90-107, 1985.

[166] K. Kurosawa and R. Matsumoto. Almost security of cryptographic Boolean functions. IEEE Transactions on Information Theory, vol. 50 (11), pp. 2752-2761, 2004.

[167] K. Kurosawa and T. Satoh. Design of SAC/PC(ℓ) of order k Boolean functions and three other cryptographic criteria. Advances in Cryptology, EUROCRYPT'97, Lecture Notes in Computer Science 1233, Springer Verlag, pp. 434-449, 1997.

[168] K. Kurosawa, T. Iwata and T. Yoshiwara. New covering radius of Reed-Muller codes for t-resilient functions. Selected Areas in Cryptography, 8th Annual International Workshop, Vaudenay and Youssef Eds., LNCS 2259, pp. 75 ff, 2001.

[169] X. Lai. Higher order derivatives and differential cryptanalysis. Proc. "Symposium on Communication, Coding and Cryptography", in honor of J. L. Massey on the occasion of his 60th birthday. 1994.

[170] X. Lai. Additive and linear structures of cryptographic functions. Proceedings of Fast Software Encryption, Second International Workshop, Lecture Notes in Computer Science 1008, pp. 75-85, 1995.

[171] P. Langevin. Covering radius of RM (1, 9) in RM (3, 9). Eurocode’90,
no. 514 in Lecture Notes in Computer Science, pp. 51-59. Springer-
Verlag, 1991.
[172] P. Langevin. On the orphans and covering radius of the Reed-Muller
codes. Proceedings of AAECC 9, Lecture Notes in Computer Science
539, pp. 234-240, 1991.
[173] P. Langevin. On generalized bent functions. CISM Courses and Lec-
tures 339 (Eurocode), pp. 147-157, 1992.
[174] P. Langevin and P. Solé. Kernels and defaults. American Mathematical
Society (Proceedings of the conference Finite Fields and Applications
Fq4) Contemporary Mathematics 225, pp. 77-85, 1999.
[175] G. Leander. Bent functions with 2r Niho exponents. Proceedings of
the Workshop on Coding and Cryptography 2005, Bergen, pp. 454-461,
2005.
[176] G. Leander. Monomial bent functions. Proceedings of the Workshop
on Coding and Cryptography 2005, Bergen, pp. 462-470, 2005.
[177] R. J. Lechner. Harmonic analysis of switching functions. In Recent
Developments in Switching Theory, Academic Press, New York, 1971.
[178] R. Lidl and H. Niederreiter, Finite Fields, Encyclopedia of Mathematics and its Applications, vol. 20, Addison-Wesley, Reading, Massachusetts (1983)
[179] S. Ling and C. Xing, Coding Theory, Cambridge: Cambridge University Press, 2004.
[180] N. Linial, Y. Mansour and N. Nisan. Constant depth circuits, Fourier transform, and learnability. Journal of the Association for Computing Machinery, vol. 40 (3), pp. 607-620, 1993.
[181] J. H. van Lint. Introduction to coding theory, Springer, New York, 1982.
[182] M. Lobanov. Tight bound between nonlinearity and algebraic immunity. Paper 2005/441 in http://eprint.iacr.org/
[183] O.A. Logachev, A.A. Salnikov and V.V. Yashchenko. Bent functions on a finite Abelian group. Discrete Math. Appl. vol 7, no. 6, pp. 547-564, 1997.

133
[184] S. Lloyd. Properties of binary functions. Advances in Cryptology - EUROCRYPT '90, Lecture Notes in Computer Science 473, pp. 124-139, 1991.

[185] S. Lloyd. Counting binary functions with certain cryptographic properties. Journal of Cryptology 5, pp. 107-131, 1992.

[186] S. Lloyd. Balance, uncorrelatedness and the strict avalanche criterion. Discrete Applied Mathematics 41, pp. 223-233, 1993.

[187] F. J. MacWilliams and N. J. Sloane. The theory of error-correcting codes. Amsterdam, North Holland, 1977.

[188] J. A. Maiorana. A classification of the cosets of the Reed-Muller code R(1, 6). Mathematics of Computation, vol. 57, no. 195, pp. 403-414, 1991.

