A Graph Theoretic Approach to Construct Desired Cryptographic Boolean Functions

Abstract

In this paper, we present four product operations to construct cryptographic boolean functions from smaller ones with predictable Walsh spectrum. A lot of cryptographic properties of boolean functions can be presented by their Walsh spectrum. In our method, we use the product of Cayley graphs to present new boolean functions with desired Walsh spectrum and investigate their non-linearity, algebraic and correlation immunity.

1. Introduction

Boolean functions are fundamental components of a cryptographic algorithm. Designing boolean functions with desired cryptographic properties is an important problem. Boolean functions should have some properties like balancedness, high non-linearity, algebraic immunity, correlation immunity and propagation criterion to be used in a symmetric algorithm. These properties make the cipher resistant against attacks like differential and linear cryptanalysis, correlation and algebraic attacks and statistical tests. Correlation immune functions were introduced by Siegenthaler [1] to resist against a class of divide and conquer attacks on certain models of stream ciphers. Algebraic attacks [2,3] have become a powerful tool that can be used for almost all types of cryptographic systems. Algebraic attacks will be more efficient if boolean functions have low degrees. All cryptographic properties can be measured by the Walsh spectrum of a boolean function. Hence, constructing boolean functions with desired Walsh spectrum can help designers to use practical boolean functions. In this paper, we aim to propose four new methods to construct larger boolean functions from smaller ones with predictable cryptographic properties.

In 1999 Bernasconi et al. made a new characterization for boolean functions exploiting the graph theoretic approach. They proved that any boolean function can be represented by a Cayley graph and eigenvalues of this Cayley graph correspond to its Walsh spectrum. The authors defined a Cayley graph on the boolean function as $f:{\mathcal{Z}}_2^n⟶{\mathcal{Z}}_2$, where $\mathsf{\Gamma }=Cay({\mathcal{Z}}_2^n,{\mathsf{\Omega }}_f)$ where ${\mathsf{\Omega }}_f$ is the support of f and two vertices $x,y\in {\mathcal{Z}}_2^n$ are incident if $x\oplus y\in {\mathsf{\Omega }}_f.$ Since for all elements $x\in {\mathcal{Z}}_2^n$ we have $x^{-1}=x$, any subset of ${\mathcal{Z}}_2^n$ is symmetric. The adjacency matrix of a boolean function $A_f$ is the adjacency matrix of its associated Cayley graph and ${\left(A_f\right)}_{ij}=f(i\oplus j)$. The following theorem is the main result of [4] where the function $W\left(f\right)$ is the Walsh transform of the boolean function f.

Theorem 1.

Let $f:{\mathcal{Z}}_2^n⟶{\mathcal{Z}}_2$, and let ${\lambda }_i,0\le i\le 2^n-1$ be the eigenvalues of its associated Cayley graph.

(i) For any $0\le i\le 2^n-1,{\lambda }_i=W\left(f\right)\left(i\right).$

(ii) The multiplicity of the largest spectral coefficient of f, $W\left(f\right)\left(0\right)$ is equal to $2^{n-dim\langle {\mathsf{\Omega }}_f\rangle }.$

In [5] Stanica investigated some cryptographic properties of boolean functions in terms of their eigenvalues and adapted some graph theory concepts with cryptographic properties of these functions. In the following we state some of these results.

Corollary 1.

Let f be a boolean function and the eigenvalues of ${\mathsf{\Gamma }}_f$ be ordered as ${\lambda }_1\ge {\lambda }_2\ge \cdots \ge {\lambda }_v$.

