A New Family of Boolean Functions with Good Cryptographic Properties

In 2005, Philippe Guillot presented a new construction of Boolean functions using linear codes as an extension of the Maiorana–McFarland (MM) construction of bent functions. In this paper, we study a new family of Boolean functions with cryptographically strong properties, such as non-linearity, propagation criterion, resiliency, and balance. The construction of cryptographically strong Boolean functions is a daunting task, and there is currently a wide range of algebraic techniques and heuristics for constructing such functions; however, these methods can be complex, computationally difficult to implement, and do not always produce a sufficient variety of functions. We present in this paper a construction of Boolean functions using algebraic codes following Guillot's work.


Introduction
In today's society, financial transactions [1], telematic services, and telephony networks depend on communications security. Each day, new challenges arise for the protection of sensitive information from unauthorized entities. Cryptosystems are divided into two main types: symmetric and asymmetric ciphers [2]. Symmetric cryptosystems are classified into two families: block ciphers and stream ciphers. A fundamental component of many symmetric ciphers is the Boolean function [3], used, for example, in internal-state S-boxes. For example, the well-known DES block cipher uses S-boxes with 6 input bits and 4 output bits [4], and Boolean functions also appear in stream ciphers, like Mickey and Sosemanuk, in the eSTREAM final round portfolio [5].
Symmetric ciphers are generally classified as block ciphers and stream ciphers, and a fundamental piece in the design of both types of cipher is the Boolean function [3]. Block ciphers include Boolean functions as component functions of the internal-state non-linear vectorial functions, called S-boxes [4], while stream ciphers based on feedback shift registers use them for non-linear combination, non-linear filtering, or irregular clock control [5].
In a symmetric cipher system, one seeks cryptographically strong Boolean functions that can be of practical use and resistant to different kinds of attacks that have appeared over the years (differential attack, linear attack, correlation attack, algebraic attack, etc.).
Boolean functions appear in various scientific disciplines, including Coding Theory, Combinatorics, Complexity Theory, Cryptography, and Graph Theory, among others. In Cryptography, the design and analysis of Boolean functions that possess specific properties has often been the focus of attention. A productive field of research for most of these cryptographic properties is the Walsh-Hadamard spectrum, one of the most widely used representations of the Boolean function.
The non-linearity of a Boolean function $f \in B_n$, denoted by $N_f$, is the minimum distance between $f$ and the set of affine functions $A_n$, i.e., A high non-linearity is desired to reduce the effect of linear cryptanalysis attacks [8].
A Boolean function in $\mathbb{F}_2^n$ can be expressed uniquely as a polynomial in where $c_a \in \mathbb{F}_2$, and $a = (a_1, \ldots, a_n)$, with $c_a = \sum_{x \le a} f(x)$, where $x \le a$ means that $x_i \le a_i$ for all $1 \le i \le n$, i.e., $c_a = g(a_1, \ldots, a_n)$, and $g$ is a function in $B_n$ called the Möbius Transform of $f$, denoted by $g = \mu(f)$. The Algebraic Degree of a Boolean function $f$ is the degree of its ANF. It follows that the algebraic degree of $f \in B_n$ does not exceed $n$, that is, is the number of variables in the highest order term with non-zero coefficient.
Let $f \in B_n$ be a Boolean function, and let $S$ be an arbitrary subspace of $\mathbb{F}_2^n$ and $S^\perp$ the dual (annihilator) of $S$, i.e., From the definition of the Walsh-Hadamard Transform, it follows that $H(f)(u)$ equals the number of zeros minus the number of ones in the binary vector $f \oplus l_u$ ($l_u \in A_n$ and We summarize these results in the following
Theorem 1. The non-linearity of $f$ is determined by the Walsh-Hadamard Transform of $f$, i.e., Proof. See proof in Reference [9].
In what follows, we summarize some factors which are important in the design of Boolean functions with good cryptographic properties [10]. An $n$-variable Boolean function is said to have correlation immunity of order $m$ if and only if $H(f)(u) = 0$, with $1 \le w(u) \le m$. A Boolean function with correlation immunity of order $m$ and balanced is called $m$-resilient. The fundamental relationship between the number of variables $n$, the algebraic degree $d$, and the order of correlation immunity $m$ of a Boolean function is $m + d \le n$; see Reference [11].
The autocorrelation function $r_f(s)$ of a Boolean function $f$ is defined from its polar representation as This value is proportional to the imbalance of all the first-order derivatives of the Boolean function. Small autocorrelation values are desirable, while Boolean functions having larger values are considered weak.
We say that a Boolean function has propagation criteria of order $l$, denoted by $PC(l)$ The Strict Avalanche Criterion (SAC) [12] refers to the effect of changing all input bits. A Boolean function $f$ is said to
Let $q = 2^m$, and let $\mathbb{F}_q$ be the finite field with $q$ elements. An $\mathbb{F}_q$-linear error correcting code $C$ of length $n$ is an $\mathbb{F}_q$-linear subspace of $\mathbb{F}_q^n$. The elements of $C$ are called words. The weight $wt(x)$ of a word $x$ in $C$ is the number of its non-zero coordinates. The minimum weight $d$ of the code $C$ is defined as the minimum of the weights among all non-zero words occurring in $C$. For $x, y \in C$, we define the Hamming distance $d(x, y)$ between $x$ and $y$ as $wt(x - y)$. The minimum distance of a code $C$ is defined as If $k$ is the dimension of $C$ as a vector space over $\mathbb{F}_q$, then we say that $C$ is an $[n, k, d]_q$ error correcting code. The Singleton bound states that the parameters of a code $C$ must satisfy $n + 1 \ge k + d$.
A code satisfying the previous inequality with equality is called a maximum distance separable code, or simply a maximum distance separable (MDS)-code [13].
For $q \ge 2$, $h \ge 1$, let $Q = q^h$. Consider two codes, which we call the outer code and the inner code. Let $C$ be the outer code with parameters $[N, K, D]_Q$, and let $I$ be the inner code with parameters $[n, h, d]_q$. The concatenation method [14] constructs a code $F$ over $\mathbb{F}_q$ out of a code over $\mathbb{F}_Q$. The first step is to fix any isomorphism $\varphi : \mathbb{F}_Q \to I \subseteq \mathbb{F}_q^n$. Then, The code $F$ has parameters $[N \cdot n, K \cdot h, D \cdot d]_q$.

Maiorana-McFarland-Guillot's Construction
The Maiorana-McFarland (MM) construction was originally designed to obtain bent functions [15]. It has been extended to construct resilient functions [16].
Let $n \in \mathbb{N}$, $n \ge 2$, and let $\mathbb{F}_2^n = E \oplus F$ be a decomposition into two complementary subspaces, $E$ of dimension $p$ and $F$ of dimension $q = n - p$. For any map $\pi : E \to \mathbb{F}_2^n$ and any map $h : E \to \mathbb{F}_2$, the MM construction defines a Boolean function $f$ as follows: $f$ : The map $\pi$ is defined on $\mathbb{F}_2^n$, but, since $\pi(x)$ appears only inside an inner product with an element of $F$, the value of $f$ is invariant when $\pi(x)$ is moved by a vector of $F^\perp$. So, $\pi$ can be considered to be defined over the space $\mathbb{F}_2^n / F^\perp \cong E^\perp$, so that $\pi : E \to E^\perp$. One of the properties we are interested in from a Boolean function is the Propagation Criteria. In Reference [16], it was shown that for a Boolean function to have Propagation Criteria of order $k$ it is enough that the coset Therefore, to find a Boolean function with $PC(k - 1)$, it is enough to select an appropriate $x_0$ in the complement of $F$, such that the coset $x_0 + F$ has weight $\ge k$.

Construction of π and h
π One-to-One
Following Guillot's ideas, we note that we need to have all the values of $\pi(E)$. For $u \in E^\perp$, we will construct the coset $u + F^\perp$ and calculate the minimum weight of this coset for each $u$.
Let us save these weights in the set In order to build $\pi$ one-to-one, we must have $q > p$ because we want our Boolean function to be balanced; this implies that $H(f)(0) = 0$, i.e., $0 \notin \pi(E)$. To build a Boolean function with a high resiliency order ($l$), we must take care that the cardinality of $U(l)$ is at least $2^p$. To build the image $\pi(E)$, we take $2^p$ non-zero elements of $U(l)$ and assign them randomly. In the same way, we randomly generate the values of $h(E)$ using any pseudo-random generator.
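The effect of the choice of $\pi(E)$ on balance and resiliency can be checked numerically. The following is an added example, not code from the paper: it assumes the simplest decomposition, where $E$ is the first $p$ coordinates and $F$ the last $q$, so that the minimum weight of the coset $u + F^\perp$ is just the weight of $u$. The sample values of $\pi$ and $h$ and all function names are constructed for illustration, and the non-linearity is computed with the standard formula $2^{n-1} - \frac{1}{2}\max_u |H(f)(u)|$.

```python
def walsh_hadamard(tt):
    """H(f)(u) for every u: fast transform of the polar form (-1)^f(z)."""
    w = [1 - 2 * bit for bit in tt]
    step = 1
    while step < len(w):
        for i in range(0, len(w), 2 * step):
            for j in range(i, i + step):
                w[j], w[j + step] = w[j] + w[j + step], w[j] - w[j + step]
        step *= 2
    return w

def mm_truth_table(p, q, pi, h):
    """f(x + y) = <pi(x), y> XOR h(x), with z = (x << q) | y as table index."""
    return [(bin(pi[x] & y).count("1") + h[x]) & 1
            for x in range(1 << p) for y in range(1 << q)]

def properties(tt):
    """Return (balanced, non-linearity, resiliency order; -1 if unbalanced)."""
    n = len(tt).bit_length() - 1
    spec = walsh_hadamard(tt)
    nonlinearity = (1 << (n - 1)) - max(abs(v) for v in spec) // 2
    order = -1
    for m in range(n + 1):
        # stop at the first weight class containing a non-zero coefficient
        if any(spec[u] for u in range(1 << n) if bin(u).count("1") == m):
            break
        order = m
    return spec[0] == 0, nonlinearity, order

# Constructed sample data (not from the paper): p = 2, q = 4, n = 6.
H_VALUES = [0, 1, 1, 0]                          # h(x), any values work
PI_WEIGHT2 = [0b0011, 0b0101, 0b0110, 0b1111]    # injective, weights >= 2
PI_WEIGHT3 = [0b0111, 0b1011, 0b1101, 0b1110]    # injective, weights >= 3
PI_WITH_ZERO = [0b0000, 0b0101, 0b0110, 0b1111]  # 0 in pi(E): unbalanced

if __name__ == "__main__":
    for name, pi in [("weights>=2", PI_WEIGHT2), ("weights>=3", PI_WEIGHT3),
                     ("contains 0", PI_WITH_ZERO)]:
        print(name, properties(mm_truth_table(2, 4, pi, H_VALUES)))
```

Raising the minimum weight of the image from 2 to 3 raises the resiliency order from 1 to 2 without changing the non-linearity, while admitting 0 into the image destroys balance.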

π Two-to-One
Let $w_0$ and $w_1$ be the minimum weights of $E_0$ and $E_1$, respectively. In order to construct an $l$-resilient function, we need that $\max\{w_0, w_1\} \ge l + 1$.
We will store the pairs $(u, i)$ such that $w_i = \max\{w_0, w_1\}$ in the set $U$, i.e., We proceed to construct the image $\pi(E)$ and the image $h(E)$. To do so, we first notice that translating by $x_0$ partitions $E$ into two parts of size $2^{p-1}$: a $(p - 1)$-dimensional subspace $S_0 \le E$ not containing $x_0$ and its translate $S_1 = x_0 + S_0$. We construct the image of $\pi$ in such a way that $\pi(x) = \pi(x + x_0)$ for all $x \in E$. There are many possible ways of achieving this. For the image of $h$, we choose the value of $h(x)$ at random for $x \in S_0$, and we define

Construction of f
Recall that the Boolean function $f$ is expressed as with $z = x + y$; $x \in E$, $y \in F$. We have all the ingredients in place to compute $f$. For example, we may proceed as follows: without loss of generality, we may assume that the information coordinates for the code $F$ are the first $q$ coordinates. Then, given $z = (z_1, z_2, \ldots, z_q, z_{q+1}, \ldots, z_n) \in \mathbb{F}_2^n$, we may compute $y$ using any systematic generator matrix $G_F$ for $F$ as $y = (z_1, z_2, \ldots, z_q) \cdot G_F$, and then we obtain $x$ by computing $x = y + z$. As we know the images of $\pi$ and $h$ for all $x \in E$ (see previous section), we may obtain the value of $f(z)$.

Reed-Solomon Codes
The class of Reed-Solomon Codes [17] is considered of great importance in coding theory. They are members of the family of algebraic codes. Recall one of the standard descriptions of an extended Reed-Solomon code over $\mathbb{F}_q$ [18]. Let $\mathbb{F}_q = \{0, 1, \alpha, \alpha^2, \cdots, \alpha^{q-2}\}$. Consider the set The Reed-Solomon code $RS(r, q)$ of length $n = q$ is defined by Because a polynomial of degree $l$ has at most $l$ zeros in $\mathbb{F}_q$, we see that $RS(r, q)$ has minimum distance $d = q - r + 1$, which is the best possible, i.e., $RS(r, q)$ is a maximum distance separable (MDS) code [18]. The code $RS(r, q)$ has parameters $[q, r, q - r + 1]_q$.

Boolean Functions from $RS(r, 2^m)$
For our construction of Boolean functions, we will use a concatenated Reed-Solomon code. Let $C = RS(r, 2^m)$; this is our outer code. Let $I$ be the all even-weight codewords, then with parameters $[m + 1, m, 2]_2$. After concatenation, we obtain a code $F$ with parameters $[(m + 1)2^m, m \cdot r, 2(2^m - r + 1)]_2$.
We will use our code $F$ as the main ingredient to the MM construction, obtaining a new family of Boolean functions in $n = (m + 1)2^m$ variables. The dimension of the complementary vector space $E$ is, therefore, $(m + 1)2^m - m \cdot r$, and $\mathbb{F}_2^n = E \oplus F$. We now focus on the coset $x_0 + F$. As $F$ is constructed by evaluating all polynomials of degree less than $r$ over $\mathbb{F}_{2^m}[x]$, we can assume that $x_0$ is also constructed by evaluating a polynomial $L(x)$ over $\mathbb{F}_{2^m}[x]$. A polynomial $L(x)$ can be obtained using Lagrange interpolation in which the evaluation produces a suitable concatenated $x_0$. Let $a_1, \ldots, a_r$ be a set of information coordinates for the code $RS(r, 2^m)$; by Lagrange interpolation, we can obtain a polynomial $L(x)$ of degree $r$ such that $L(a_i) = 0$ for $i = 1, \ldots, r$ and $L(a_{i+1}) = s$, $s \in \mathbb{F}_{2^m} - \{0\}$. The vector $ev(L)$ is a vector in the complement of $RS(r, 2^m)$ as a vector space over $\mathbb{F}_{2^m}$, and the coset $ev(L) + RS(r, 2^m)$ has minimum weight $\ge 2^m - r$. Let $x_0$ be the image of $ev(L)$ under concatenation; it follows that $x_0$ is a vector in the complement of $F$ as a binary vector space, and, by construction, the minimum weight of the coset $x_0 + F$ is $\ge 2(2^m - r)$. Thus, by using our proposed $F$ and $x_0$ in Guillot's construction, we obtain a Boolean function satisfying $PC(2^{m+1} - 2r - 1)$.
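The parameter formulas of this section can be verified by brute force for the smallest case, $m = 2$, $r = 3$. The following is an added example, not code from the paper: it uses the symbol map the paper gives in its Example # 2 (0 → 000, 1 → 101, α → 011, α + 1 → 110), and it assumes an integer encoding of $\mathbb{F}_4$, the evaluation order 0, 1, α, α + 1, and $s = 1$ for the interpolated polynomial $L$; all function names are illustrative.

```python
from itertools import product

# F_4 as integers: 0, 1, 2 = alpha, 3 = alpha + 1; addition is XOR.
EXP = [1, 2, 3]                 # alpha^0, alpha^1, alpha^2 = alpha + 1
LOG = {1: 0, 2: 1, 3: 2}
# Symbol map from Example # 2: 0->000, 1->101, alpha->011, alpha+1->110.
INNER = {0: (0, 0, 0), 1: (1, 0, 1), 2: (0, 1, 1), 3: (1, 1, 0)}

def mul(a, b):
    return 0 if 0 in (a, b) else EXP[(LOG[a] + LOG[b]) % 3]

def evaluate(coeffs, x):
    """Horner evaluation of sum(coeffs[i] * x^i) over F_4."""
    acc = 0
    for c in reversed(coeffs):
        acc = mul(acc, x) ^ c
    return acc

def rs_codewords(r):
    """RS(r, 4): evaluations on 0, 1, alpha, alpha+1 of all degree < r polynomials."""
    return [tuple(evaluate(c, x) for x in range(4))
            for c in product(range(4), repeat=r)]

def concatenate(word):
    """Replace every F_4 symbol by its 3-bit inner codeword."""
    return tuple(bit for symbol in word for bit in INNER[symbol])

def parameters(code, q):
    """[n, k, d] of a linear code given by its full list of codewords."""
    words = set(code)
    k = 0
    while q ** k < len(words):
        k += 1
    d = min(sum(s != 0 for s in w) for w in words if any(w))
    return len(code[0]), k, d

def coset_min_weight(x0, code):
    """Minimum Hamming weight in the binary coset x0 + code."""
    return min(sum(a ^ b for a, b in zip(x0, w)) for w in code)

OUTER = rs_codewords(3)
F_CODE = [concatenate(w) for w in OUTER]
# ev(L) for L vanishing on 0, 1, alpha with L(alpha + 1) = 1 (Lagrange, s = 1).
X0 = concatenate((0, 0, 0, 1))

if __name__ == "__main__":
    print(parameters(OUTER, 4), parameters(F_CODE, 2), coset_min_weight(X0, F_CODE))
```

For these values the outer code is $[4, 3, 2]_4$, the concatenated code is $[12, 6, 4]_2$, and the coset $x_0 + F$ has minimum weight exactly $2(2^m - r) = 2$.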

On the Number of Distinct Boolean Functions
The cryptographic properties of the functions obtained in our construction depend solely on the properties of the code $F$ and the image $\pi(E)$. Once $\pi(E)$ and $F$ are fixed, we may construct $2^p! \times 2^{2^p}$ (see Reference [16]) distinct Boolean functions with identical cryptographic properties. In our construction, we have incorporated extra choices in the concatenation step; namely, we have $2^{2k} - 1$ choices for the isomorphism, bringing the total number of distinct Boolean functions up to $2^p! \times 2^{2^p} \times (2^{2k} - 1)$.

Examples

Example # 1. π One-to-One
For this example, we will take $n = 16$; so $\dim(F) = 9$ and $\dim(E) = 7$ were selected. For this, we select a code $RS(3, 4)$ over $\mathbb{F}_{2^3}$ with primitive polynomial $\alpha^3 + \alpha^2 + 1$ and a concatenation code of even weight $I = [4, 3, 2]$. Now, we build all cosets of the form $u + F^\perp$, where $u \in E^\perp$, and we calculate the minimum weights of each coset.

Example # 2. π Two to One
Suppose we want to build a 12-variable Boolean function. As the main ingredient, we use the Reed-Solomon code $C = RS(3, 4)$ over $\mathbb{F}_4$ with parameters $[4, 3, 2]$. A generator matrix for $C$ is where $\alpha^2 + \alpha + 1 = 0$. We now obtain a binary code from $C$ by concatenation with the even weight code $I = \{000, 101, 011, 110\}$ with parameters $[3, 2, 2]$. Any other 2-dimensional binary code will serve as an inner code. The next step is to choose any homomorphism $\nu$ between $\mathbb{F}_4$ and $I$ as vector spaces over $\mathbb{F}_2$. For our example, we choose $0 \to 000$, $1 \to 101$, $\alpha \to 011$, $\alpha + 1 \to 110$. After concatenation, we obtain a binary code $F$ with parameters $[12, 6, 4]$. A systematic generator matrix for $F$ is given by The row span of $G_F$ is the binary vector space $F$ in the MM construction. As $G_F$ is systematic, i.e., the first 6 columns are the information coordinates of code $F$, we may easily describe the complementary space $E$ with generator matrix In this example, we have $n = 12$, $p = 6$, $q = 6$, so we will build a two-to-one function $\pi$. The next step is to build $x_0 \in E$ by concatenation of the evaluation vector of $L(x) = x^2 + x$.
We obtain $x_0 = \{0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 0, 0\} \in E$. For each coset $u + F^\perp$ with $u \in E^\perp$, we construct the sets be the minimum distances of $E_0$ and $E_1$, respectively, and let $d_j = \max\{d_0, d_1\}$. Next, we store the pairs $(u, j)$ in an array. In this example, the array is given by As might be noticed, all $u$ in the previous arrays have weight $\ge 3$, as expected from Guillot's results; so, the Boolean function we will construct will have resilience order 2. For $x \in E$, we define $\pi(x) = \pi(x + x_0) \in \mathbb{F}_2$ at random, and we define $h(x) = h_u$ and $h(x + x_0) = h_u + h_t$, where $h_t$ is a random value in $\mathbb{F}_2$.
Using $\pi$ and $h$ defined above in the MM construction, the following cryptographic parameters for the Boolean function $f$ were checked using Sage: balanced, non-linearity of 1984, propagation criteria of order 3, and resilience of order 2.

Conclusions
In this work, we gave a complete description of how the images of π and h should be chosen to build the desired Boolean functions. The desirable cryptographic properties were carefully reviewed given the chosen construction, and we described the advantages and disadvantages of the aforementioned construction. We established the optimal parameters for finding the Boolean functions. Thus, it is possible to know when the functions will be balanced and what order of propagation criterion they will have, as well as their non-linearity and resiliency order. It is also important to note that a non-trivial factor is obtained in terms of the number of different functions obtained with the same properties. All of the above can be known beforehand from the characteristics and properties of the Reed-Solomon code used, according to the n-variable function one wants to build.