[189] S. Maitra. Highly nonlinear balanced Boolean functions with very good autocorrelation property. Proceedings of the Workshop on Coding and Cryptography 2001, published by Electronic Notes in Discrete Mathematics, Elsevier, vol. 6, pp. 355-364, 2001.

[190] S. Maitra. Autocorrelation properties of correlation immune Boolean functions. Progress in Cryptology - INDOCRYPT 2001, Lecture Notes in Computer Science 2247, pp. 242-253, 2001.

[191] S. Maitra and E. Pasalic. Further constructions of resilient Boolean functions with very high nonlinearity. IEEE Transactions on Information Theory, vol. 48 (7), pp. 1825-1834, 2002.

[192] S. Maitra and P. Sarkar. Enumeration of correlation-immune Boolean functions. ACISP, pp. 12-25, 1999.

[193] S. Maitra and P. Sarkar. Maximum nonlinearity of symmetric Boolean functions on odd number of variables. IEEE Transactions on Information Theory, vol. 48, pp. 2626-2630, 2002.

[194] S. Maitra and P. Sarkar. Highly nonlinear resilient functions optimizing Siegenthaler's inequality. Advances in Cryptology - CRYPTO '99, no. 1666 in Lecture Notes in Computer Science, pp. 198-215, Springer-Verlag, 1999.

[195] S. Maitra and P. Sarkar. Modifications of Patterson-Wiedemann functions for cryptographic applications. IEEE Trans. Inform. Theory, vol. 48, pp. 278-284, 2002.

[196] S. Maity and S. Maitra. Minimum distance between bent and 1-resilient Boolean functions. Proceedings of Fast Software Encryption 2004, LNCS 3017, pp. 143-160, 2004.

[197] J. L. Massey. Shift-register analysis and BCH decoding. IEEE Trans. Inform. Theory, vol. 15, pp. 122-127, 1969.

[198] J. L. Massey. Randomness, arrays, differences and duality. IEEE Trans. Inform. Theory, vol. 48, pp. 1698-1703, 2002.

[199] M. Matsui. Linear cryptanalysis method for DES cipher. Advances in Cryptology - EUROCRYPT '93, no. 765 in Lecture Notes in Computer Science, Springer-Verlag, pp. 386-397, 1994.

[200] R. J. McEliece. Weight congruence for p-ary cyclic codes. Discrete Mathematics 3, pp. 177-192, 1972.

[201] R. L. McFarland. A family of noncyclic difference sets. Journal of Comb. Theory, Series A, no. 15, pp. 1-10, 1973.

[202] W. Meier, E. Pasalic and C. Carlet. Algebraic attacks and decomposition of Boolean functions. Advances in Cryptology - EUROCRYPT 2004, Lecture Notes in Computer Science 3027, Springer-Verlag, pp. 474-491, 2004.

[203] W. Meier and O. Staffelbach. Fast correlation attacks on stream ciphers. Advances in Cryptology - EUROCRYPT '88, Lecture Notes in Computer Science 330, Springer-Verlag, pp. 301-314, 1988.

[204] W. Meier and O. Staffelbach. Nonlinearity criteria for cryptographic functions. Advances in Cryptology - EUROCRYPT '89, Lecture Notes in Computer Science 434, Springer-Verlag, pp. 549-562, 1990.

[205] W. Meier and O. Staffelbach. Correlation properties of combiners with memory in stream ciphers. Advances in Cryptology - EUROCRYPT '90, Lecture Notes in Computer Science 473, Springer-Verlag, pp. 204-213, 1990.

[206] A. Menezes, P. van Oorschot and S. Vanstone. Handbook of Applied Cryptography. CRC Press Series on Discrete Mathematics and Its Applications, 1996.

[207] W. Millan, A. Clark and E. Dawson. Heuristic design of cryptographically strong balanced Boolean functions. Advances in Cryptology - EUROCRYPT '98, Lecture Notes in Computer Science 1403, Springer-Verlag, 1998.

[208] C. J. Mitchell. Enumerating Boolean functions of cryptographic significance. Journal of Cryptology 2 (3), pp. 155-170, 1990.