• Let g be the multiplicity of the lowest eigenvalue of ${\mathsf{\Gamma }}_f$ and ${\lambda }_2\ne 0$, in this case $min\{g+1,1-{\displaystyle \frac{{\lambda }_v}{{\lambda }_2}}\}\le \chi \left({\mathsf{\Gamma }}_f\right)\le \left|{\mathsf{\Omega }}_f\right|$ where $\chi \left({\mathsf{\Gamma }}_f\right)$ is the chromatic number of ${\mathsf{\Gamma }}_f$.
• A boolean function f depends linearly on a variable $x_i$ if and only if the eigenvalues for Cayley graph ${\mathsf{\Gamma }}_f$ satisfy ${\lambda }_0=2^{n-1}$ and if i-th component of binary representation of $a\ne 0$ equals to 0, then ${\lambda }_a=0.$
• For an unbalanced correlation immune function f on ${\mathcal{Z}}_2^n$ of order l, there are ${\sum }_{s=1}^l\left(\genfrac{}{}{0pt}{}{2^n}{s}\right)$ zero eigenvalues of ${\mathsf{\Gamma }}_f$.

In Section 2, we first start with some definitions and basic properties of boolean functions and their cryptographic properties. Next we state some algebraic graph theory that will be used throughout the paper. In Section 3, we first present some related works to our subject and next we propose our methods to construct new boolean functions. Finally, we present some theorems to investigate their cryptographic properties.

2. Definitions and Preliminaries

2.1. Boolean Functions

Consider the field ${\mathcal{Z}}_2$ with elements $\{0,1\}$. Let n be a positive integer and ${\mathcal{Z}}_2^n=\left\{(x_n,\dots ,x_1)\right|x_i\in {\mathcal{Z}}_2,1\le i\le n\}$ be the binary representation of the positive integer set $\{0,1,\dots ,2^n-1\}.$ Here, we show addition in integer sets by +, and addition by module 2 by $\oplus .$ For $x,y\in {\mathcal{Z}}_2^n$, define $x\oplus y=(x_1\oplus y_1,\dots ,x_n\oplus y_n)$ and $x.y=x_1{y}_1\oplus \dots \oplus x_n{y}_n$. We also define the Hamming weight of a vector $x\in {\mathcal{Z}}_2^n$ as $hwt\left(x\right)=|\left\{i\right|x_i=1\}|.$ Now an n-variable boolean function $f(x_n,\dots ,x_2,x_1)$ is a map from ${\mathcal{Z}}_2^n$ to ${\mathcal{Z}}_2.$ The set of all boolean functions over ${\mathcal{Z}}_2^n$ is denoted by $F_n$. An n-variable boolean function $f(x_n,\dots ,x_2,x_1)$ can be represented as a multivariate polynomial over ${\mathcal{Z}}_2$ called algebraic normal form (ANF) as

$$f(x_n,\dots ,x_1)=a_0\underset{i=0}{\overset{n}{⨁}}{a}_i{x}_i\underset{1\le i,j\le n}{⨁}{a}_{ij}{x}_i{x}_j⨁\cdots ⨁a_{1\cdots n}{x}_1{x}_2\cdots x_n.$$

The algebraic degree of a boolean function f is the number of variables in the most existing variables of its multiplicative terms with nonzero coefficient in its ANF and denoted by $deg\left(f\right)$. A boolean function of the form $f\left(x\right)=a_0\oplus a_1{x}_1\oplus \dots \oplus a_n{x}_n$ is called affine and if $a_0=0$, is called linear.

The binary vector of length $2^n$ as $(f\left(0\right),f\left(1\right),\dots ,f(2^n-1))\in {\mathcal{Z}}_2^n,$ is said to be the truth table of f. We also denote the support of f by ${\mathsf{\Omega }}_f$ as $\{x\in {\mathcal{Z}}_2^n|f\left(x\right)=1\}$. Clearly $0\le |{\mathsf{\Omega }}_f|\le 2^n$ and also the hamming weight of f is $hwt\left(f\right)=|{\mathsf{\Omega }}_f|$.

