arxiv: v5 [cs.it] 4 Nov 2009

Transcription

1 1 Constructions of Almost Optimal Resilient Boolean Functions on Large Even Number of Variables WeiGuo ZHANG and GuoZhen XIAO ISN Lab, Xidian University, Xi an , P.R.China arxiv: v5 [cs.it] 4 Nov 009 Abstract In this paper, a technique on constructing nonlinear resilient Boolean functions is described. By using several sets of disjoint spectra functions on a small number of variables, an almost optimal resilient function on a large even number of variables can be constructed. It is shown that given any m, one can construct infinitely many n-variable (n even), m-resilient functions with nonlinearity > n 1 n/. A large class of highly nonlinear resilient functions which were not known are obtained. Then one method to optimize the degree of the constructed functions is proposed. Last, an improved version of the main construction is given. Keywords: Stream cipher, Boolean function, Algebraic degree, disjoint spectra functions, nonlinearity, resiliency, 1 Introduction Boolean functions are used as nonlinear combiners or nonlinear filters in certain models of stream cipher systems. In the design of cryptographic Boolean functions, there is a need to consider a multiple number of criteria simultaneously. The widely accepted criteria are balancedness, high nonlinearity, high algebraic degree, and correlation immunity of high order (for balanced functions, correlation immunity is referred to as resiliency). By an (n,m,d,n f ) function we mean an n-variable, m-resilient (order of resiliency m) Boolean function f with algebraic degree d and nonlinearity N f. Unfortunately, all the criteria above cannot be maximized together. For n even, the most notable example is perhaps bent functions [19]. Achieving optimal nonlinearity n 1 n/ 1, bent functions permit to resist linear attacks in the best possible way. But they are improper for cryptographic use because they are neither balanced nor correlation-immune and their algebraic degrees are not more than n/. When concerning the order of resiliency, Siegenthaler [8] and Xiao [31] proved that d n m 1 for m-reslient Boolean functions. Such a function, reaching this bound, is called degree-optimized. For the reasons above, it is more important to construct those degree-optimized resilient Boolean functions which have almost optimal (large but not optimal) nonlinearity, say between n 1 n/ and n 1 n/ 1, when n is even. This is also what we do in this paper. We now give a summary of earlier results that are related to our work. 1) To obtain nonlinear resilient functions, a modification of the Maiorana-McFarland (M-M) construction of bent functions(cf.[5]) by concatenating the small affine functions was first employed by Camion et al [1] and later studied in [7], [3], [1]. The nonlinearity of n-variable M-M resilient functions cannot exceed n 1 n/. The M-M technique in general does not generate degreeoptimized functions and the M-M functions are potentially cryptographically weak [], [9]. ) An interesting extension of the M-M technique has been made by Carlet [], where the concatenation of affine functions is replaced by concatenation of quadratic functions. In general, these constructed functions can not be degree-optimized, and the other parameters such as nonlinearity and resiliency are not better than those of the M-M functions. 3) Pasalic [17] presented a revised version of the M-M technique to obtain degree-optimized resilient functions. The modification is simple and smart but the nonlinearity value of the constructed functions is at most n 1 n/. Published in IEEE Transactions on Information Theory, vol. 55, no. 1, 009. (doi: /TIT ) w.g.zhang@qq.com