[209] J. Mykkeltveit. The covering radius of the [128, 8] Reed-Muller code is 56. IEEE Trans. Inform. Theory, vol. 26 (3), pp. 359-362, 1980.

[210] Y. Nawaz, G. Gong and K. Gupta. Upper bounds on algebraic immunity of power functions. Proceedings of Fast Software Encryption 2006, to appear.

[211] N. Nisan and M. Szegedy. On the degree of Boolean functions as real polynomials. Comput. Complexity 4, pp. 301-313, 1994.

[212] K. Nyberg. Constructions of bent functions and difference sets. Advances in Cryptology - EUROCRYPT '90, Lecture Notes in Computer Science 473, Springer-Verlag, pp. 151-160, 1991.

[213] L. O'Connor and A. Klapper. Algebraic nonlinearity and its applications to cryptography. Journal of Cryptology 7, pp. 213-227, 1994.

[214] D. Olejár and M. Stanek. On cryptographic properties of random Boolean functions. Journal of Universal Computer Science, vol. 4, no. 8, pp. 705-717, 1998.

[215] J. D. Olsen, R. A. Scholtz and L. R. Welch. Bent function sequences. IEEE Trans. on Inf. Theory, vol. IT-28, no. 6, 1982.

[216] E. Pasalic. On Boolean functions in symmetric-key ciphers. Ph.D. Thesis, 2003.

[217] E. Pasalic, T. Johansson, S. Maitra and P. Sarkar. New constructions of resilient and correlation immune Boolean functions achieving upper bounds on nonlinearity. Proceedings of the Workshop on Coding and Cryptography 2001, published by Electronic Notes in Discrete Mathematics, Elsevier, vol. 6, pp. 425-434, 2001.

[218] E. Pasalic and S. Maitra. A Maiorana-McFarland type construction for resilient Boolean functions on n variables (n even) with nonlinearity > 2^{n-1} - 2^{n/2} + 2^{n/2-2}. Proceedings of the Workshop on Coding and Cryptography 2003, pp. 365-374, 2003.

[219] S. M. Park, S. Lee, S. H. Sung and K. Kim. Improving bounds for the number of correlation-immune Boolean functions. Information Processing Letters 61, pp. 209-212, 1997.

[220] N. J. Patterson and D. H. Wiedemann. The covering radius of the [2^15, 16] Reed-Muller code is at least 16276. IEEE Trans. Inform. Theory, vol. IT-29, pp. 354-356, 1983.

[221] N. J. Patterson and D. H. Wiedemann. Correction to [220]. IEEE Trans. Inform. Theory, vol. IT-36 (2), p. 443, 1990.

[222] V. S. Pless and W. C. Huffman, Eds., R. A. Brualdi, assistant editor. Handbook of Coding Theory. Amsterdam, the Netherlands: Elsevier, 1998.

[223] B. Preneel, W. Van Leekwijck, L. Van Linden, R. Govaerts and J. Vandewalle. Propagation characteristics of Boolean functions. Advances in Cryptology - EUROCRYPT '90, Lecture Notes in Computer Science 473, Springer-Verlag, pp. 161-173, 1991.

[224] B. Preneel, R. Govaerts and J. Vandewalle. Boolean functions satisfying higher order propagation criteria. Advances in Cryptology - EUROCRYPT '91, Lecture Notes in Computer Science 547, Springer-Verlag, pp. 141-152, 1991.

[225] B. Preneel. Analysis and Design of Cryptographic Hash Functions. Ph.D. Thesis, Katholieke Universiteit Leuven, K. Mercierlaan 94, 3001 Leuven, Belgium, U.D.C. 621.391.7, 1993.

[226] M. Quisquater. The sum transform: a new tool to study cryptographic properties of Boolean functions. Preprint, 2002.

[227] M. Quisquater, B. Preneel and J. Vandewalle. A new inequality in discrete Fourier theory. IEEE Trans. on Inf. Theory 49, pp. 2038-2040, 2003.

[228] M. Quisquater, B. Preneel and J. Vandewalle. Spectral characterization of functions satisfying the (extended) propagation criterion of degree l and order k. Preprint, 2004.

[229] C. R. Rao. Factorial experiments derived from combinatorial arrangements of arrays. J. Roy. Statist. 9, pp. 128-139, 1947.