One can see that the ANF of a boolean function $f:{\mathcal{Z}}_2^n⟶{\mathcal{Z}}_2$ with support ${\mathsf{\Omega }}_f$ is

$$f(x_n,\cdots ,x_1)=\underset{\alpha =({\alpha }_n,\cdots ,{\alpha }_1)\in {\mathsf{\Omega }}_f}{⨁}{x}^{\alpha }$$

where $x^{\alpha }=x_n^{\left({\alpha }_n\right)}\cdots x_1^{\left({\alpha }_1\right)}=(x_n\oplus {\alpha }_n\oplus 1)\cdots (x_1\oplus {\alpha }_1\oplus 1)$. So we have

$$f(x_n,\cdots ,x_1)=\underset{\alpha \in {\mathsf{\Omega }}_f}{⨁}\prod _{i=1}^n(x_i\oplus {\alpha }_i\oplus 1).$$

(1)

The distance between two boolean functions $f,g\in F_n$ is defined as $d(f,g)=hwt(f\oplus g).$ For each boolean function $f:{\mathcal{Z}}_2^n⟶{\mathcal{Z}}_2$, the sign function is $\widehat{f}:{\mathcal{Z}}_2^n⟶\{-1,1\}$ where $\widehat{f}\left(x\right)={(-1)}^{f\left(x\right)}.$

The Walsh transform of a boolean function is a function $W\left(f\right)$ from ${\mathcal{Z}}_2^n$ to $\mathcal{Z}$ where

$$W\left(f\right)\left(w\right)=\sum _{x=0}^{2^n-1}f\left(x\right){(-1)}^{w.x}.$$

It is clear that $W\left(f\right)\left(0\right)=|{\mathsf{\Omega }}_f|$ and the Walsh spectrum of a boolean function can be defined as $(W\left(f\right)\left(0\right),\cdots ,W\left(f\right)(2^n-1)).$ Also the relation between $W\left(f\right)\left(w\right)$ and $W\left(\widehat{f}\right)\left(w\right)={\sum }_{x=0}^{2^n-1}{(-1)}^{f\left(x\right)+w.x}$ is as follows

$$W\left(f\right)\left(w\right)=2^{n-1}\delta \left(w\right)-\frac{1}{2}W\left(\widehat{f}\right)\left(w\right),$$

(2)

$$W\left(\widehat{f}\right)\left(w\right)=2^n\delta \left(w\right)-2W\left(f\right)\left(w\right),$$

(3)

where $\delta \left(w\right)=1$ if $w=0$ and $\delta \left(w\right)=0$, otherwise.

Any cryptographical property comes from a concrete attack or a potential security threat to cryptosystems. A lot of cryptographic properties of boolean functions can be described by their Walsh spectrum. The Walsh spectrum has been mostly employed for analysis and generalization of desired cryptographic boolean functions [6,7,8].

A boolean function f is called balanced if the number of outputs 0 is equal to the number of outputs 1 or $|{\mathsf{\Omega }}_f|=2^{n-1}$.

The nonlinearity of a boolean function f denoted by $nl\left(f\right)$ is an important criterion to measure the distance of the boolean function with the set of all affine functions. This criterion is a security property to measure how resistant a boolean function is against linear cryptanalysis which is a common and strong attack. If a boolean function has low nonlinearity, an attacker can approximate it by an affine function. A boolean function with high nonlinearity cannot be approximated by linear or affine functions. The nonlinearity of a boolean function can be measured by the following lemma.

Lemma 1.

[9] For an n-variable boolean function $f,$

$$nl\left(f\right)=2^{n-1}-\frac{1}{2}ma{x}_{w\in {\mathcal{Z}}_2^n}|W(\widehat{f})\left(w\right)|.$$

By Lemma 1 and Equation (3), one can deduce the following lemma.

Lemma 2.

$$nl\left(f\right)=min\{hwt\left(f\right),2^n-hwt\left(f\right),2^{n-1}-ma{x}_{w\in {{\mathcal{Z}}_2}^n}|W\left(f\right)\left(w\right)\left|\right\}.$$

If a boolean function f is a statistically independent of any k of its input variables, then we call f is the correlation immune of order k or k-CI which is a security measure about how resistant a boolean function is against a correlation attack. If a boolean function is balanced and correlation immunity is of order k, then it is said to be k-resilient. Correlation immune (CI) boolean functions were introduced by Siegenthaler [1] to introduce a criterion to resist against certain types of divide and conquer cryptanalysis on some kind of stream ciphers. In 1985, Chor et al. [10] conjectured that the only one-resilient symmetric functions are the exclusive- or of all n-variable and its negation. This conjecture was disproved by Gopalakrishnan, Hoffman and Stinson in [11] in 1993 by presenting a class of infinite counter examples, and they noted that it does not seem to extend any further in an obvious way. Maitra et al. [12] in 1999 proved that the number of n-variable CI boolean functions with Hamming weight $2t+2$ is strictly greater than the number of these functions with Hamming weight $2t$ for which $2t<2^{n-1}$.