2 4) Sarkar and Maitra [1] indicated that for each order of resiliency m, it is possible to find an even positive integer n to construct an (n,m,n m 1,N f ) function f with N f > n 1 n/. They showed that for even n 1, the nonlinearity of 1-resilient functions with maximum possible algebraic degree n can reach n 1 n/ 1 n/ n/4 4. It was further improved due to the method proposed by Maitra and Pasalic [1]. Thanks to the existence of the (8,1,6,116) functions, an (n,1,n,n f ) function f with N f = n 1 n/ 1 n/ 4 could be obtained, where n 10. 5) Seberry et al. [6] and Dobbertin [6] independently presented constructions of highly nonlinear balanced Boolean functions by modifying the M-M bent functions. To obtain an n-variable balanced function, they concatenated n/ 1 nonconstant distinct n/-variable linear functions and one n/-variable modified M-M class highly nonlinear balanced Boolean function which can be constructed in a recursive manner. These constructed functions attain the best known nonlinearity for n-variable (n even) balanced functions. Unfortunately, these functions are not 1-resilient functions. 6) To obtain m-resilient functions with nonlinearity > n 1 n/ 1 n/ for n even and n 14, Maitra and Pasalic [11] applied the concatenation of n/ k distinct linear m-resilient functions on n/ variables together with a highly nonlinear resilient function on n/ + k variables. Moreover, they have provided a generalized construction method for m-resilient functions with nonlinearity n 1 n/ 1 n/ 3 n/ 4 for all n 8m + 6. For sufficiently large n, it is possible to get such functions with nonlinearity n 1 n/ 1 3 n/. And it is the upper bound on maximum possible nonlinearity under their construction method. 7) Computer search techniques have played an important role in the design of cryptographic Boolean functions in the last ten years [14], [16], [15], [4]. For a small number of variables, Boolean functions with good cryptographic parameters could be found by using heuristic search techniques [1], [0], [8]. However, search techniques cannot be used for functions with a large number of variables at present. 8) During the past decade, the most infusive results on the design of cryptographic Boolean functions were centered on finding small functions with desirable cryptographic properties. When it comes to constructing large functions, people used recursive constructions [9], [30], [7] besides the M-M construction and its revised (extended) versions. With the rapid development of integrated circuit technique, Boolean functions with large number of variables can be easily implemented in hardware []. In this paper we propose a technique to construct high nonlinear resilient Boolean functions on large even number of variables (n 1). We obtain a large class of resilient Boolean functions with a nonlinearity higher than that attainable by any previously known construction method. The organization of this paper is as follows. In Section II, the basic concepts and notions are presented. In Section III, we present a method to construct a set of disjoint spectra functions by using a class of partially linear functions. Our main construction is given in Section IV. A method for constructing resilient functions on large even number of input variables is proposed. We show that all the constructed functions are almost optimal. In Section V, the degrees of the constructed functions are optimized. In Section VI, an improved version of the main construction is given. Finally, Section VII concludes the paper with an open problem. Preliminary To avoid confusion with the additions of integers in R, denoted by + and Σ i, we denote the additions over F by and i. For simplicity, we denote by + the addition of vectors of Fn. A Boolean function of n variables is a function from F n into F, and we denote by B n the set of all Boolean functions of n variables. A Boolean function f(x n ) B n, where X n = (x 1,,x n ) F n, is generally represented by its algebraic normal form (ANF) f(x n ) = n λ u ( x ui i ) (1) u F n i=1 where λ u F and u = (u 1,,u n ). The algebraic degree of f(x n ), denoted by deg(f), is the maximal value of wt(u) such that λ u 0, where wt(u) denotes the Hamming weight of u. A Boolean function with deg(f) 1 is said to be affine. In particular, an affine function with constant term equal to zero is called a linear function. Any linear function on F n is denoted by ω X n = ω 1 x 1 ω n x n

3 3 where ω = (ω 1,,ω n ) F n. The Walsh spectrum of f B n in point ω is denoted by W f (ω) and calculated by W f (ω) = ( 1) f(xn) ω Xn. () X n F n f B n is said to be balanced if its output column in the truth table contains equal number of 0 s and 1 s (i.e. W f (0) = 0). In [31], a spectral characterization of resilient functions has been presented. Lemma 1: An n-variable Boolean function is m-resilient if and only if its Walsh transform satisfies W f (ω) = 0, for 0 wt(ω) m, ω F n. (3) The Hamming distance between two n-variable Boolean functions f and ρ is denoted by d(f,ρ) = {X n F n : f(x n ) ρ(x n )}. The set of all affine functions on F n is denoted by A(n). The nonlinearity of a Boolean function f B n is its distance to the set of all affine functions and is defined as N f = min ρ A(n) (d(f,ρ)). In term of Walsh spectra, the nonlinearity of f is given by [13] N f = n 1 1 max W f (ω). (4) ω F n Parseval s equation [10] states that (W f (ω)) = n (5) and implies that ω F n N f n 1 n/ 1. The equality occurs if and only if f B n are bent functions, where n is even. Bent functions can be constructed by the M-M method. The original M-M functions are defined as follows: for any positive integers p, q such that n = p+q, an M-M function is a function f B n defined by f(y q,x p ) = φ(y q ) X p π(y q ), X p F p,y q F q (6) where φ is any mapping from F q to Fp and π B q. When n is even, p=q=n/, and φ is injective, the M-M functions are bent. Certain choices of φ can easily yield bent functions with degree n/. For the case of n =, f B is bent if and only if deg(f) =. The M-M construction is in essence a concatenation of affine functions. The following definition shows a more general approach to obtain a large Boolean function by concatenating the truth tables of any small Boolean functions. Definition 1: Let Y q F q, X p F p, and p, q be positive numbers with p +q = n. f B n is called a concatenation of the functions in the set G = {g b b F q } B p if where the notation Y b q is defined by f(y q,x p ) = b F q Y b q g b (X p ), (7) Y b q = { 1 if Yq = b 0 if Y q b. (8) Theorem in [8] allows us to verify that the following lemma is true. Lemma : With the same notation as in Definition 1, if all the functions in G are m-resilient functions, then f is an m-resilient function. From now on, we will focus on highly nonlinear resilient Boolean functions with an even number of variables in the following sense. Definition : Let n 4 be even. f B n is said to be almost optimal if n 1 n/ N f < n 1 n/ 1. (9)

