A New Family of Boolean Functions with Good Cryptographic Properties

Abstract

In 2005, Philippe Guillot presented a new construction of Boolean functions using linear codes as an extension of the Maiorana–McFarland’s (MM) construction of bent functions. In this paper, we study a new family of Boolean functions with cryptographically strong properties, such as non-linearity, propagation criterion, resiliency, and balance. The construction of cryptographically strong Boolean functions is a daunting task, and there is currently a wide range of algebraic techniques and heuristics for constructing such functions; however, these methods can be complex, computationally difficult to implement, and not always produce a sufficient variety of functions. We present in this paper a construction of Boolean functions using algebraic codes following Guillot’s work.

1. Introduction

In today’s society, there is a dependency-based communications security for financial transactions [1], telematic services, and telephony networks. Each day, new challenges arise for the protection of sensitive information from unauthorized entities. Cryptosystems are divided into two main types: symmetric and asymmetric ciphers [2]. Symmetric cryptosystems are classified in two families: block ciphers and stream ciphers. A fundamental piece of many symmetric ciphers are Boolean functions [3] used, for example, in internal state S-boxes. For example, the well known DES block cipher uses 6 input bits and 4 output bits [4] and stream ciphers, like Mickey and Sosemanuk, in the eSTREAM final round portfolio [5].

Symmetric ciphers are classified, generally, in block cipher and stream cipher and a fundamental piece in the design of both type of ciphers are Boolean functions [3]. Block ciphers include Boolean functions as component function of internal state non-linear Vectorial function, called S-boxes [4], while stream ciphers that are feedback shift register based used them as non-linear combination, non-linear filtering, or irregular clock-control [5].

In a symmetric cipher system, one seeks cryptographically strong Boolean functions that can be of practical use and resistant to different kinds of attacks that have appeared over the years (differential attack, linear attack, correlation attack, algebraic attack, etc.).

Boolean functions appear in various scientific disciplines, including Coding Theory, Combinatorics, Complexity Theory, Cryptography, and Graphic Theory, among others. In Cryptography, the design and analysis of Boolean functions that possess specific properties has often being the focus of attention. A productive field of research for most of these cryptographic properties is the Walsh-Hadamard spectrum, one of the most widely used representations of the Boolean function.

The construction of cryptographically strong Boolean functions is a daunting task, and there is currently a wide range of algebraic techniques and heuristics for constructing such functions; however, these methods can be complex, computationally difficult to implement, and not always produce a sufficient variety of functions. We present in this paper a construction of Boolean functions using algebraic codes following Guillot’s work.

2. Preliminaries

Here, we follow Reference [6]. Let ${\mathbb{F}}_2^n$ be the binary vector space of dimension n over the Galois field of two elements ${\mathbb{F}}_2$. Given two vectors a,$b\in {\mathbb{F}}_2^n$, we define the scalar product as

$$a·b=(a_1{b}_1\oplus \dots \oplus a_n{b}_n),$$

and the sum as

$$a\oplus b=(a_1\oplus b_1,\dots ,a_n\oplus b_n),$$

where the product and sum ⊕ (also called XOR) are over ${\mathbb{F}}_2$.

An n-variable Boolean function f is a mapping

$$f:{\mathbb{F}}_2^n⟶{\mathbb{F}}_2.$$

We will denote by ${\mathcal{B}}_n$ the set of all Boolean functions of n variables. The set ${\mathcal{B}}_n$ is a vector space over ${\mathbb{F}}_2$ with the addition ⊕ defined by

$$(f\oplus g)\left(x\right)=f\left(x\right)\oplus g\left(x\right),$$

for any $f,g\in {\mathcal{B}}_n$ and any $x\in {\mathbb{F}}_2^n$. The polar form $\widehat{f}:{\mathbb{F}}_2^n⟶\mathbb{R}$, or sign function, of a Boolean function $f\in {\mathcal{B}}_n$, is defined by

$$\widehat{f}\left(x\right)={\left(-1\right)}^{f\left(x\right)}.$$

The truth table of a Boolean function f is the vector, indexed by the elements of ${\mathbb{F}}_2^n$ (in lexicographical order),

$$(f\left(\overline{0}\right),f\left(\overline{1}\right),\dots ,f\left(\overline{2^n-1}\right)),$$

where $\overline{0}=(0,\dots ,0,0)$, $\overline{1}=(0,\dots ,0,1)$, $\dots ,\overline{2^n-1}=(1,\dots ,1,1)$. The polar truth table of f is the $(1,-1)$ sequence defined by

$$\left({\left(-1\right)}^{f\left(\overline{0}\right)},\dots ,{\left(-1\right)}^{f\left(\overline{2^n-1}\right)}\right).$$