The relation of correlation immunity of a boolean function with its Walsh spectrum can be interpreted as follows.

Lemma 3.

A boolean function is correlation immune of order k if and only if for any $w\in {\mathcal{Z}}_2^n$ with $1\le hwt\left(w\right)\le k,$$W\left(f\right)\left(w\right)=0.$

The algebraic immunity is a cryptographic property that measures the resistance of a boolean function against the algebraic attack proposed by Courtois in 2003 in [2] for stream ciphers and also for block ciphers in [3]. Constructing boolean functions with the best algebraic immunity is a very hard task. The algebraic immunity is an important property of boolean functions that causes resistance against algebraic attack. An algebraic attack is a powerful attack which might threaten the security of both blocks and stream ciphers. The idea is to set up an algebraic system of equations verified by the key bits and trying to solve it. This raises the fundamental issue of determining whether or not a given function has non-trivial low degree multiples. Further, the algebraic immunity of the boolean function $f\in F_n$ is defined as follows:

$$\begin{array}{c}\hfill AI\left(f\right)=min\left\{deg\left(g\right)\right|g\in F_n,(fg=0or(f\oplus 1)g=0)\}.\end{array}$$

The problem of finding boolean functions with high algebraic immunity is equivalent to the problem of resisting against algebraic attack. There is a theorem from [13] that characterizes the relation between the support of a boolean function and its algebraic immunity as the following:

Theorem 2.

If the support of a boolean function f on n variables is a k-dimensional subspace of ${\mathcal{Z}}_2^n$, then the algebraic degree of f is $n-k$.

2.2. Graph Theory

Since we use some results in graph theory and algebraic graph theory, we now recall some concepts and results in these field in the following.

The set of vertices and edges of a graph G are denoted by $V\left(G\right)$ and $E\left(G\right)$, respectively. A graph with n vertices and m edges is called $(n,m)$-graph. Two vertices are adjacent if there is an edge between them. A graph is called r-regular if every vertex is adjacent to exactly r vertices.

The adjacency matrix of G is a (0,1)-matrix $A={\left(a_{ij}\right)}_{n\times n}$ the rows and columns of which are labeled by vertices and if $v_i{v}_j\in E\left(G\right),(1\le i,j\le n)$ then $a_{ij}=1$ and $a_{ij}=0$, otherwise. The determinant $det(A-\lambda I)$ is a polynomial of degree n which is called characteristic polynomial of G. The roots of this polynomial are called the eigenvalues of G. If ${\lambda }_1>{\lambda }_2>\dots >{\lambda }_k$ are distinct eigenvalues of G with multiplicities $s_1,s_2,\dots ,s_k$ respectively, we denote the spectrum of G by $spec\left(G\right)=\{{\lambda }_1^{s_1},\dots ,{\lambda }_k^{s_k}\}.$

Now we define the Cayley graph from [14]. Let A be a group and $S_A$ be a subset of A such that $1_A\notin S_A$ and if $x\in S_A$ then $x^{-1}\in S_A$(symmetric subset of the group), the Cayley graph $\mathsf{\Gamma }=Cay(A,S_A)$ is a simple graph where

$$V\left(\mathsf{\Gamma }\right)=A\mathrm{and}E\left(\mathsf{\Gamma }\right)=\left\{\{g,h\}\right|g{h}^{-1}\in S_A\}.$$

The Cayley graph $\mathsf{\Gamma }=Cay(A,S_A)$ is a $|S_A|$-regular graph. Here, we use [15] to introduce four graph products namely, the Cartesian product, tensor product, strong product and lexicographic product and then we investigate some algebraic approachs for the Walsh spectrum of regarded boolean functions. The main question is under which conditions, the product of two Cayley graphs, is again a Cayley graph.