4 4 3 A Large Set of Disjoint Spectra Functions Disjoint spectra functions will play an important role in constructing almost optimal resilient functions in this paper. Definition 3: A set of Boolean functions {g 1,g,,g e } B p such that for any α F p, W gi (α) W gj (α) = 0, 1 i < j e (10) is called a set of disjoint spectra functions. The idea that two Boolean functions with disjoint spectra can be used to construct highly nonlinear resilient functions was clearly mentioned in [18], and it was also used in [9], [7], [1]. In this section, we provide a simple construction method for a large set of disjoint spectra functions by using a set of partially linear functions. As a family of special resilient functions, partially linear functions were firstly considered by Siegenthaler [8]. Here is the definition of such functions. Definition 4: Let t be a positive integer and {i 1,,i t } {i t+1,,i p } = {1,,p}. Let X p = (x 1,,x p ) F p, X t = (x i 1,,x it ) F t and X p t = (x i t+1,,x ip ) F p t. For any c F t, g c B p is called a tth-order partially linear function if g c (X p ) = c X t h c(x p t ) (11) where h c B p t. Now we use partially linear functions to construct a set of disjoint spectra functions. Lemma 3: With the same notation as in Definition 4, a set of tth-order partially linear functions T = {g c (X p ) = c X t h c(x p t ) c Ft } (1) is a set of disjoint spectra functions. Proof: Let α = (δ,θ) F p, where δ Ft and θ Fp t. For any g c T, W gc (α) = ( 1) c X t hc(x p t ) α Xp We have X p F p = X p F p = X t Ft = X t Ft ( 1) (c+δ) X t (hc(x p t ) θ X p t ) ( 1) (c+δ) X t ( 1) (c+δ) X t X p t Fp t ( 1) (hc(x p t ) θ X p t ) W hc (θ) (13) W gc (α) = { 0 if c δ t W hc (θ) if c = δ. (14) For any g c T, c c, we have W gc (α) W gc (α) = 0. According to Definition 3, T is a set of disjoint spectra functions. Disjoint spectra functions (partially linear functions) will be used as the components to construct almost optimal resilient Boolean functions in this paper. Open Problem: Construct a large set of disjoint spectra functions which are not (linearly equivalent to) partially linear functions. 4 Main Construction This section presents a method for constructing resilient Boolean functions with very high nonlinearity. The algebraic degrees of the functions are also given.

5 5 Construction 1: Let n 1 be an even number, m be a positive number, and (a 1,,a s ) F s such that n/ ( ) n/ k n/ s ( ) n/ k + a k n/ (15) j j j=m+1 j=m+1 where s = (n m )/4. Let X n/ = (x 1,,x n/ ) F n/, X t = (x 1,,x t ) F t, and X k = (x t+1,,x n/ ) F k with t+k = n/. Let Γ 0 = {c X n/ c F n/, wt(c) > m}. (16) For 1 k s, let H k be a nonempty set of k-variable bent functions with algebraic degree max(k, ) and where h c H k. Set Γ k = {c X t h c (X k) c F t,wt(c) > m} (17) Γ = s Γ k. (18) k=0 Denote by φ any injective mapping from F n/ to Γ. Then for (Y n/,x n/ ) F n/ F n/ we construct the function f B n as follows: f(y n/,x n/ ) = φ(b). (19) Remark 1: 1) For Inequality (15) holds, we have Γ = b F n/ Y b n/ s Γ k n/. (0) k=0 Due to this we can find an injective mapping φ. ) All the functions in Γ are partially linear functions and each Γ k is a set of disjoint spectra functions. Theorem 1: Let f F n be as in Construction 1. Then f is an almost optimal (n,m,d,n f) function with s N f n 1 n/ 1 (a k n/ k 1 ) (1) and d n/+max{,max{k a k 0, k = 1,, s}}. () Proof: For any (β,α) F n/ F n/ we have W f (β,α) = ( 1) f(y n/,x n/ ) (β,α) (Y n/,x n/ ) (Y n/,x n/ ) F n = b F n/ = = b F n/ s k=0 ( 1) β b X n/ F n/ ( 1) β b W gb (α) φ(b) Γ k b F n/ ( 1) g b(x n/ ) α X n/ ( 1) β b W gb (α) (3) Let 0 k s. Any g b Γ k is a partially linear function. From (14), we have W gb (α) {0,± n/ k }.