[230] F. Rodier. On the nonlinearity of Boolean functions. Proceedings of the Workshop on Coding and Cryptography 2003, pp. 397-405, 2003.

[231] O. S. Rothaus. On "bent" functions. J. Comb. Theory 20A, pp. 300-305, 1976.

[232] B. V. Ryazanov. On the distribution of the spectral complexity of Boolean functions. Discrete Math. Appl., vol. 4, no. 3, pp. 279-288, 1994.

[233] R. A. Rueppel. Analysis and design of stream ciphers. Com. and Contr. Eng. Series, Berlin, Heidelberg, NY, London, Paris, Tokyo, 1986.

[234] R. A. Rueppel and O. J. Staffelbach. Products of linear recurring sequences with maximum complexity. IEEE Transactions on Information Theory, vol. IT-33, no. 1, 1987.

[235] P. Sarkar and S. Maitra. Construction of nonlinear Boolean functions with important cryptographic properties. Advances in Cryptology - EUROCRYPT 2000, no. 1807 in Lecture Notes in Computer Science, Springer-Verlag, pp. 485-506, 2000.

[236] P. Sarkar and S. Maitra. Nonlinearity bounds and constructions of resilient Boolean functions. Advances in Cryptology - CRYPTO 2000, LNCS vol. 1880, ed. Mihir Bellare, pp. 515-532, 2000.

[237] P. Sarkar and S. Maitra. Construction of nonlinear resilient Boolean functions using "small" affine functions. IEEE Transactions on Information Theory, vol. 50, no. 9, pp. 2185-2193, 2004.

[238] P. Savicky. On the bent Boolean functions that are symmetric. Eur. J. Combinatorics 15, pp. 407-410, 1994.

[239] M. Schneider. A note on the construction and upper bounds of correlation-immune functions. 6th IMA Conference, pp. 295-306, 1997.

[240] J. Seberry and X.-M. Zhang. Constructions of bent functions from two known bent functions. Australasian Journal of Combinatorics, no. 9, pp. 21-35, 1994.

[241] J. Seberry, X.-M. Zhang and Y. Zheng. On constructions and nonlinearity of correlation immune Boolean functions. Advances in Cryptology - EUROCRYPT '93, LNCS 765, pp. 181-199, 1994.

[242] J. Seberry, X.-M. Zhang and Y. Zheng. Nonlinearly balanced Boolean functions and their propagation characteristics. Advances in Cryptology - CRYPTO '93, pp. 49-60, 1994.

[243] N. V. Semakov and V. A. Zinov'ev. Balanced codes and tactical configurations. Problems of Info. Trans. 5 (3), pp. 22-28, 1969.

[244] C. E. Shannon. Communication theory of secrecy systems. Bell System Technical Journal 28, pp. 656-715, 1949.

[245] T. Siegenthaler. Correlation-immunity of nonlinear combining functions for cryptographic applications. IEEE Transactions on Information Theory, vol. IT-30, no. 5, pp. 776-780, 1984.

[246] T. Siegenthaler. Decrypting a class of stream ciphers using ciphertext only. IEEE Transactions on Computers, vol. C-34, no. 1, pp. 81-85, 1985.

[247] P. Stanica, S. Maitra and J. Clark. Results on rotation symmetric bent and correlation immune Boolean functions. Proceedings of Fast Software Encryption 2004, LNCS 3017, pp. 161-177, 2004.

[248] P. Stanica and S. H. Sung. Boolean functions with five controllable cryptographic properties. Designs, Codes and Cryptography 31, pp. 147-157, 2004.

[249] I. Strazdins. Universal affine classification of Boolean functions. Acta Applicandae Mathematicae 46, pp. 147-167, 1997.

[250] T. Sugita, T. Kasami and T. Fujiwara. Weight distributions of the third and fifth order Reed-Muller codes of length 512. Nara Inst. Sci. Tech. Report, 1996.

[251] S. H. Sung, S. Chee and C. Park. Global avalanche characteristics and propagation criterion of balanced Boolean functions. Information Processing Letters 69, pp. 21-24, 1999.