The Cartesian product of two graphs $G_1$ and $G_2$ denoted by $G_1\square G_2$ is the graph with vertex set $V\left(G_1\right)\times V\left(G_2\right)$ and edge set

$$\left\{(v_1,u_1)(v_2,u_2)\right|v_1=v_2,u_1{u}_2\in E\left(G_2\right)or{v}_1{v}_2\in E\left(G_1\right),u_1=u_2\}.$$

If $\left\{{\alpha }_i\right|1\le i\le n_1\}$ and $\left\{{\beta }_j\right|1\le j\le n_2\}$ are the eigenvalue multisets of $G_1$ and $G_2$ (respectively), then $\{{\alpha }_i+{\beta }_j,|1\le i\le n_1,1\le j\le n_2\}$ is the eigenvalue multiset of $G_1\square G_2$. In the following theorem, the conditions which shows when a Cartesian product of two Cayley graphs is again a Cayley graph, is investigated.

Theorem 3.

[16] Let A and B be two groups. If ${\mathsf{\Gamma }}_1=Cay(A,S_A)$ and ${\mathsf{\Gamma }}_2=Cay(B,S_B)$ are two Cayley graphs, then the Cartesian product of two graphs $\mathsf{\Gamma }={\mathsf{\Gamma }}_1\square {\mathsf{\Gamma }}_2$ is also a Cayley graph and $\mathsf{\Gamma }=Cay(A\times B,S)$ where $S=(S_A,1_B)\cup (1_A,S_B).$

Let $G_1$ be an $(n_1,m_1)$-graph and $G_2$ an $(n_2,m_2)$-graph. The tensor product $G_1\otimes G_2$ is a graph with vertex set $V\left(G_1\right)\times V\left(G_2\right)$ and $E(G_1\otimes G_2)=\left\{(v_1,u_1)(v_2,u_2)\right|v_1{v}_2\in E\left(G_1\right),u_1{u}_2\in E\left(G_2\right)\}.$ Suppose $\left\{{\alpha }_i\right|1\le i\le n_1\}$ and $\left\{{\beta }_j\right|1\le j\le n_2\}$ are respectively the eigenvalue multisets of $G_1,G_2$, then $\left\{{\alpha }_i{\beta }_j\right|1\le i\le n_1,1\le j\le n_2\}$ is the eigenvalue multiset of $G_1\otimes G_2.$ More generally, we have the following theorem.

Theorem 4.

[16] Let A and B be two groups whose related Cayley graphs are ${\mathsf{\Gamma }}_1=Cay(A,S_A)$ and ${\mathsf{\Gamma }}_2=Cay(B,S_B)$. Then the tensor product $\mathsf{\Gamma }={\mathsf{\Gamma }}_1\otimes {\mathsf{\Gamma }}_2$ is also a Cayley graph where $\mathsf{\Gamma }=Cay(A\times B,S)$ and $S=S_A\times S_B.$

The strong product of two graphs $G_1$ and $G_2$ denoted by $G_1\odot G_2$ is a graph with vertex set $V\left(G_1\right)\times V\left(G_2\right)$ and edge set $E(G_1\odot G_2)=E(G_1\square G_2)\cup E(G_1\otimes G_2).$ If $\left\{{\alpha }_i\right|1\le i\le n_1\}$ and $\left\{{\beta }_j\right|1\le j\le n_2\}$ are respectively the eigenvalue multisets of $G_1$ and $G_2$, then $\{({\alpha }_i+1)({\beta }_j+1)-1,|1\le i\le n_1,1\le j\le n_2\}$ is the eigenvalue multiset of $G_1\odot G_2.$

Theorem 5.