6 6 Let Since (15) holds, there exists an injective mapping φ such that A k = Γ k {φ(b) b F n/ }. (4) s m ( ) n/ A k =. (5) i i=1 From Lemma 3, Γ k is a set of disjoint spectra functions. Noting (10), if A k, then we have ( 1) β b W gb (α) {0,± n/ k }. (6) φ(b) Γ k b F n/ If A k =, then we have φ(b) Γ k b F n/ ( 1) β b W gb (α) = 0. (7) Combining (3), (6), and (7), we have where W f (β,α) n/ + a k = s a k n/ k (8) { 0 if Ak = 1 if A k. (9) From (4), Inequality (1) holds. From Definition, f is almost optimal. Note that the algebraic degree of any function in Γ 1 is. Hence, when max{k a k 0, k = 1,, s} = 1 (30) d n/+ where the equality holds if and only if A 1 is odd. Note that the algebraic degree of any bent functions on F k can reach k when k. So d can reach n/+k when k and A k is odd, where k = max{k a k 0, k = 1,, s}. (31) Any g b Γ, b F n/, is an m-resilient function, where g b (X n/ ) = φ(b). From Lemma, f is an m-resilient function since it is a concatenation of m-resilient functions. Remark : 1) The nonlinearity of the resilient functions constructed above is always strictly greater than n 1 n/. For reasonable fixed n and m, the nonlinearity of the constructed functions is always greater than that of the known ones except some functions on small even number of variables. ) Let m be the maximum number such that Inequality (15) holds. Roughly speaking, m/n tends to 1/4. Example 1: It is possible to construct a (16,1,10, ) function. Note that s = (n m )/4 =3. For 1 k 3, let X 8 k = (x 1,,x 8 k ) F 8 k and X k = (x 8 k+1,,x 8 ) F k. Let X 8 = (X 8 k,x k ) F8. We construct four sets of disjoint spectra functions as follows: For 1 k 3, where h c H k. We have Γ 0 = {c X 8 wt(c) > 1,c F 8 }. Γ k = {c X 8 k h c(x k ) wt(c) > 1,c F8 k } Γ k = 8 k i= ( 8 k i ), 0 k 3.

7 7 Notice that Γ 0 + Γ = 58 > 8, it is possible to establish an injective mapping φ from F 8 to R, where R = Γ 0 Γ. Then for (Y 8,X 8 ) F 8 F8 we construct the function f B 16 as follows: f(y 8,X 8 ) = b F 8 From (8), for any (β,α) F 8 F8, we have By (4), we have max W f (β,α) (β,α) F 8 3 k=0 g Γ k W g (α) = Y b 8 φ(b). 3 k=0 N f max W g (α) = α F 8 g Γ k Note that the partially linear function in Γ can be denoted by g = c X 4 h c(x 4 ) where h c is a bent function on F 4. Since the algebraic degree of h c(x 4 ) can reach, deg(f) can reach 8+=10. So it is possible to obtain a (16,1,10, ) function. 5 Degree Optimization Let {i 1,,i m+1 } {i m+,,i n/ } = {1,,n/}. The algebraic degree of any (n,m,d,n f ) function f obtained in Construction 1 can be optimized by adding a monomial x im+ x in/ to one function g Γ with φ 1 (g), where g can be denoted by g = x i1 x im+1 (x im+,,x in/ ). (3) It is not difficult to prove that N f {N f,n f m+1 }, where N f is the nonlinearity of the degreeoptimized function f. To optimize the algebraic degree of f and ensure that N f = N f, we below propose an idea to construct a set of disjoint spectra functions Γ 0 including a nonlinear function g = g +x im+ x in/. Construction : Let n 1 be an even number, m be a positive number, and (a 1,,a s ) F s such that n/ ( ) n/ k n/ s ( ) n/ k n/ m a k n/ (33) j j j=m+1 where s = (n m )/4. Let Let j=m+1 S = {c c = (c 1,,c n/ ) F n/,wt(c) > m,(c i1,,c im+1 ) = (1 1)}. (34) g (X n/ ) = c X n/ x im+ x im+3 x in/ (35) where c S. For 1 k s, Γ k is defined as in Construction 1. And we modify the Γ 0 in Construction 1 as follows: Set Γ 0 = {g (X n/ )} {c X n/ c F n/,wt(c) > m,c / S}. (36) Γ = Γ 0 Γ 1 Γ s. (37)

8 8 Denote by φ any injective mapping from F n/ to Γ such that φ 1 (g c ). The function f B n is constructed as follows: f (Y n/,x n/ ) = Yn/ b φ (b). (38) b F n/ Theorem : The function f F n proposed by Construction is an almost optimal (n,m,n m 1,N f ) function with N f n 1 n/ 1 s a k n/ k 1. (39) Proof: f is an m-resilient function since it is a concatenation of m-resilient functions. Let g b (X n/ ) = φ (b) Γ, b F n/. From the proof of Theorem 1, for any (β,α) F n/ F n/, we have W f (β,α) = φ(b) Γ 0 b F n/ ( 1) β b W gb (α)+ s φ(b) Γ k b F n/ ( 1) β b W gb (α). (40) Let c = (c 1,,c n/ ) Fn/ and α = (α 1,,α n/ ) F n/. We have W g (α) = X n/ F n/ = ( 1) (c +α) X n/ x im+ x in/ n/ m+ if α = c ± m+ if α c and θ = δ 0 if α c and θ δ. (41) where δ = (c i 1,,c i m+1 ) and θ = (α i1,,α im+1 ). Let g b (X n/ ) = φ (b) Γ, b F n/. When g b Γ 0 and g b = c X n/ g, we have W gb (α) = { 0 if α c n/ if α = c. (4) From (36), if α c and (α i1,,α im+1 ) = (1 1), then α c. Obviously, Γ 0 is a set of disjoint spectra functions. So we have ( 1) β b W gb (α) {0,± m+,±( n/ m+ ),± n/ }. (43) φ(b) Γ 0 b F n/ Let A k = Γ k {φ(b) b F n/ }. Similarly to the proof of Theorem 1, for any (β,α) F n, we have where W f (β,α) n/ + a k = s a k n/ k { 0 if Ak = 1 if A k. From (3), Inequality (39) holds and f is obviously almost optimal. For the existence of g, deg(f ) = n m 1. Remark 3: 1) Apparently, the idea above to obtain degree-optimized resilient functions is firstly considered by Pasalic [17]. ) A long list of input instances and the corresponding cryptographic parameters can be found in Table 1 and Table. In Table, the entries with * represent the functions that can not be degree optimized via Construction on the premise of that N f = N f.

