Nonlinearity of Boolean functions: an algorithmic approach based on multivariate polynomials

We compute the nonlinearity of Boolean functions with Groebner basis techniques, providing two algorithms: one over the binary field and the other over the rationals. We also estimate their complexity. Then we show how to improve our rational algorithm, arriving at a worst-case complexity of $O(n2^n)$ operations over the integers, that is, sums and doublings. This way, with a different approach, we reach the same complexity of established algorithms, such as those based on the fast Walsh transform.


Introduction
Any function from $(\mathbb{F}_2)^n$ to $\mathbb{F}_2$ is called a Boolean function. Boolean functions are important in symmetric cryptography, since they are used in the confusion layer of ciphers. An affine Boolean function does not provide an effective confusion. To overcome this, we need functions which are as far as possible from being an affine function. The effectiveness of these functions is measured by several parameters, one of which is called "nonlinearity" ([Car10]). In this paper, we provide three methods to compute the nonlinearity of Boolean functions. Moreover, we give an estimate of the complexity of our methods, comparing it with the complexity of the classical method which uses the fast Walsh transform and the fast Möbius transform.

In Sections 2 and 3 we recall the basic notions and statements, especially regarding Boolean functions, which are necessary for our methods. In Sections 4 and 5 we provide two algorithms which reduce the problem of computing the nonlinearity of a Boolean function to that of solving a Gröbner basis. In particular, in Section 5 we associate to each Boolean function in $n$ variables a polynomial whose evaluations represent the distance from all possible affine functions. In Section 6 we show that this polynomial can be used to find the nonlinearity of a Boolean function without passing through a Gröbner basis computation. In Section 7 we provide some results to express the coefficients of this polynomial, and we show in Section 8 that these can be computed also using fast transforms. Finally, in Section 9 we analyze the complexity of the proposed methods, both experimentally and theoretically. In particular, we show that using fast Fourier methods we arrive at a worst-case complexity of $O(n2^n)$ operations over the integers, that is, sums and doublings. This way, with a different approach, we reach the same complexity of established algorithms, such as those based on the fast Walsh transform.

Preliminaries and Notation on Boolean functions
In this chapter we summarize some definitions and known results from [Car10] and [MS77], concerning Boolean functions and the classical techniques to determine their nonlinearity.
We denote by $\mathbb{F}$ the field $\mathbb{F}_2$. The set $\mathbb{F}^n$ is the set of all binary vectors of length $n$, viewed as an $\mathbb{F}$-vector space. Let $v \in \mathbb{F}^n$. The Hamming weight $w(v)$ of the vector $v$ is the number of its nonzero coordinates. For any two vectors $v_1, v_2 \in \mathbb{F}^n$, the Hamming distance between $v_1$ and $v_2$, denoted by $d(v_1, v_2)$, is the number of coordinates in which the two vectors differ. A Boolean function is a function $f : \mathbb{F}^n \to \mathbb{F}$. The set of all Boolean functions from $\mathbb{F}^n$ to $\mathbb{F}$ will be denoted by $B_n$.

Evaluation vector
We assume implicitly to have ordered $\mathbb{F}^n$, so that $\mathbb{F}^n = \{p_1, \ldots, p_{2^n}\}$. A Boolean function $f$ can be specified by a truth table, which gives the evaluation of $f$ at all $p_i$'s.
Definition 2.1. We consider the evaluation map: The vector f is called the evaluation vector of $f$.
Once the order on $\mathbb{F}^n$ is chosen, i.e. the $p_i$'s are fixed, it is clear that the evaluation vector of $f$ uniquely identifies $f$.

Algebraic normal form
A Boolean function $f \in B_n$ can be expressed in a unique way as a square free polynomial in This representation is called the Algebraic Normal Form (ANF).
Definition 2.2. The degree of the ANF of a Boolean function $f$ is called the algebraic degree of $f$, denoted by $\deg f$, and it is equal to max{w
Let $A_n$ be the set of all affine functions from $\mathbb{F}^n$ to $\mathbb{F}$, i.e. the set of all Boolean functions in $B_n$ with algebraic degree 0 or 1. If $\alpha \in A_n$ then its ANF can be written as
There exists a simple divide-and-conquer butterfly algorithm ([Car10], p.10) to compute the ANF from the truth table (or vice versa) of a Boolean function, which requires $O(n2^n)$ bit sums, while $O(2^n)$ bits must be stored. This algorithm is known as the fast Möbius transform.

Numerical normal form
In [CG99] a useful representation of Boolean functions for characterizing several cryptographic criteria (see also [CG01], [Car02]) is introduced. Boolean functions can be represented as elements of $K[X]/ X^2 - X$, where $X^2 - X$ is the ideal generated by the polynomials
Definition 2.3. Let $f$ be a function on $\mathbb{F}^n$ taking values in a field $K$. We call the numerical normal form (NNF) of $f$ the following expression of $f$ as a polynomial:
It can be proved that any Boolean function $f$ admits a unique numerical normal form. As for the ANF, it is possible to compute the NNF of a Boolean function from its truth table by means of an algorithm similar to a fast Fourier transform, thus requiring $O(n2^n)$ additions over $K$ and storing $O(2^n)$ elements of $K$.
From now on let $K = \mathbb{Q}$. The truth table of $f$ can be recovered from its NNF by the formula where a u $\iff \forall i \in \{1, \ldots, n\}\ a_i \le u_i$. Conversely, it is possible to derive an explicit formula for the coefficients of the NNF by means of the truth table of $f$.
Proposition 2.4. Let $f$ be any integer-valued function on $\mathbb{F}^n$. For every $u \in \mathbb{F}^n$, the coefficient $\lambda_u$ of the monomial $X^u$ in the NNF of $f$ is: (1)

Nonlinearity of a Boolean function
The following lemma is obvious:
Lemma 2.6. Let $f, g$ be two Boolean functions. Then
Definition 2.7. Let $f \in B_n$. The nonlinearity of $f$ is the minimum of the distances between $f$ and any affine function
The maximum nonlinearity for a Boolean function $f$ is bounded by: (2)

Walsh transform of a Boolean function
Definition 2.8. The Walsh transform of a Boolean function $f \in B_n$ is the following function: where $x \cdot y$ is the scalar product of $x$ and $y$.
We have the following fact: Fact 2.9.
It is possible to compute the Walsh spectrum of $f$ from its evaluation vector in $O(n2^n)$ integer operations, while storing $O(2^n)$ integers, by means of the fast Walsh transform (the Walsh transform is the Fourier transform of the sign function of $f$). Thus the computation of the nonlinearity of a Boolean function $f$, when this is given either in its ANF or in its evaluation vector, requires $O(n2^n)$ integer operations and a memory of $O(2^n)$.
Faster methods are known in particular cases, for example when the ANF is a sparse polynomial [Çal13a], [Çal13b].

Preliminary results
Here we present the main results from [SS07], [Sim09]. The same techniques are also applied in [GOS06] and [Gue05].

Polynomials and vector weights
Let $K$ be a field and $X = \{x_1, \ldots, x_s\}$ be a set of variables. We denote by $K[X]$ the multivariate polynomial ring in the variables $X$. If $f_1, \ldots, f_N \in K[X]$, we denote by $\{f_1, \ldots, f_N\}$ the ideal in $K[X]$ generated by $f_1, \ldots, f_N$. Let $q$ be the power of a prime. We denote by $E_q[X] = \{x_1^q - x_1, \ldots, x_s^q - x_s\}$ the set of field equations in $\mathbb{F}_q[X] = \mathbb{F}_q[x_1, \ldots, x_s]$, where $s \ge 1$ is an integer, understood from now on. We write $E[X]$ when $q = 2$.
Definition 3.1. Let $1 \le t \le s$ and $m \in \mathbb{F}_q[X]$. We say that $m$ is a square free monomial of degree $t$ (or a simple $t$-monomial) if: where $h_1, \ldots, h_t \in \{1, \ldots, s\}$ and $h_\ell \ne h_j$, $\forall \ell \ne j$, i.e. a monomial in $\mathbb{F}_q[X]$ such that $\deg_{x_{h_i}}(m) = 1$ for any $1 \le i \le t$. We denote by $M_{s,t}$ the set of all square free monomials of degree $t$ in $\mathbb{F}_q[X]$.
Let $t \in \mathbb{N}$, with $1 \le t \le s$ and let $I_{s,t} \subset \mathbb{F}_q[X]$ be the following ideal where $\sigma_i$ are the elementary symmetric functions: We also denote by $I_{s,s+1}$ the ideal $E_q[X]$. For any $1 \le i \le s$, let $P_i$ be the set which contains all vectors in $(\mathbb{F}_q)^n$ of weight $i$, $P_i = \{v \in \mathbb{F}_q^n \mid w(v) = i\}$, and let $Q_i$ be the set which contains all vectors of weight up to $i$, $Q_i = \sqcup_{0 \le j \le i} P_j$.
Theorem 3.2. Let $t$ be an integer such that $1 \le t \le s$. Then the vanishing ideal and its reduced Gröbner basis $G$ is
Let $\mathbb{F}_q[Z]$ be a polynomial ring over $\mathbb{F}_q$. Let $m \in M_{s,t}$, $m = z_{h_1} \cdots z_{h_t}$. For any polynomial vector $W$ in the module $(\mathbb{F}_q[Z])^n$, $W = (W_1, \ldots, W_n)$, we denote by $m(W)$ the following polynomial in $\mathbb{F}_q[Z]$:

Computing the nonlinearity using Gröbner bases over F
In this section we show how to use Theorem 3.2 to compute the nonlinearity of a given Boolean function $f \in B_n$. We want to define an ideal such that a point in its variety corresponds to an affine function with distance at most $t - 1$ from $f$. Let $A$ be the variable set $A = \{a_i\}_{0 \le i \le n}$. We denote by $g_n \in \mathbb{F}[A, X]$ the following polynomial:
According to Lemma 2.6, determining the nonlinearity of $f \in B_n$ is the same as finding the minimum weight of the vectors in the set $\{f + g \mid g \in A_n\} \subset \mathbb{F}^{2^n}$. We can consider the evaluation vector of the polynomial $g_n$ as follows:
Example 4.1. Let $g_3$ be a general affine function in $A_3$. Then $g_3 = a_1x_1 + a_2x_2 + a_3x_3 + a_0$. We consider vectors in $\mathbb{F}^3$ ordered as follows: So we have that the evaluation vector of $g_3$ is:
Definition 4.2. We denote by $J^n_t(f)$ the ideal in $\mathbb{F}[A]$:
Lemma 4.4. For $1 \le t \le 2^n$ the following statements are equivalent: (1) (2)⇒(1). It can be proved by reversing the above argument.
From Lemma 4.4 we immediately have the following theorem.
From this theorem we can derive an algorithm to compute the nonlinearity for a function $f \in B_n$, by computing any Gröbner basis of $J^n_t(f)$.
Then we compute $f + g_5$ and we obtain: $f + g_5 = (a_0,\ a_1 + a_0,\ a_2 + a_0,\ a_3 + a_0,\ a_4 + a_0,\ a_5 + a_0,\ a_1 + a_2 + a_0,\ a_1 + a_3 + a_0,\ a_1 + a_4 + a_0,\ a_1 + a_5 + a_0,\ a_2 + a_3 + a_0,\ a_2 + a_4 + a_0,\ a_2 + a_5 + a_0,\ a_3 + a_4 + a_0,\ a_3 + a_5 + a_0,\ a_4 + a_5 + a_0 + 1,$
As it is obvious that $f$ is not affine, we start from the ideal $J^5_2(f)$, which is generated by
The Gröbner basis of $J^5_2(f)$ with respect to any monomial order is trivial so we compute a Gröbner basis of $J^5_3(f)$. We obtain that the Gröbner basis of $J^5_t(f)$ is trivial with respect to any monomial order for $2 \le t \le 4$. For $t = 5$, we obtain the following Gröbner basis with respect to the degrevlex order with $a_1 > a_2 > a_3 > a_4 > a_5 > a_0$:
Then $N(f) = 4$, that is, there is only one affine function $\alpha$ which has distance equal to 4 from $f$: $\alpha = 0$.

Computing the nonlinearity using Gröbner bases over Q
Here we present an algorithm to compute the nonlinearity of a Boolean function using Gröbner bases over $\mathbb{Q}$ rather than over $\mathbb{F}$, which turns out to be much faster than Algorithm 1. The same algorithm can be slightly modified to work over the field $\mathbb{F}_p$, where $p$ is a prime. The complexity of these algorithms will be analyzed in Section 9.
As we have seen in Section 4, the nonlinearity of a Boolean function can be computed using Gröbner bases over $\mathbb{F}$. It is sufficient to find the minimum $j$ such that the variety of the ideal $J^n_t(f)$ is not empty. Recall that
This method becomes impractical even for small values of $n$, since $\binom{2^n}{t}$ monomials have to be evaluated. A first slight improvement could be achieved by adding to the ideal one monomial evaluation at a time and checking whether 1 has appeared in the Gröbner basis. Even this way, the algorithm remains very slow.
For each $i = 1, \ldots, 2^n$, let us denote: the Boolean function where as usual $A = \{a_0, \ldots, a_n\}$ are the $n + 1$ variables representing the coefficients of a generic affine function.
In this case we have that: Note that the polynomials $f^{(\mathbb{F})}_i$ are affine polynomials. We also denote by f the integer nonlinearity polynomial (or simply the nonlinearity polynomial) of the Boolean function $f$. For any $t \in \mathbb{N}$ we define the ideal $N^t_f \subseteq \mathbb{Q}[A]$ as follows:
Note that the evaluation vector $n_f$ represents all the distances of $f$ from all possible affine functions (in $n$ variables).
Theorem 5.2. The variety of the ideal $N^t_f$ is non-empty if and only if the Boolean function $f$ has distance $t$ from an affine function. In particular, $N(f) = t$, where $t$ is the minimum positive integer such that $V(N^t_f) \ne \emptyset$.
Proof. Note that Hence and our claim follows directly.
To compute the nonlinearity of f we can use Algorithm 2 with input f .
Algorithm 2 To compute the nonlinearity of the Boolean function f
j ← j + 1
end while
return j

Computing the nonlinearity using fast polynomial evaluation
Once the nonlinearity polynomial $n_f$ is defined, we can use another approach to compute the nonlinearity avoiding the computations of Gröbner bases. We have to find the minimum nonnegative integer $t$ in the set of the evalua- We write explicitly the modified algorithm.

Algorithm 3 To compute the nonlinearity of the Boolean function f
Let us compute all f = $4a_0a_1a_2 - 2a_0 - 2a_1a_2 + 3$ and since then the nonlinearity of $f$ is 1.
Observe that the vector $n_f$ represents all the distances of $f$ from all possible affine functions in 2 variables, that is, from 0, 1,

Properties of the nonlinearity polynomial
From now on, with abuse of notation, we sometimes consider 0 and 1 as elements of $\mathbb{F}$ and other times as elements of $\mathbb{Z}$. We have the following definition where the sum on the right is in $\mathbb{Z}$.
It is easy to show that $b_1 \oplus \cdots \oplus b_n \in \{0, 1\}$. We give a theorem to compute the coefficients of the nonlinearity polynomial.
Then the coefficients of $n_f$ can be computed as:
Proof. The nonlinearity polynomial is the integer sum of the $2^n$ numerical normal forms of the affine polynomials $g_n(A, u) \oplus f(u) \in \mathbb{F}[A]$, each identified by the vector $u \in \mathbb{F}^n$, i.e.: for some $\lambda_v \in \mathbb{Z}$, and by Proposition 2.4
Let us prove Equation (4). When $v = (0, \ldots, 0)$ we have $c_{(0,\ldots,0)} =$
Let us prove Equation (5). Suppose $v \ne 0$. Now the coefficient $c_v$ of the monomial $A^v$ of the nonlinearity polynomial is such that: We prove that each $u$ such that ṽ = $(v_1, \ldots, v_n)$ u yields a zero term in the summation, as follows.
Clearly ā v and a v since $v_i = 1$.
By direct substitution we obtain Thanks to (7) we can continue from (6) and get where we used $a \oplus b = a + b - 2ab$. Now we consider $v, u$ fixed, and ṽ u. There are exactly $2^{w(v)}$ vectors $a$ such that a v, i.e.: Now we want to study the internal summation in (8).
Since a v and ṽ u then $(a_1, \ldots, a_n)$ u by transitivity. For all $j \notin U$ we have $a_j = 0$, and then $w(a_0, a_{j_1}, \ldots, a_{j_{w(u)}}) = w(a)$. Thus, for any $u \in \mathbb{F}^n$ we have and each of the two cases happens for exactly one half of the vectors a v.
Clearly the two halves are disjoint.
This yields, from (6) and (8), the following chain of equalities: u∈F n ṽ u a∈F n+1 , a v gn(a,u)=0 which proves the theorem.
In particular we have: Then we have that: And $\forall \tilde{v} \in \mathbb{F}^n$, $\tilde{v} \ne 0$ we have:
Corollary 7.3 shows that it is sufficient to store half of the coefficients of $n_f$, precisely the coefficients of the monomials where $a_0$ does not appear. A scheme that shows how to derive the coefficients of the nonlinearity polynomial in the case $n = 3$ can be seen in Tables 1 and 2.
Table 1 Computation of the coefficients of the nonlinearity polynomial with $n = 3$. Each line represents the NNF coefficients of the terms of $f(u) + g_n(A, u)$ not containing $a_0$.
Computation of the coefficients of the nonlinearity polynomial with $n = 3$. Each line represents the NNF coefficients of the terms of $f(u) + g_n(A, u)$ containing $a_0$.

Complexity of constructing the nonlinearity polynomial
We write the algorithm (Algorithm 4) to calculate the nonlinearity polynomial in $O(n2^n)$ integer operations.
(2) the storage of $O(2^n)$ integers of size less than or equal to $2^n$.
Proof. In the first part of Algorithm 4 (the computation of the coefficients of the monomials not containing $a_0$) the iteration on $i$ is repeated $n$ times. For each $i$, Step 6 and Step 8 or 10 are repeated $2^i \cdot \frac{2^n}{2^{i+1}} = 2^n/2$ times (since $b$ goes from 0 to $2^n$ by a step of $2^{i+1}$ and $x$ performs $2^i$ steps). In Step 6 only one integer sum is performed, in Step 8 we have one integer sum and one doubling, and in Step 10 only one doubling. Then the total amount of integer operations is Finally the computation of the coefficients of the monomials containing $a_0$ requires only $2^n$ integer doublings.
To store all the monomials of the nonlinearity polynomial we have to store $2^{n+1}$ integers, although Corollary 7.3 shows that it is sufficient to store only the first half of them, i.e. $2^n$ integers. By Corollary 7.4, their size is less than or equal to $2^n$.

Complexity considerations
First we recall that the complexity of computing the nonlinearity of a Boolean function with $n$ variables, having as input its coefficients vector, is $O(n2^n)$ using the Fast Möbius and the Fast Walsh Transform. We now want to analyze the complexity of Algorithms 1, 2 and 3.

Some considerations on Algorithm 1
In Algorithm 1, almost all the computations are wasted evaluating all possible simple $t$-monomials in $2^n$ variables, which are $\binom{2^n}{t}$. This number grows enormously even for small values of $n$ and $t$. We investigated experimentally how many of the $\binom{2^n}{t}$ monomials are actually needed to compute the final Gröbner basis of $J^n_t$. Our experiment ran over all possible Boolean functions in 3 and 4 variables. The results are reported in Tables 3, 4 and 5. In these tables, for each $J^n_t$ there are four columns. Let $G^n_t$ be the Gröbner basis of $J^n_t$. Under the column labeled #C we report the average number of checked monomials in $2^n$ variables before obtaining $G^n_t$. Under the column labeled #S we report the average number of monomials which are actually sufficient to obtain $G^n_t$. Under the columns labeled "m" and "M" we report, respectively, the minimum and the maximum number of sufficient monomials to find $G^n_t$ running through all possible Boolean functions in $n$ variables. For example, to compute the Gröbner basis of the ideal $J^3_2$ associated to a Boolean function $f$ whose nonlinearity is 2, we needed to check on average 24 monomials before finding the correct basis. Among the 24 monomials only 9.7 (on average) were sufficient to obtain the same basis, where the number of sufficient monomials never exceeded the range 8-11.

Algorithm 1 and 2
Since it is not easy to estimate the complexity of a Gröbner basis computation theoretically, we give some experimental results, shown in Table 6. In this table we report the coefficients of growth of the analyzed algorithms, comparing them with the value $\log_2 \frac{(n+1)2^{n+1}}{n2^n}$. For each algorithm we compute the average time $t_n$ to compute the nonlinearity of a Boolean function with $n$ variables and the average time $t_{n+1}$ to compute the nonlinearity of a Boolean function with $n + 1$ variables. Then we report in the table the value $\log_2 \frac{t_{n+1}}{t_n}$. When Gröbner bases are computed, the graded reverse lexicographical order is used, with the Magma [MAG] implementation of the Faugère $F_4$ algorithm.
Since the ideal $J^n_t(f)$ of Definition 4.2 is derived from the evaluation of $\binom{2^n}{t}$ monomials (generating at most the same number of equations), the complexity of Algorithm 1 is equivalent to the complexity of computing a Gröbner basis of at most $\binom{2^n}{t}$ equations of degree $d$ (where $1 < d \le t$) in $n + 1$ variables over the field $\mathbb{F}$. This method becomes almost impractical for $n = 5$. We recall that $t \le 2^{n-1} - 2^{\frac{n}{2}-1}$ (see Equation 2).
The complexity of Algorithm 2 is equivalent to the complexity of computing a Gröbner basis of only $n + 1$ field equations plus one single polynomial $n_f$ of degree at most $n + 1$ in $n + 1$ variables over the field $\mathbb{Q}$ (or over a prime field $\mathbb{F}_p$) with coefficients of size less than or equal to $2^n$. As shown in Table 6, computing this Gröbner basis over a prime field $\mathbb{F}_p$ with $p \sim 2^n$ is much faster than computing the same basis over $\mathbb{Q}$. It may be investigated whether there are better sizes for the prime $p$.
Proof. Algorithm 3 can be divided in three main steps:
(1) Calculation of the nonlinearity polynomial $n_f$. This step, as shown in Theorem 8.1, requires $O(n2^n)$ integer operations and $O(2^n)$ memory.
(2) Evaluation of the nonlinearity polynomial $n_f$. This step can be performed using fast Möbius transform in $O(n2^n)$ integer sums and $O(2^n)$ memory.
(3) Computation of the minimum $n_f(a)$ with $a \in \mathbb{Z}^{n+1}$. This step requires no more than $O(2^n)$ checks.
The overall complexity is then $O(n2^n)$ integer operations and $O(2^n)$ memory.
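The three steps of the proof above can be run end to end; the following Python is an added example, not the authors' code. Algorithm 4 does not survive on this page, so step (1) here uses a coefficient formula derived from the identity a ⊕ b = a + b − 2ab quoted in Section 7; the function names and the bit-to-variable indexing are assumptions of this example, and the fast Walsh transform is included only as a cross-check.

```python
"""Added example: nonlinearity via the nonlinearity polynomial n_f, checked against Walsh."""

def superset_sums(vals, n):
    """S[v] = sum of vals[u] over all u whose support contains v, in O(n 2^n) sums."""
    s = list(vals)
    for i in range(n):
        bit = 1 << i
        for u in range(1 << n):
            if not u & bit:
                s[u] += s[u | bit]
    return s

def nonlinearity_polynomial(tt, n):
    """Integer coefficients c[m] of n_f; bit 0 of m is a_0, bit i is a_i (indexing assumed here).

    tt[u] is f(u), with bit i-1 of u holding u_i. Summing the NNFs of
    f(u) XOR a_0 XOR (a . u) over all u, using a XOR b = a + b - 2ab, gives
    c[A^S] = (-2)^(|S|-1) * sum of (-1)^f(u) over u covering S minus {a_0}.
    """
    sign = [1 - 2 * b for b in tt]
    S = superset_sums(sign, n)
    c = [0] * (1 << (n + 1))
    c[0] = sum(tt)                            # constant term: Hamming weight of f
    c[1] = S[0]                               # coefficient of a_0 alone
    for v in range(1, 1 << n):
        c[v << 1] = (-2) ** (bin(v).count("1") - 1) * S[v]   # monomial without a_0
        c[(v << 1) | 1] = -2 * c[v << 1]                     # same monomial times a_0
    return c

def evaluate_everywhere(c, nvars):
    """Values of a square-free polynomial at all 0/1 points (subset sums of coefficients)."""
    e = list(c)
    for i in range(nvars):
        bit = 1 << i
        for a in range(1 << nvars):
            if a & bit:
                e[a] += e[a ^ bit]
    return e

def nonlinearity_via_polynomial(tt, n):
    """Step 1: coefficients; step 2: all evaluations (distances); step 3: minimum."""
    distances = evaluate_everywhere(nonlinearity_polynomial(tt, n), n + 1)
    return min(distances)

def nonlinearity_via_walsh(tt, n):
    """Classical route: fast Walsh transform of (-1)^f, then 2^(n-1) - max|W|/2."""
    w = [1 - 2 * b for b in tt]
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
        h *= 2
    return (1 << (n - 1)) - max(abs(x) for x in w) // 2

# Constructed inputs: f = x1*x2 + 1 (n = 2) and the bent function x1*x2 + x3*x4 (n = 4).
EXAMPLE_TT = [1, 1, 1, 0]
BENT_TT = [((u & 1) & ((u >> 1) & 1)) ^ (((u >> 2) & 1) & ((u >> 3) & 1)) for u in range(16)]

if __name__ == "__main__":
    print(nonlinearity_polynomial(EXAMPLE_TT, 2))   # coefficients of n_f
    for tt, n in ((EXAMPLE_TT, 2), (BENT_TT, 4)):
        print(n, nonlinearity_via_polynomial(tt, n), nonlinearity_via_walsh(tt, n))
```

For the constructed 2-variable input the coefficient vector reproduces the polynomial 4a0a1a2 − 2a0 − 2a1a2 + 3 from the Section 6 example, and the doubling relation between coefficients with and without a0 is the one that lets half of them be stored.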

Conclusions
We presented an approach to compute the nonlinearity of a Boolean function using multivariate polynomials. In particular we show that the problem of computing the distance of a generic Boolean function $f$ from the set of affine functions is equivalent to the problem of solving a multivariate polynomial system over the binary field. This system can be reformulated over the rationals by considering the associated pseudo Boolean function, and we can exhibit a multivariate polynomial whose evaluations solve the problem. Moreover, we evaluate our polynomial using fast Fourier techniques and solve the problem very efficiently. In particular, with our polynomial-based approach we compute the nonlinearity of any Boolean function in $O(n2^n)$ operations, reaching the same complexity of classical methods.

Acknowledgments
The first two authors would like to thank the third author (their supervisor).

Algorithm 3
Theorem 9.1. Algorithm 3 returns the nonlinearity of a Boolean function $f$ with $n$ variables in $O(n2^n)$ integer operations (sums and doublings).

Table 3
Number of monomials needed to compute the Gröbner basis of the ideal $J^3_t$.

Table 5
Number of monomials needed to compute the Gröbner basis of the ideal J 4

Table 6
Experimental comparisons of the coefficients of growth of the analyzed algorithms. Boolean function with n + 1 variables. Then we report in the table the value log 2