[16] Let A and B be two groups. If ${\mathsf{\Gamma }}_1=Cay(A,S_A)$ and ${\mathsf{\Gamma }}_2=Cay(B,S_B)$ are two Cayley graphs, then the strong product $\mathsf{\Gamma }={\mathsf{\Gamma }}_1\odot {\mathsf{\Gamma }}_2$ is also a Cayley graph and $\mathsf{\Gamma }=Cay(A\times B,S)$, where $S=(S_A\times S_B)\cup (S_A,1_B)\cup (1_A,S_B).$

The lexicographic product $G_1\circ G_2$ of two graphs $G_1$ and $G_2$ is one with vertex set $V\left(G_1\right)\times V\left(G_2\right)$ and

$$E(G_1\circ G_2)=\left\{(v_1,u_1)(v_2,u_2)\right|v_1{v}_2\in E\left(G_1\right)or{v}_1=v_2,u_1{u}_2\in E\left(G_2\right)\}.$$

Theorem 6.

[17] Let $G_1$ be a graph of order $n_1$ with spectrum $spec\left(G_1\right)=\{{\lambda }_1^{m_1},{\lambda }_2^{m_2},\dots ,{\lambda }_s^{m_s}\}$ and let $G_2$ be a p-regular graph of order $n_2$ with spectrum $spec\left(G_2\right)=\{{\mu }_1^{r_1},{\mu }_2^{r_2},\dots ,{\mu }_t^{r_t}\}.$ Then

$$\begin{array}{ccc}\hfill spec(G_1\circ G_2)& =& \{p^{n_1(r_1-1)},{\mu }_2^{n_1{r}_2},\cdots ,{\mu }_t^{n_1{r}_t}\}\hfill \\ & \cup & \{{(n_2{\lambda }_1+{\mu }_1)}^{m_1},\cdots ,{(n_2{\lambda }_s+{\mu }_1)}^{m_s}\}.\hfill \end{array}$$

Theorem 7.

[16] Let A and B be two groups. If ${\mathsf{\Gamma }}_1=Cay(A,S_A)$ and ${\mathsf{\Gamma }}_2=Cay(B,S_B)$ are two Cayley graphs, then the lexicographic product $\mathsf{\Gamma }={\mathsf{\Gamma }}_1\circ {\mathsf{\Gamma }}_2$ is also a Cayley graph in which $\mathsf{\Gamma }=Cay(A\times B,S)$ and $S=(S_A\times B)\cup (1_A,S_B).$

3. Main Results

Constructing cryptographic boolean functions with different methods is a prevalent research field.

Here, we construct four new families of boolean functions by means of graph products with predictable Walsh spectrum and then we verify their correlation immunity, algebraic immunity and nonlinearity. For a given boolean function f, we suppose $f\left(0\right)=0$ or the associated Cayley graph is simple. Let $f_1:{\mathcal{Z}}_2^{n_1}⟶{\mathcal{Z}}_2$ and $f_2:{\mathcal{Z}}_2^{n_2}⟶{\mathcal{Z}}_2$ be two boolean functions with associated Cayley graphs ${\mathsf{\Gamma }}_1=Cay({\mathcal{Z}}_2^{n_1},{\mathsf{\Omega }}_{f_1})$ and ${\mathsf{\Gamma }}_2=Cay({\mathcal{Z}}_2^{n_2},{\mathsf{\Omega }}_{f_2})$, respectively. In the following, suppose $\left[n\right]=\{1,2,\cdots ,n\}$.

First construction. The Cartesian product of two boolean functions can be defined as $f_1\square f_2:{\mathcal{Z}}_2^{n_1+n_2}⟶{\mathcal{Z}}_2$ with

$$\begin{array}{ccc}\hfill {\mathsf{\Omega }}_{f_1\square f_2}& =& \{x\in {\mathcal{Z}}_2^{n_1+n_2}|(x_{n_1+n_2},\cdots ,x_{n_1+1})\in {\mathsf{\Omega }}_{f_2},x_i=0,i\in \left[n_1\right]\}\hfill \\ & \cup & \{x\in {\mathcal{Z}}_2^{n_1+n_2}|(x_{n_1},\cdots ,x_1)\in {\mathsf{\Omega }}_{f_1},x_{i+n_1}=0,i\in \left[n_2\right]\}.\hfill \end{array}$$