9 Table 1: Existence of Almost Optimal (n,m,n m 1,N f ) functions (1 m 4) m n N f 1 n 0 n 1 n/ 1 n/ n 11 n 1 n/ 1 n/ n 13 n 1 n/ 1 n/4+ n/4+1 4 n 0 n = 136 n 1 n/ 1 n/4+ n/4+1 n/ n 49 n 1 n/ 1 n/ n 51 n 1 n/ 1 n/4+3 n/ n 50 n 1 n/ 1 (n+6)/ n 58 n 1 n/ 1 (n+6)/4 (n+)/4 4 6 n 38 n 1 n/ 1 (n+10)/4 4 n 4 n 46 n 1 n/ 1 (n+10)/4 (n+)/ n 90 n 1 n/ 1 (n+10)/4 (n+6)/ n 98 n 1 n/ 1 (n+10)/4 (n+6)/4 (n+)/4 4 n = 16 n 1 n/ 1 n/ n 40 n 1 n/ 1 n/4+3 8 n = 44 n 1 n/ 1 n/4+3 n/4+ 8 n 0 48 n 84 n 1 n/ 1 n/4+4 8 n = 88 n 1 n/ 1 n/4+4 n/ n 96 n 1 n/ 1 n/4+4 n/ n 176 n 1 n/ 1 n/ n 6 n 1 n/ 1 (n+10)/4 8 n 30 n 58 n 1 n/ 1 (n+14)/4 8 6 n 66 n 1 n/ 1 (n+14)/4 (n+10)/ n 1 n 1 n/ 1 (n+18)/4 8 n = 0 n 1 n/ 1 n/4+3 n/ n 3 n 1 n/ 1 n/ n = 36 n 1 n/ 1 n/4+4 n/ n 56 n 1 n/ 1 n/ n 0 n = 60 n 1 n/ 1 n/4+5 n/ n 88 n 1 n/ 1 n/ n = 9 n 1 n/ 1 n/4+6 n/ n = 96 n 1 n/ 1 n/4+6 n/ n 144 n 1 n/ 1 n/ n 6 n 1 n/ 1 (n+14)/ n 4 n 1 n/ 1 (n+18)/4 16 n = 46 n 1 n/ 1 (n+18)/4 (n+14)/4 16 n 5 n 70 n 1 n/ 1 (n+)/4 16 n = 74 n 1 n/ 1 (n+)/4 (n+18)/4 16 n = 78 n 1 n/ 1 (n+)/4 (n+18)/4 (n+14)/ n 114 n 1 n/ 1 (n+6)/ n 3 n 1 n/ 1 n/ n 48 n 1 n/ 1 n/4+6 3 n = 5 n 1 n/ 1 n/4+6 n/4+5 3 n 0 56 n 68 n 1 n/ 1 n/4+7 3 n = 7 n 1 n/ 1 n/4+7 n/4+5 n/ n 100 n 1 n/ 1 n/4+8 3 n = 6 n 1 n/ 1 (n+18)/ n 38 n 1 n/ 1 (n+)/4 3 n = 4 n 1 n/ 1 (n+)/4 (n+18)/4 3 n 46 n 58 n 1 n/ 1 (n+6)/4 3 n = 6 n 1 n/ 1 (n+6)/4 (n+)/ n 8 n 1 n/ 1 (n+30)/4 3 n = 86 n 1 n/ 1 (n+30)/4 (n+)/4 (n+18)/4 (n+14)/4 3 n = 90 n 1 n/ 1 (n+30)/4 (n+6)/4 (n+)/ n 118 n 1 n/ 1 (n+34)/4 3 9