The support f, denoted by $Supp\left(f\right)$, is the set of vectors in ${\mathbb{F}}_2^n$ in which the image under f is 1, i.e.,

$$Supp\left(f\right)=\{x\in {\mathbb{F}}_2^n\mid f\left(x\right)=1\}.$$

The weight of a Boolean function $f\in {\mathcal{B}}_n$, denoted by $w\left(f\right)$, is the cardinality of its support, i.e., $w\left(f\right)=\left|Supp\right(f\left)\right|$. We will say that a function $f\in {\mathcal{B}}_n$ is balanced if $w\left(f\right)=2^{n-1}$, i.e., if the truth table of f contains the same number of 0 and 1. This property is desirable in a Boolean function to resist differential attacks, such as those introduced by Shamir against the DES algorithm [7]. A Boolean function $f\in {\mathcal{B}}_n$ is called affine if we can write it as

$$f\left(x\right)=⟨a,x⟩\oplus b,$$

for some $a\in {\mathbb{F}}_2^n$ and $b\in {\mathbb{F}}_2$. If $b=0$, we say that f is a linear function. The set of affine functions will be denoted by ${\mathcal{A}}_n$. Let $f,g\in {\mathcal{B}}_n$. The distance, $d(f,g)$, between f and g, is the weight of the function $f\oplus g$, i.e.,

$$d(f,g)=w(f\oplus g).$$

The non-linearity of a Boolean function $f\in {\mathcal{B}}_n$, denoted by ${\mathcal{N}}_f$, is the minimum distance between f and the set of affine functions ${\mathcal{A}}_n$, i.e.,

$${\mathcal{N}}_f=min\{d(f,\phi )\mid \phi \in {\mathcal{A}}_n\}.$$

A high non-linearity is desired to reduce the effect of linear cryptanalysis attacks [8].

A Boolean function in ${\mathbb{F}}_2^n$ can be expressed uniquely as a polynomial in

$${\mathbb{F}}_2\left[x_1,\dots ,x_n\right]/\left(x_1^2\oplus x_1,\dots ,x_n^2\oplus x_n\right),$$

through its Algebraic Normal Form (ANF)

$$f\left(x\right)=\sum _{a\in {\mathbb{F}}_2^n}{c}_a{x}_1^{a_1}\cdots x_n^{a_n},$$

(1)

where $c_a\in {\mathbb{F}}_2$, and $a=(a_1,\dots ,a_n)$, with $c_a={\sum }_{x\le a}f\left(x\right)$, where $x\le a$ means that $x_i\le a_i,$ for all $1\le i\le n$, i.e., $c_a=g(a_1,\dots ,a_n)$, and g is a function in ${\mathcal{B}}_n$ called the Möbius Transform of f, denoted by $g=\mu \left(f\right)$. The Algebraic Degree of a Boolean function f is the degree of its ANF. It follows that the algebraic degree of $f\in {\mathcal{B}}_n$ does not exceed n, that is, is the number of variables in the highest order term with non-zero coefficient.

The Walsh-Hadamard Transform of a function f in ${\mathbb{F}}_2^n$ is the mapping $H\left(f\right):{\mathbb{F}}_2^n\to \mathbb{R}$, defined by

$$H\left(f\right)\left(h\right)=\sum _{x\in {\mathbb{F}}_2^n}f\left(x\right){(-1)}^{h·x}.$$

(2)

Let $f\in {\mathcal{B}}_n$ be a Boolean function, and let S be an arbitrary subspace of ${\mathbb{F}}_2^n$ and $S^{\perp }$ the dual (annihilator) of S, i.e.,

$$S^{\perp }=\{x\in {\mathbb{F}}_2^n:x·s=0,\forall s\in S\},$$

then

$$\sum _{u\in S}H\left(f\right)\left(u\right)=2^{dimS}\sum _{u\in S^{\perp }}f\left(u\right).$$