Clearly, $|{\mathsf{\Omega }}_{f_1\square f_2}|=|{\mathsf{\Omega }}_{f_1}|+|{\mathsf{\Omega }}_{f_2}|$ and by Equation (1), one can conclude that the ANF of $f=f_1\square f_2$ is

$$\begin{array}{ccc}\hfill \mathit{f}({\mathit{x}}_{n_1+n_2},\cdots ,x_2,x_1)& =& f_2(x_{n_1+n_2},\cdots ,x_{n_1+1})\square f_1(x_{n_1},\cdots ,x_1)\hfill \\ & =& (1\oplus x_{n_1+n_2})\cdots (1\oplus x_{n_1+1})f_1(x_{n_1},\cdots ,x_1)\hfill \\ & \oplus & (1\oplus x_{n_1})\cdots (1\oplus x_1)f_2(x_{n_1+n_2},\cdots ,x_{n_1+1}).\hfill \end{array}$$

The spectrum of the related Cayley graph on $f_1\square f_2$ is

$$\{W\left({\mathit{f}}_1\right)\left(x\right)+W\left(f_2\right)\left(y\right)|x\in {\mathcal{Z}}_2^{n_1},y\in {\mathcal{Z}}_2^{n_2}\}.$$

Second construction. The tensor product of two boolean functions can be defined as $f_1\otimes f_2:{\mathcal{Z}}_2^{n_1+n_2}⟶{\mathcal{Z}}_2$ with

$${\mathsf{\Omega }}_{f_1\otimes f_2}=\{x\in {\mathcal{Z}}_2^{n_1+n_2}|(x_{n_1+n_2},\dots ,x_{n_1+1})\in {\mathsf{\Omega }}_{f_2},(x_{n_1},\cdots ,x_1)\in {\mathsf{\Omega }}_{f_1}\}.$$

One can conclude that the ANF of $f=f_1\otimes f_2$ is

$$\begin{array}{ccc}\hfill \mathit{f}({\mathit{x}}_{n_1+n_2},\cdots ,x_1)& =& f_2(x_{n_1+n_2},\cdots ,x_{n_1+1})\otimes f_1(x_{n_1},\cdots ,x_1)\hfill \\ & =& {\mathit{f}}_2(x_{n_1+n_2},\cdots ,x_{n_1+1})f_1(x_{n_1},\cdots ,x_1),\hfill \end{array}$$

where, on the other hand, the spectrum of the related Cayley graph on $f_1\otimes f_2$ is

$$\left\{W\left(f_1\right)\left(x\right)W\left(f_2\right)\left(y\right)\right|x\in {\mathcal{Z}}_2^{n_1},y\in {\mathcal{Z}}_2^{n_2}\}.$$

Third construction. In this construction we define the strong product of two boolean functions as $f=f_1\odot f_2:{\mathcal{Z}}_2^{n_1+n_2}⟶{\mathcal{Z}}_2$ with

$$\begin{array}{ccc}\hfill {\mathsf{\Omega }}_f& =& \{x\in {\mathcal{Z}}_2^{n_1+n_2}|(x_{n_1+n_2},\cdots ,x_{n_1+1})\in {\mathsf{\Omega }}_{f_2},(x_{n_1},\cdots ,x_1)\in {\mathsf{\Omega }}_{f_1}\}\hfill \\ & \cup & \{x\in {\mathcal{Z}}_2^{n_1+n_2}|(x_{n_1+n_2},\cdots ,x_{n_1+1})\in {\mathsf{\Omega }}_{f_2},x_i=0,i\in \left[n_1\right]\}\hfill \\ & \cup & \{x\in {\mathcal{Z}}_2^{n_1+n_2}|(x_{n_1},\cdots ,x_1)\in {\mathsf{\Omega }}_{f_1},x_{i+n_1}=0,i\in \left[n_2\right]\}.\hfill \end{array}$$