10 10 Table : (n,m,n m 1,N f ) functions (m 5)which were not known earlier (30,5,4, ) (36,5,30, ) (38,5,3, ) (4,5,36, ) (44,5,38, ) (48,5,4, ) (54,5,48, ) (58,5,5, ) (60,5,54, ) (64,5,48, ) (70,5,64, ) (74,5,68, ) (76,5,70, ) (80,5,74, ) (84,5,78, ) (88,5,8, ) (90,5,84, ) (94,5,88, ) (98,5,9, ) (100,5,94, ) (34,6,7, ) (40,6,33, ) (4,6,35, ) (48,6,41, ) (5,6,45, 51 5 ) (54,6,47, ) (60,6,53, ) (64,6,47, ) (66,6,59, ) (70,6,63, ) (76,6,69, ) (80,6,73, ) (8,6,75, ) (86,6,79, ) (90,6,83, ) (9,6,85, ) (96,6,89, ) (100,6,93, ) (38,7,30, ) (40,7,3, ) (46,7,38, 45 0 ) (48,7,40, ) (5,7,44, ) (54,7,46, ) (58,7,50, ) (60,7,5, ) (64,7,46, ) (66,7,58, ) (70,7,6, ) (7,7,64, ) (76,7,68, ) (78,7,70, ) (8,7,74, ) (86,7,78, ) (88,7,80, ) (9,7,84, ) (98,7,90, ) (100,7,9, ) (4,8,33, ) (44,8,35, ) (50,8,41, ) (5,8,43, ) (58,8,49, ) (64,8,45, ) (68,8,59, ) (70,8,61, ) (7,8,63, ) (76,8,67, ) (78,8,69, ) (8,8,73, ) (88,8,79, ) (9,8,83, ) (94,8,85, ) (98,8,89, ) (100,8,91, ) (00,8,191, ) (46,9,36, ) (48,9,38, 47 3 ) (54,9,44, ) (56,9,46, ) (6,9,5, ) (64,9,44, ) (68,9,58, ) (70,9,60, ) (74,9,64, (76,9,66, ) (80,9,70, ) (8,9,7, ) (88,9,78, ) (94,9,84, ) (98,9,88, ) (100,9,90, ) (5,10,41, ) (60,10,49, ) (66,10,55, ) (68,10,57, ) (74,10,63, ) (76,10,65, ) (80,10,69, ) (8,10,71, ) (84,10,73, ) (86,10,75, ) (88,10,77, ) (9,10,81, ) (94,10,83, ) (98,10,87, ) (100,10,89, ) (500,10,489, ) (100,1,78, ) (00,45,154, ) (184,38,145, ) (516,116,399, ) (83,00,631, ) (10000,475,754, )

11 11 6 Improved Version of the Main Construction Both constant functions and balanced Boolean functions are regarded as 0-resilient functions. The Boolean functions that are neither balanced nor correlation-immune are regarded as ( 1)-resilient functions (e.g. bent functions). Lemma 4: With the same notation as in the Definition 4, if h c is a v-resilient function, then g c is a (wt(c) + v)-resilient function. Proof: Let α F p and l = c X t. It is not difficult to deduce that W gc (α) = W l (α i1,,α it ) W hc (α it+1,,α ip ). When wt(α i1,,α it ) < wt(c), W l (α i1,,α it ) = 0. From Lemma 1, for h c is a v-resilient function, we have W hc (α it+1,,α ip ) = 0, for wt(α it+1,,α ip ) v. Obviously, W gc (α) = 0 when wt(α) wt(c) + v. From Lemma 1, g c is a (wt(c) + v)-resilient function. Construction 3: Let n 1 be an even number, m be a positive number, e k be a nonnegative number with 0 e k k +1, and a k F (k = 1,, n/4 ) such that n/ i=m+1 ( n/ i ) + n/4 a k n/ k j=m e k +1 Let X n/ = (x 1,,x n/ ) F n/, X t = (x 1,,x t ) F t where t+k = n/. Let ( ) n/ k n/. (44) j and X k = (x t+1,,x n/ ) F k, Ω 0 = {c X n/ c F n/, wt(c) > m}. (45) For 1 k n/4 and 0 e k m+1, let R k be a nonempty set of nonlinear (k,e k 1,,N hk ) functions with high nonlinearity and where h c R k. Set Ω k = {c X t h c (X k) c F t,wt(c) > m e k } (46) Ω = n/4 k=0 Ω k. (47) Denote by ϕ any injective mapping from F n/ to Ω such that there exists an (n/,m,n/ m 1,N gb ) function g b Ω with ϕ 1 (g b ). We construct the function f B n as follows: f(y n/,x n/ ) = b F n/ Y b n/ ϕ(b) (48) Theorem 3: If f B n is proposed by Construction 3, then f is an almost optimal (n,m,n m 1,N f ) function with n/4 N f n 1 n/ 1 (a k n/ k ( k 1 N hk )). (49) Proof: For any (β,α) F n/ F n/ we have W f (β,α) = s k=0 φ(b) Γ k b F n/ ( 1) β b W gb (α) (50) Let A k = Ω k {φ(b) b F n/ }. (51)