(3)

From the definition of the Walsh-Hadamard Transform, it follows that $H(\widehat{f})\left(u\right)$ equals the number of zeros minus the number of ones in the binary vector $f\oplus l_u(l_u\in {\mathcal{A}}_n$ and $l_u\left(v\right)={\sum }_{i=1}^n{u}_i{v}_i)$ such that

$$H\left(\widehat{f}\right)\left(u\right)=2^n-2d(f,\sum _{i=1}^n{u}_i{v}_i),$$

(4)

$$d(f,\sum _{i=1}^n{u}_i{v}_i)={\displaystyle \frac{1}{2}}(2^n-H\left(\widehat{f}\right)\left(u\right)),$$

(5)

$$d(f,1\oplus \sum _{i=1}^n{u}_i{v}_i)={\displaystyle \frac{1}{2}}(2^n+H\left(\widehat{f}\right)\left(u\right)).$$

(6)

We summarize these results in the following

Theorem 1.

The non-linearity f is determined by the Walsh-Hadamard Transform of f, i.e.,

$${\mathcal{N}}_f=2^{n-1}-{\displaystyle \frac{1}{2}}\underset{u\in {\mathbb{F}}_2^{{}^n}}{max}\left|H\left(\widehat{f}\right)\left(u\right)\right|.$$

(7)

Proof. 

See proof in Reference [9]. □

In what follows, we summarize some factors which are important in the design of Boolean functions with good cryptographic properties [10]. An n-variable Boolean function is said to have correlation immunity of order m if and only if $H(\widehat{f})\left(u\right)=0$, with $1\le w\left(u\right)\le m$. A Boolean function with correlation immunity of order m and balanced is called m-resilient. The fundamental relationship between the number of variables n, the algebraic degree d, and the order of correlation immunity m of a Boolean function is $m+d\le n$; see Reference [11].

The autocorrelation function $r_{\widehat{f}}\left(s\right)$ of a Boolean function f is defined from its polar representation as

$$r_{\widehat{f}}\left(s\right)=\sum _{x\in {\mathbb{F}}_2^n}\widehat{f}\left(x\right)\widehat{f}(x\oplus s).$$

This value is proportional to the imbalance of all the first-order derivatives of the Boolean function. Small autocorrelation values are desirable, while Boolean functions having larger values are considered weak.

We say that a Boolean function has propagation criteria of order l, denoted by $PC\left(l\right)$ if $f\left(x\right)\oplus f(x\oplus u)$ is balanced for all u with $1\le w\left(u\right)\le l$.

The Strict Avalanche Criterion (SAC) [12], refers to the effect of changing all input bits. A Boolean function f is said to satisfy SAC if $f\left(x\right)\oplus f(x\oplus u)$ is balanced for all u with $w\left(u\right)=1$.

Let $q=2^m$, and let ${\mathbb{F}}_q$ be the finite field with q elements. An ${\mathbb{F}}_q—$linear error correcting codeC of length n is an ${\mathbb{F}}_q—$linear subspace of ${\mathbb{F}}_q^n$. The elements of C are called words. The weight $wt\left(x\right)$ of a word x in C is the number of its non-zero coordinates. The minimum weight d of the code C is defined as the minimum of the weights among all non-zero words occurring in C. For $x,y\in C$, we define the Hamming distance $d(x,y)$ between x and y as $wt(x-y)$. The minimum distance of a code C is defined as

$$d=min\left\{d\right(x,y\left)\right|x,y\in C,x\ne y\}.$$

If k is the dimension of C as a vector space over ${\mathbb{F}}_q$, then we say that C is a ${[n,k,d]}_q$ error correcting code. The Singleton bound states that the parameters of a code C must satisfy

$$n+1\ge k+d.$$

A code satisfying the previous inequality with equality is called a maximum distance separable code, or simply a maximum distance separable (MDS)-code [13].