[252] H. Tapia-Recillas and G. Vega. An upper bound on the number of iterations for transforming a Boolean function of degree greater than or equal to 4 to a function of degree 3. Designs, Codes and Cryptography 24, pp. 305-312, 2001.

[253] Y. V. Tarannikov. On resilient Boolean functions with maximum possible nonlinearity. Proceedings of INDOCRYPT 2000, Lecture Notes in Computer Science 1977, pp. 19-30, 2000.

[254] Y. V. Tarannikov. New constructions of resilient Boolean functions with maximum nonlinearity. Proceedings of Fast Software Encryption 2001, 8th International Workshop, Lecture Notes in Computer Science 2355, pp. 66-77, 2001.

[255] Y. V. Tarannikov and D. Kirienko. Spectral analysis of high order correlation immune functions. Proceedings of 2001 IEEE International Symposium on Information Theory, p. 69, 2001 (full preliminary version at Cryptology ePrint Archive, http://eprint.iacr.org/).

[256] Y. V. Tarannikov, P. Korolev and A. Botev. Autocorrelation coefficients and correlation immunity of Boolean functions. Advances in Cryptology - ASIACRYPT 2001, Lecture Notes in Computer Science 2248, Springer-Verlag, pp. 460-479, 2001.

[257] S. Tsai. Lower bounds on representing Boolean functions as polynomials in Z_m. SIAM J. Discrete Math., vol. 9 (1), pp. 55-62, 1996.

[258] S. F. Vinokurov and N. A. Peryazev. An expansion of Boolean function into a sum of products of subfunctions. Discrete Math. Appl., vol. 3 (5), pp. 531-533, 1993.

[259] A. F. Webster and S. E. Tavares. On the design of S-boxes. Advances in Cryptology - CRYPTO '85, no. 219 in Lecture Notes in Computer Science, pp. 523-534, Springer-Verlag, 1985.

[260] J. Wolfmann. Bent functions and coding theory. Difference Sets, Sequences and their Correlation Properties, A. Pott, P. V. Kumar, T. Helleseth and D. Jungnickel, eds., pp. 393-417, Amsterdam: Kluwer, 1999.

[261] Y. X. Yang and B. Guo. Further enumerating Boolean functions of cryptographic significance. Journal of Cryptology 8 (3), pp. 115-122, 1995.

[262] R. Yarlagadda and J. E. Hershey. Analysis and synthesis of bent sequences. Proc. IEE, vol. 136, Pt. E, pp. 112-123, 1989.

[263] A. M. Youssef and G. Gong. Hyper-bent functions. Advances in Cryptology - EUROCRYPT 2001, Lecture Notes in Computer Science 2045, Springer-Verlag, Berlin, pp. 406-419, 2001.

[264] M. Zhang. Maximum correlation analysis of nonlinear combining functions in stream ciphers. Journal of Cryptology 13 (3), pp. 301-313, 2000.

[265] X.-M. Zhang and Y. Zheng. GAC - the criterion for global avalanche characteristics of cryptographic functions. Journal of Universal Computer Science 1 (5), pp. 320-337, 1995.

[266] X.-M. Zhang and Y. Zheng. Auto-correlations and new bounds on the nonlinearity of Boolean functions. Advances in Cryptology - EUROCRYPT '96, no. 1070 in Lecture Notes in Computer Science, Springer-Verlag, pp. 294-306, 1996.

[267] X.-M. Zhang and Y. Zheng. Characterizing the structures of cryptographic functions satisfying the propagation criterion for almost all vectors. Designs, Codes and Cryptography 7 (1), pp. 111-134, 1996.

[268] X.-M. Zhang and Y. Zheng. The nonhomomorphicity of Boolean functions. Selected Areas in Cryptography - SAC 1998, Lecture Notes in Computer Science 1556, pp. 280-295, 1999.

[269] Y. Zheng and X.-M. Zhang. Plateaued functions. ICICS '99, Lecture Notes in Computer Science 1726, Springer-Verlag, pp. 284-300, 1999.

[270] Y. Zheng, X.-M. Zhang and H. Imai. Restriction, terms and nonlinearity of Boolean functions. Theoretical Computer Science 226 (1-2), pp. 207-223, 1999.