12 1 Note that each Ω k (k = 0,1,, n/4 ) is a set of disjoint spectra functions. Similarly to the proof of Theorem 1, we obtain where W f (β,α) n/ + a k = s a k n/ k ( k N hk ) (5) { 0 if Ak = 1 if A k. From (3), Inequality (49) holds. From Lemma 4, all the functions in Ω are m-resilient functions. Due to Lemma, f is an m-resilient function. For the existence of a degree-optimized function g b Ω with ϕ 1 (g b ), we have deg(f) = n m 1. Fixing n and m, we can also obtain lots of degree-optimized resilient functions whose nonlinearity are better than that of functions constructed by Construction 1. See the following example. Example : It is possible to construct a (8,1,6, ) function. Let and Ω 0 = {c X t c F14, wt(c) } Ω 5 = {c X 4 h c (X 10) c F 4, h c R 5 } where R 5 is a nonempty set of (10,1,8,49) functions [8]. Note that Ω 0 = 16369, Ω 5 = 16. For > 14, it is possible to select 14 many 14-variable 1-resilient functions from Ω 0 Ω 5. We concatenate these functions and obtain a (8,1,6, ) function. Similarly,onecanobtainthefollowingresilientfunctions: (36,3,3, ), (4,5,36, ), (66,10,55, ), (86,4,81, ), etc. 7 Conclusion and an Open Problem In this paper, we described a technique for constructing resilient functions with good nonlinearity on large even number variables. As a consequence, we obtained general constructions of functions which were not known earlier. Sarkar and Maitra [3] have shown that the nonlinearity of any (n,m,n m 1,N f ) function (m n ) is divisible by m+. And they have deduced the following result: If n is even, and m n/, then N f n 1 n/ 1 m+1. But we suppose that this upper bound could be improved. So we propose an open problem as follows: Does there exist n-variable (n even), m-resilient (m 0) functions with nonlinearity > n 1 n/ 1 n/4 +m 1? If there does, how to construct these functions? Conjecture: Let n 1 be even and m n/. For any (n,m,,n f ) function, the following inequality always holds: References N f n 1 n/ 1 n/4 +m 1. (53) [1] P. Camion, C. Carlet, P. Charpin, and N. Sendrier, On correlation-immune functions, in Advances in Cryptology - CRYPTO 91 (Lecture Notes in Computer Sceince). Berlin, Germany: Springer-Verlag, 199, vol. 547, pp [] C. Carlet, A larger class of cryptographic Boolean functions via a study of the Maiorana- Mcfarland constructions, in Advances in Cryptology - CRYPTO 00 (Lecture Notes in Computer Sceince), Berlin, Germany: Springer-Verlag, 00, vol. 44, pp [3] S. Chee, S. Lee, D. Lee, and S. H. Sung, On the correlation immune functions and their nonlinearity, in Advances in Cryptology- Asiacrypt 96 (Lecture Notes in Computer Sceince). Berlin, Germany: Springer-Verlag, 1997, vol. 1163, pp