For $q\ge 2,h\ge 1$. Let $Q=q^h$. Consider two codes which we call outer code and inner code. Let C be outer code with parameters ${[N,K,D]}_Q$, and let I be inner code with parameters ${[n,h,d]}_q$. The concatenation method [14] constructs a code F over ${\mathbb{F}}_q$ out of a code over ${\mathbb{F}}_Q$. The first step is to fix any isomorphism $\phi :{\mathbb{F}}_Q⟶I\subseteq {\mathbb{F}}_q^n$. Then,

$$F:=\left\{(\phi \left(x_1\right),\dots ,\phi \left(x_N\right))\right|(x_1,\dots ,x_N)\in C\}.$$

The code F has parameters ${[N·n,K·h,D·d]}_q$.

3. Maiorana-McFarland-Guillot’s Construction

The Maiorana–McFarland (MM) construction was originally designed to obtain bent functions [15]. It has been extended to construct resilient functions [16].

For $n\in \mathbb{N},n\ge 2$ and ${\mathbb{F}}_2^n=E\oplus F$, a decomposition into two complementary subspaces E of dimension p and F of dimension $q=n-p$. For any application $\pi :E⟶{\mathbb{F}}_2^n$ and any application $h:E⟶{\mathbb{F}}_2$, the MM construction defines a Boolean function f as follows:

$$\begin{array}{cccc}\hfill f:& E\oplus F& ⟶& {\mathbb{F}}_2\hfill \\ & x+y& \mapsto & \pi \left(x\right)·y+h\left(x\right).\hfill \end{array}$$

The application $\pi$ is defined on ${\mathbb{F}}_2^n$, but, since $\pi \left(x\right)$ is wrapped by an internal product with an element of F, the value of f is invariant when $\pi \left(x\right)$ is moved by a vector of $F^{\perp }$. So, $\pi$ can be considered to be defined over the space ${\mathbb{F}}_2^n/F^{\perp }\cong E^{\perp }$, so that $\pi :E⟶E^{\perp }$.

One of the properties we are interested in from a Boolean function is the Propagation Criteria. In Reference [16], it was shown that for a Boolean function to have Propagation Criteria of order k it is enough that the coset $x_0+F$, with $x_0\in E$, has $w(x_0+F)>k$. Therefore, to find a Boolean function with $PC(k-1)$, it is enough to select an appropriate $x_0$ in the complement of F, such that the lateral class $x_0+F$ has weight $\ge k$.

4. Construction of $\mathbf{\pi }$ and $\mathit{h}$

4.1. $\pi$ One-to-One

Following Guillot’s ideas, we note that we need to have all the values of $\pi \left(E\right)$. For $u\in E^{\perp }$, we will construct the lateral class $u+F^{\perp }$ and calculate the minimum weight of this class for each u. Let us save these weights in the set $U\left(l\right)=\{u\in E^{\perp }:w(u+F^{\perp })\ge l+1\}$. In order to build $\pi$ one by one, we must have $q>p$ because we want our Boolean function to be balanced; this implies that $H(\widehat{f})\left(0\right)=0$, i.e., $0\notin \pi \left(E\right)$. To build a Boolean function with a high resiliency order $\left(l\right)$, we must take care that the cardinality of $U\left(l\right)\ge 2^p$. To build the image of $\pi \left(E\right)$, we take $2^p$ non-zero elements of $U\left(l\right)$, and we assign it randomly. In the same way, we randomly generate the values of $h\left(E\right)$ using any pseudo-random generator.

4.2. $\pi$ Two-to-One

Let $u\in E^{\perp }$. The linear functional $v\mapsto v·x_0$ partitions the lateral class $u+F^{\perp }$ into the sets

$$E_0=\{v\in u+F^{\perp }\mid v·x_0=0\},$$

and

$$E_1=\{v\in u+F^{\perp }\mid v·x_0=1\}.$$

Let $w_0$ and $w_1$ be the minimum weights of $E_0$ and $E_1$, respectively. In order to construct an $l—$resilient function, we need that

$$max\{w_0,w_1\}\ge l+1.$$

We will store the pairs $(u,i)$ such that $w_i=max\{w_0,w_1\}$ in the set U, i.e.,

$$U=\left\{(u,i)\right|u\in E^{\perp },w_i=max\{w_0,w_1\}\}.$$

We proceed to construct the image $\pi \left(E\right)$ and the image $h\left(E\right)$. To do so, we first notice that translating by $x_0$ partitions E into two parts of size $2^{p-1}$: a $p-1$ dimensional subspace $S_0\le E$ not containing $x_0$ and its translate $S_1=x_0+S_0$. We construct the image of $\pi$ in such a way that $\pi \left(x\right)=\pi (x+x_0)$ for all $x\in E$. There are many possible ways of achieving this. For the image of h, we choose the value of $h\left(x\right)$ at random for $x\in S_0$, and we define $h(x+x_0)=h\left(x\right)+i$ such that $\left(\pi \right(x),i)\in U$.