[271] Y. Zheng and X.-M. Zhang. On relationships among avalanche, nonlinearity and correlation immunity. Advances in Cryptology - ASIACRYPT 2000, Lecture Notes in Computer Science 1976, pp. 470-483, 2000.

[272] Y. Zheng and X.-M. Zhang. Improving upper bound on the nonlinearity of high order correlation immune functions. Proceedings of Selected Areas in Cryptography 2000, Lecture Notes in Computer Science 2012, pp. 262-274, 2001.

Index

[N, k, d]-code, 30
absolute indicator, 52
affine functions, 12
affine invariant, 11
affinely equivalent, 40
algebraic attacks, 49
algebraic degree, 11
algebraic immunity, 50
Algebraic Normal Form, 7
algebraic thickness, 54
amplitude, 85
annihilator, 50
atomic functions, 8
auto-correlation function, 24
Ax's theorem, 34
balanced functions, 44
bent functions, 42
Berlekamp-Massey algorithm, 36
binary Möbius transform, 9
Boolean functions, 5
Cayley graph, 28
ciphertext, 4
code, 5
codewords, 5
Combining Boolean functions, 36
complete class of functions, 62
complexity criteria, 54
concatenating affine functions, 68
confusion, 39
conventional cryptography, 4
correlation attack, 45
correlation-immune function, 45
covered, 9
covering radius, 43
covering radius bound, 42
covering sequence, 59
cryptanalysis, 4
cryptography, 4
decomposable functions, 102
decryption, 4
derivative, 23
difference set, 63
diffusion, 39
Dillon's functions, 69
Dirac symbol, 20
discrete Fourier transform, 17
distance enumerator, 34
distance to linear structures, 48
distinguishing attacks, 44
dual distance, 34
dual function, 64
encryption, 4
error correcting codes, 5
extended propagation criterion, 47
fast correlation attacks, 45
Feedback Shift Register, 37
filtering function, 37
generalized degree, 14
generator matrix, 30
global avalanche criterion, 52
Hamming distance, 7
Hamming weight, 7
hyper-bent functions, 81
idempotent functions, 96
indicator, 21
inner product, 12
Kerdock code, 88
Krawtchouk polynomials, 112
level of a covering sequence, 60
LFSR, 35
linear code, 30
linear complexity, 36
Linear Feedback Shift Registers, 35
linear kernel, 47
linear structure, 47
Möbius transform over integers, 15
MacWilliams' identity, 33
Maiorana-McFarland construction, 96
Maiorana-McFarland original class, 68
maximal odd weighting, 31
maximum correlation, 54
McEliece's theorem, 34
minimum distance, 30
monomial functions, 71
non-trivial covering sequence, 60
nonhomomorphicity, 55
nonlinearity, 41
nonlinearity profile, 44
normal basis, 88
normal function, 54
numerical degree, 14
Numerical Normal Form, 14
one time pad, 35
orphan of R(1, n), 87
orthogonal, 21
parity-check matrix, 32
Parseval's relation, 23
partial bent functions, 84
partial covering sequence, 61
Partial Spreads class, 69
partially defined, 11
partially-bent functions, 84
perfect nonlinear functions, 63
plaintext, 4
plateaued functions, 53
Poisson summation formula, 21
power functions, 71
primary constructions, 67
primitive element, 88
Propagation Criterion, 46
pseudo-Boolean functions, 14
pseudo-random sequences, 35
public key cryptography, 4
quadratic functions, 55
rank of ϕ_f, 56
redundancy, 5
Reed-Muller codes, 30
resiliency order, 45
resilient function, 45
Rothaus' bound, 66
Sarkar et al.'s bound, 92
Sarkar-Maitra's divisibility, 92
secondary constructions, 67
sign function, 18
Stream ciphers, 34
Strict Avalanche Criterion, 46
sum-of-squares indicator, 52
support of the codeword, 7
support of the function, 7
symmetric cryptography, 4
symmetric function, 110
Tarannikov et al.'s construction, 104
the naive bound, 79
trace function, 13
transmission rate, 5
Vernam cipher, 34
Walsh transform, 18
weakly-normal function, 54
weight distribution, 33
weight enumerator, 33
Wiener-Khintchine Theorem, 24