13 13 [4] J. Clark, J. Jacob, S. Stepney, S. Maitra, and W. Millan, Evolving Boolean functions satisfying multiple criteria, in Progress in INDOCRYPT 00(Lecture Notes in Computer Science). Berlin, Germany: Springer-Verlag, 00, vol. 551, pp [5] J. F. Dillon, Elementary Hadamard difference set, Ph.D. Thesis, University of Maryland, [6] H. Dobbertin, Construction of bent functions and balanced Boolean functions with high nonlinearity, in Workshop on Fast Software Encryption (FES 1994) (Lecture Notes in Computer Science). Berlin, Germany: Springer-Verlag, 1995, vol. 1008, pp [7] M. Fedorova and Y. V. Tarannikov, On the constructing of highly nonlinear resilient Boolean functions by means of special matrices, in Progress in Cryptology - INDOCRYPT 001 (Lecture Notes in Computer Science). Berlin, Germany: Springer-Verlag, 001, vol. 47, pp [8] S. Kavut, S. Maitra, and M. D. Yücel, Search for Boolean functions with excellent profiles in the rotation symmetric class, IEEE Transations on Information Theory, vol. 53, no. 5, pp , 007. [9] K. Khoo, G. Gong, and H.-K. Lee, The rainbow attack on stream ciphers based on Maiorana- McFarland functions, in Appiled Cryptography and Network Security - ACNS 006 (Lecture Notes in Computer Sceince), Berlin, Germany: Springer-Verlag, 006, vol. 3989, pp [10] F. J. MacWilliams and N. J. A. Sloane, The Theory of Error-Correcting Codes, Amsterdam, The Netherlands: North-Holland, [11] S. Maitra and E. Pasalic, A Maiorana-McFarland type construction for resilient Boolean functions on variables (n even) with nonlinearity > n 1 n/ + n/, Discrete Applied Mathematics, vol. 154, pp , 006. [1] S. Maitra and E. Pasalic, Further constructions of resilient Boolean functions with very high nonlinearity, IEEE Transations on Information Theory, vol. 5, no. 5, pp , 006. [13] W. Meier and O. Staffelbach, Nonlinearity criteria for cryptographic functions, in Advances in Cryptology - EUROCRYPT 89 (Lecture Notes in Computer Sceince), Berlin, Germany: Springer-Verlag, 1990, vol. 434, pp [14] W. Millan, A. Clark, and E. Dawson, An effective genetic algorithm for finding highly nonlinear Boolean functions, in Proceedings of the First International Conference on Information and Communication Security (Lecture Notes in Computer Science). Berlin, Germany: Springer-Verlag, 1997, vol. 1334, pp [15] W. Millan, A. Clark, and E. Dawson, Boolean function design using hill climbing methods, in Proceedings of the 4th Australasian Conference on Information Security and Privacy (Lecture Notes in Computer Science). Berlin, Germany: Springer-Verlag, 1999, vol. 1587, pp [16] W. Millan, A. Clark, and E. Dawson. Heuristic design of cryptographically strong balanced Boolean functions, in Advances in Cryptology - EUROCRYPT 98 (Lecture Notes in Computer Science). Berlin, Germany: Springer-Verlag, 1998, vol. 1403, pp [17] E. Pasalic, Maiorana-McFarland class: degree optimization and algebraic properties, IEEE Transactions on Information Theory, vol. 5, no.10, pp , 006. [18] E. Pasalic, S. Maitra, T. Johansson, and P. Sarkar, New constructions of resilient and correlation immune Boolean functions achieving upper bounds on nonlinearity, in Workshop on Coding and Cryptography - WCC 001, Paris, France, Jan. 8-1, 001. Published in Electronic Notes in Discrete Mathematics. Amsterdam, The Netherlands: Elsevier Science, 001, vol. 6, pp [19] O. S. Rothaus, On bent functions, Journal of Combinatorial Theory, Ser. A, vol. 0, pp , [0] Z. Saber, M. F. Uddin, and A. Youssef, On the existence of (9,3,5,40) resilient functions, IEEE Transations on Information Theory, vol. 48, no. 7, pp , 00.

14 14 [1] P. Sarkar and S. Maitra, Construction of nonlinear Boolean functions with important cryptographic properties, in Advances in Cryptology - EUROCRYPT 000 (Lecture Notes in Computer Sceince), Berlin, Germany: Springer-Verlag, 000, vol. 1807, pp [] P. Sarkar and S. Maitra, Efficient implementation of cryptographically useful large Boolean functions, IEEE Transactions on Computers, vol. 5, no. 4, pp , 003. [3] P. Sarkar and S. Maitra, Nonlinearity bounds and constructions of resilient Boolean functions, in Advances in Cryptology - CRYPTO 000 (Lecture Notes in Computer Sceince), Berlin, Germany: Springer-Verlag, 000, vol. 1880, pp [4] P. Sarkar and S. Maitra, Construction of nonlinear resilient Boolean functions using small affine functions, IEEE Transactions on Information Theory, vol. 50, no. 9, pp , 004. [5] J. Seberry, X.-M. Zhang, and Y. Zheng, Nonlinearity and propagation characteristics of balanced Boolean functions, Information and Computation, vol. 119, pp. 1-13, [6] J. Seberry, X.-M. Zhang, and Y. Zheng, Nonlinearly balanced Boolean functions and their propagation characteristics, in Advances in Cryptology - CRYPTO 93 (Lecture Notes in Computer Sceince), Berlin, Germany: Springer-Verlag, 1994, vol. 773, pp [7] J. Seberry, X.-M. Zhang, and Y. Zheng, On constructions and nonlinearity of correlation immune Boolean functions, in Advances in Cryptology - EUROCRYPT 93 (Lecture Notes in Computer Sceince), Berlin, Germany: Springer-Verlag, 1984, vol. 765, pp [8] T. Siegenthaler, Correlation-immunity of nonlinear combining functions for cryptographic applications, IEEE Transactions on Information Theory, vol. 30, no.5, pp , [9] Y. V. Tarannikov, On resilient Boolean functions with maximum possible nonlinearity, in Progress in Cryptology - INDOCRYPT 000 (Lecture Notes in Computer Science). Berlin, Germany: Springer Verlag, 000, vol. 1977, pp [30] Y. V. Tarannikov, New constructions of resilient Boolean functions with maximal nonlinearity, in Workshop on Fast Software Encryption (FSE 001) (Lecture Notes in Computer Science). Berlin, Germany: Springer-Verlag, 001, vol. 355, pp [31] GZ. Xiao and J. L. Massey, A spectral characterization of correlation-immune combining functions, IEEE Transactions on Information Theory, vol. 34, no. 3, pp , 1988.