5. Construction of $\mathit{f}$

Recall that the Boolean function f is expressed as

$$f\left(z\right)=\pi \left(x\right)·y+h\left(x\right),$$

with $z=x+y$; $x\in E,y\in F$. We have all the ingredients in place to compute f. For example, we may proceed as follows: without loss of generality, we may assume that the information coordinates for the code F are the first q coordinates. Then, given $z=(z_1,z_2,\dots ,z_q,z_{q+1},\dots ,z_n)\in {\mathbb{F}}_2^n,$ we may compute y using any systematic generator matrix $G_F$ for F as

$$y=(z_1,z_2,\dots ,z_q)·G_F,$$

and then we obtain x by computing $x=y+z.$ As we know the images of $\pi$ an h for all $x\in E$ (see previous section), we may obtain the value of $f\left(z\right)$.

6. Reed-Solomon Codes

The class of Reed-Solomon Codes [17] is considered of great importance in coding theory. They are members of the family of algebraic codes. Recall one of the standard descriptions of an extended Reed-Solomon code over ${\mathbb{F}}_q$ [18]. Let ${\mathbb{F}}_q=\{0,1,\alpha ,{\alpha }^2,\cdots ,{\alpha }^{q-2}\}$. Consider the set

$$L=\{f\left(x\right)\in {\mathbb{F}}_q\left[x\right]\mid degree\left(f\left(x\right)\right)<r\}.$$

The Reed-Solomon code $RS(r,q)$ of length $n=q$ is defined by

$$RS(r,q):=\{c=(f\left(0\right),f\left(1\right),f\left(\alpha \right),f\left({\alpha }^2\right),\cdots ,f\left({\alpha }^{q-2}\right))\mid f\left(x\right)\in L\}.$$

Because a polynomial of degree l has at most l zeros in ${\mathbb{F}}_q$, we see that $RS(r,q)$ has minimum distance $d=q-r+1$, which is the best possible, i.e., $RS(r,q)$ is a maximum distance separable (MDS) code [18]. The code $RS(r,q)$ has parameters

$${\left[q,r,q-r+1\right]}_q.$$

In this paper, we will assume that $q=2^m$; then, $RS(r,2^m)$ has parameters

$${\left[2^m,r,2^m-r+1\right]}_{2^m}.$$

7. Boolean Functions from $\mathit{RS}(\mathit{r},{\mathbf{2}}^{\mathit{m}})$

For our construction of Boolean functions, we will use a concatenated Reed-Solomon code. Let $C=RS(r,2^m)$; this is our outer code. Let I be the all even-weight codewords, then with parameters ${\left[m+1,m,2\right]}_2$. After concatenation, we obtain a code F with parameters

$${\left[(m+1)2^m,m·r,2(2^m-r+1)\right]}_2.$$

We will use our code F as the main ingredient to the MM construction, obtaining a new family of Boolean functions, in $n=(m+1)2^m$ variables. The dimension of the complementary vector space E is, therefore, $(m+1)2^m-m·r$, and ${\mathbb{F}}_2^n=E\oplus F$.

We focus now in the lateral class $x_0+F$. As F is constructed by evaluating all polynomials of degree less than r over ${\mathbb{F}}_{2^m}\left[x\right]$, we can assume that $x_0$ is also constructed by evaluating a polynomial $L\left(x\right)$ over ${\mathbb{F}}_{2^m}\left[x\right]$. A polynomial $L\left(x\right)$ can be obtained using Lagrange interpolation in which the evaluation produces a suitable concatenated $x_0$. Let $a_1,...,a_r$ be a set of information coordinates for the code $RS(r,2^m)$, by Lagrange interpolation, we can obtain a polynomial $L\left(x\right)$ of degree r such that $L\left(a_i\right)=0$ for $i=1,...,r$ and $L\left(a_{i+1}\right)=s,s\in {\mathbb{F}}_{2^m}-\left\{0\right\}$. The vector $ev\left(L\right)$ is a vector in the complement of $RS(r,2^m)$ as a vector space over ${\mathbb{F}}_{2^m}$, and the lateral class $ev\left(L\right)+RS(r,2^m)$ has minimum weight ≥$2^m-r$. Let $x_0$ be the image of $ev\left(L\right)$ under concatenation; it follows that $x_0$ is a vector in the complement of F as a binary vector space, and, by construction, the minimum weight of the lateral class $x_0+F$ is $\ge 2(2^m-r)$. Thus, by using our proposed F and $x_0$ in Guillot’s construction, we obtain a Boolean function satisfying $PC(2^{m+1}-2r-1)$.

8. On the Number of Distinct Boolean Functions

The cryptographic properties of the functions obtained in our construction depend solely on the properties of the code F and the image $\pi \left(E\right)$. Once $\pi \left(E\right)$ and F are fixed, we may construct $2^p!\times 2^{2^p}$ (see Reference [16]) distinct Boolean functions with identical cryptographic properties. In our construction, we have incorporated extra choices in the concatenation step; namely, we have $2^{2^k}-1$ choices for the isomorphism:

$$\varphi :{\mathbb{F}}_{2^{2k}}⟶{\mathbb{F}}_2^{2k+1},$$

bringing the total number of distinct Boolean functions up to

$$2^p!\times 2^{2^p}\times (2^{2k}-1).$$

9. Examples

9.1. Example # 1. $\pi$ One-to-One

For this example, we will take $n=16$; so, the $dim\left(F\right)=9$ and the $dim\left(E\right)=7$ was the one that was selected. For this, we select a code $RS(3,4)$ over ${\mathbb{F}}_{2^3}$ with primitive polynomial ${\alpha }^3+{\alpha }^2+1$ and a concatenation code of even weight $I=\left[4,3,2\right]$.

Now,

$$G_F={\left(\begin{array}{cccc}1& 1& 1& 1\\ 0& a^1& a^2& 1+a^1\\ 0& a^2& a^1+a^2& 1+a^2\end{array}\right)}_{{\mathbb{F}}_{2^3}},$$

$$G_F=\left(\begin{array}{cccccccccccccccc}1& 0& 0& 0& 0& 0& 0& 0& 0& 1& 0& 0& 0& 0& 1& 1\\ 0& 1& 0& 0& 0& 0& 0& 0& 0& 1& 0& 0& 1& 1& 0& 0\\ 0& 0& 1& 0& 0& 0& 0& 0& 0& 1& 0& 0& 0& 1& 1& 0\\ 0& 0& 0& 1& 0& 0& 0& 0& 0& 0& 1& 0& 0& 1& 1& 0\\ 0& 0& 0& 0& 1& 0& 0& 0& 0& 0& 1& 0& 1& 1& 0& 0\\ 0& 0& 0& 0& 0& 1& 0& 0& 0& 0& 1& 0& 1& 1& 1& 1\\ 0& 0& 0& 0& 0& 0& 1& 0& 0& 0& 0& 1& 0& 1& 1& 0\\ 0& 0& 0& 0& 0& 0& 0& 1& 0& 0& 0& 1& 1& 0& 1& 0\\ 0& 0& 0& 0& 0& 0& 0& 0& 1& 0& 0& 1& 1& 1& 1& 1\end{array}\right),$$

$$G_E=\left(\begin{array}{cccccccccccccccc}0& 0& 0& 0& 0& 0& 0& 0& 0& 1& 0& 0& 0& 0& 0& 0\\ 0& 0& 0& 0& 0& 0& 0& 0& 0& 0& 1& 0& 0& 0& 0& 0\\ 0& 0& 0& 0& 0& 0& 0& 0& 0& 0& 0& 1& 0& 0& 0& 0\\ 0& 0& 0& 0& 0& 0& 0& 0& 0& 0& 0& 0& 1& 0& 0& 0\\ 0& 0& 0& 0& 0& 0& 0& 0& 0& 0& 0& 0& 0& 1& 0& 0\\ 0& 0& 0& 0& 0& 0& 0& 0& 0& 0& 0& 0& 0& 0& 1& 0\\ 0& 0& 0& 0& 0& 0& 0& 0& 0& 0& 0& 0& 0& 0& 0& 1\end{array}\right).$$

We build all cosets of the form $u+F^{\perp }$, where $u\in E^{\perp }$, and we calculate the minimum weights of each class.

For $n=16$, the maximum resistance we can aspire to is $l=3$; so, since E has 128 elements, we choose exactly from $E^{\perp }$, and we determinate.

U(3) = {D600, B900, 6B00, 5B00, EF00, DF00, D280, 3980, DB80, D200, B200, 7200, CA00, AA00, 6A00, 9A00, 5A00, 3A00, C600, A600, 6600, 9600, 5600, 3600, F600, 8E00, 2E00, EE00, DE00, BE00, D100, B100, 7100, A900, 6900, 9900, 5900, 3900, D800, F900, C500, A500, 6500, 9500, 5500, 3500, F500, 8D00, 2D00, ED00, DD00, BD00, C300, A300, 6300, 9300, 5300, F300, 8B00, 4B00, 2B00, B800, EB00, 1B00, 7800, DB00, BB00, 7B00, 4700, 2700, E700, 1700, D700, 7700, 0F00, CF00, AF00, 6F00, D400, 9F00, 5F00, 7400, 3F00, FF00, D080, B080, 7080, C880, A880, 6880, 5880, 3880, F880, 5480, 3480, F480, 2C80, EC80, DC80, BC80, C280, A280, 9280, 5280, CC00, 3280, F280, 8A80, 4A80, 2A80, EA80, 1A80, DA80, BA80, 4680, 2680, E680, 1680, D680, 0E80, CE80, AE80, C180, A180, 6180, 9180, 3180, F180} in hexadecimal but with $u\ne 0$ to ensure that the function is balanced and in turn these vectors will be the images of $\pi$.

Now, we get the $h\left(E\right)$ values randomly using any binary pseudo-random generator. In summary, our function will have the following properties: balanced, ${\mathcal{N}}_f=$ 32,512, 3-resilient, and $deg\left(f\right)=8$.

9.2. Example # 2. $\pi$ Two to One

Suppose we want to build a 12-variable Boolean function. As the main ingredient, we use the Reed-Solomon code $C=RS(3,4)$ over ${\mathbb{F}}_4$ with parameters $[4,3,2]$. A generator matrix for C is

$$G=\left(\begin{array}{cccc}1& 1& 1& 1\\ 0& \alpha & \alpha +1& 1\\ 0& \alpha +1& \alpha & 1\end{array}\right),$$

where ${\alpha }^2+\alpha +1=0$. We now obtain a binary code from C by concatenation with the even weight code $I=\{000,101,011,110\}$ with parameters $[3,2,2]$. Any other 2-dimensional binary code will serve as an inner code. The next step is to choose any homomorphism $\nu$ between $F_4$ and I as vector spaces over ${\mathbb{F}}_2$. For our example, we choose $0\mapsto 000,1\mapsto 101,\alpha \mapsto 011,\alpha +1\mapsto 110$. After concatenation, we obtain a binary code F with parameters $[12,6,4]$. A systematic generator matrix for F is given by

$$G_F=\left(\begin{array}{cccccccccccc}1& 0& 0& 0& 0& 0& 1& 0& 0& 1& 0& 1\\ 0& 1& 0& 0& 0& 0& 1& 0& 0& 0& 1& 1\\ 0& 0& 1& 0& 0& 0& 0& 1& 0& 1& 0& 1\\ 0& 0& 0& 1& 0& 0& 0& 1& 0& 0& 1& 1\\ 0& 0& 0& 0& 1& 0& 0& 0& 1& 1& 0& 1\\ 0& 0& 0& 0& 0& 1& 0& 0& 1& 0& 1& 1\end{array}\right).$$

The row span of $G_F$ is the binary vector space F in the MM construction. As $G_F$ is systematic, i.e., the first 6 columns are the information coordinates of code F, we may easily describe the complementary space E with generator matrix

$$G_E=\left(\begin{array}{cccccccccccc}0& 0& 0& 0& 0& 0& 1& 0& 0& 0& 0& 0\\ 0& 0& 0& 0& 0& 0& 0& 1& 0& 0& 0& 0\\ 0& 0& 0& 0& 0& 0& 0& 0& 1& 0& 0& 0\\ 0& 0& 0& 0& 0& 0& 0& 0& 0& 1& 0& 0\\ 0& 0& 0& 0& 0& 0& 0& 0& 0& 0& 1& 0\\ 0& 0& 0& 0& 0& 0& 0& 0& 0& 0& 0& 1\end{array}\right).$$

In this example, we have $n=12,p=6,q=6$, so we will build a two to one function $\pi$. The next step is to build $x_0\in E$ by concatenation of the evaluation vector of $L\left(x\right)=x^2+x$. We obtain $x_0=\{0,0,0,0,0,0,1,1,1,1,0,0\}\in E$. For each lateral class $u+F^{\perp }$ with $u\in E^{\perp }$, we construct the sets $E_0=\{v\in u+F^{\perp }:v·x_0=0\}$ and $E_1=\{v\in u+F^{\perp }:v·x_0=1\}.$ Let $d_0=d\left(E_0\right),d_1\left(E_1\right)$ be the minimum distances of $E_0$ and $E_1$, respectively, and let $d_j=max\{d_0,d_1\}$. Next, we store the pairs $(u,j)$ in an array. In this example, the array is given by

$$(u,0/1)=\left(\begin{array}{cc}u& h_u\\ \{0,0,1,0,1,1\}& 0\\ \{0,0,1,1,0,1\}& 0\\ \{0,0,1,1,1,0\}& 0\\ \{0,1,0,0,1,1\}& 0\\ \{0,1,0,1,1,0\}& 0\\ \{0,1,0,1,1,1\}& 1\\ \{0,1,1,0,0,1\}& 0\\ \{0,1,1,0,1,0\}& 1\\ \{0,1,1,0,1,1\}& 0\\ \{0,1,1,1,0,0\}& 0\\ \{0,1,1,1,0,1\}& 1\\ \{0,1,1,1,1,0\}& 0\\ \{0,1,1,1,1,1\}& 1\\ \{1,0,0,0,1,1\}& 0\\ \{1,0,0,1,0,1\}& 0\\ \{1,0,0,1,1,0\}& 1\\ \{1,0,0,1,1,1\}& 0\\ \{1,0,1,0,0,1\}& 1\\ \{1,0,1,0,1,1\}& 0\\ \{1,0,1,1,0,0\}& 0\\ \{1,0,1,1,0,1\}& 0\\ \{1,0,1,1,1,0\}& 0\\ \{1,0,1,1,1,1\}& 1\\ \{1,1,0,0,0,1\}& 0\\ \{1,1,0,0,1,0\}& 0\\ \{1,1,0,1,0,0\}& 0\\ \{1,1,0,1,0,1\}& 1\\ \{1,1,0,1,1,0\}& 0\\ \{1,1,0,1,1,1\}& 1\\ \{1,1,1,0,0,0\}& 0\\ \{1,1,1,0,0,1\}& 0\\ \{1,1,1,0,1,0\}& 0\end{array}\right).$$

As might be noticed, all u in the previous arrays have weight ≥$3$, as expected from Guillot’s results; so, the Boolean function we will construct will have resilience order 2. For $x\in E$, we define $\pi \left(x\right)=\pi (x+x_0)\in {\mathbb{F}}_2$ at random, and we define $h\left(x\right)=h_u$ and $h(x+x_0)=h_u+h_t$, where $h_t$ is a random value in ${\mathbb{F}}_2$.

Using $\pi$ and h defined above in the MM construction, the following cryptographic parameters for the Boolean function f were checked using sage: Balanced, non-linearity of 1984, propagation criteria of order 3, and resilience of order 2.

10. Conclusions

In this work, a complete description is made of how the images of $\pi$ and h should be chosen to build the well-desired Boolean functions. The desirable cryptographic properties were carefully reviewed given the chosen construction, and we described the advantages and disadvantages of the aforementioned construction. We set which are going to do the optimal parameters to find the Boolean functions. Thus, it will be possible to know when the functions will be balanced and what order of propagation criterion they will have; thus, it will be possible to know the non-linearity and resiliency order. It is also important to note that a non-trivial factor is obtained in terms of the number of different functions obtained with the same properties. All of the above can be known beforehand by the characteristics and properties of the Reed-Solomon code used, according to the function that wants to be built from n-variables.