By Equation (1), it is easy to verify that the ANF of $f=f_1\odot f_2$ is

$$\begin{array}{ccc}\hfill \mathit{f}({\mathit{x}}_{n_1+n_2},\cdots ,x_1)& =& f_2(x_{n_1+n_2},\cdots ,x_{n_1+1})\odot f_1(x_{n_1},\cdots ,x_1)\hfill \\ & =& {\mathit{f}}_2(x_{n_1+n_2},\cdots ,x_{n_1+1})f_1(x_{n_1},\cdots ,x_1)\hfill \\ & \oplus & (1\oplus x_{n_1+n_2})\cdots (1\oplus x_{n_1+1})f_1(x_{n_1},\cdots ,x_1)\hfill \\ & \oplus & (1\oplus x_{n_1})\cdots (1\oplus x_1)f_2(x_{n_1+n_2},\cdots ,x_{n_1+1}),\hfill \end{array}$$

where $|{\mathsf{\Omega }}_{f_1\odot f_2}|=|{\mathsf{\Omega }}_{f_1}\left|\right|{\mathsf{\Omega }}_{f_2}|+|{\mathsf{\Omega }}_{f_1}|+|{\mathsf{\Omega }}_{f_2}|.$ The spectrum of the related Cayley graph on $f_1\odot f_2$ is

$$\{W\left({\mathit{f}}_1\right)\left(x\right)W\left(f_2\right)\left(y\right)+W\left(f_1\right)\left(x\right)+W\left(f_2\right)\left(y\right)|x\in {\mathcal{Z}}_2^{n_1},y\in {\mathcal{Z}}_2^{n_2}\}.$$

Fourth construction. Here we define the lexicographic product of two boolean functions as $f=f_1\circ f_2:{\mathcal{Z}}_2^{n_1+n_2}⟶{\mathcal{Z}}_2$ with

$$\begin{array}{ccc}\hfill {\mathsf{\Omega }}_f& =& \{x\in {\mathcal{Z}}_2^{n_1+n_2}|(x_{n_1+n_2},\cdots ,x_{n_1+1})\in {\mathcal{Z}}_2^{n_2}\mathrm{and}(x_{n_1},\cdots ,x_1)\in {\mathsf{\Omega }}_{f_1}\}\hfill \\ & \cup & \{x\in {\mathcal{Z}}_2^{n_1+n_2}|(x_{n_1+n_2},\cdots ,x_{n_1+1})\in {\mathsf{\Omega }}_{f_2}\mathrm{and}{x}_i=0,1\le i\le n_1\}.\hfill \end{array}$$

where $|{\mathsf{\Omega }}_{f_1\circ f_2}|=2^{n_2}|{\mathsf{\Omega }}_{f_1}|+|{\mathsf{\Omega }}_{f_2}|.$ By Equation (1), one can see that the ANF of $f=f_1\circ f_2$ is

$$\begin{array}{ccc}\hfill \mathit{f}({\mathit{x}}_{n_1+n_2},\cdots ,x_1)& =& {\mathit{f}}_2(x_{n_1+n_2},\cdots ,x_{n_1+1})\circ f_1(x_{n_1},\cdots ,x_1)\hfill \\ & =& [{\mathit{f}}_1(x_{n_1},\cdots ,x_1)\oplus (1\oplus x_{n_1})]\cdots \hfill \\ & & \left[(1\oplus x_1)f_2(x_{n_1+n_2},\cdots ,x_{n_1+1})\right].\hfill \end{array}$$

The spectrum of the related Cayley graph on $f_1\circ f_2$ is

$$\begin{array}{c}\hfill spec\left(f_2\right)\cup \{2^{n_2}W\left(f_1\right)\left(x\right)+W\left(f_2\right)\left(0\right)|x\in {\mathcal{Z}}_2^{n_1}\}.\end{array}$$

Now we verify the cryptographic properties of these constructions. In the following theorems, let $f_1$ and $f_2$ be as above.

Theorem 8.

In construction one, if $f_1$ and $f_2$ are correlation immune of order l, then $f_1\square f_2$ is correlation immune of order l. Also if $f_1$ and $f_2$ are correlation immune of order l such that $|{\mathsf{\Omega }}_{f_1}|+|{\mathsf{\Omega }}_{f_2}|=2^{n_1+n_2-1},$ then $f_1\square f_2$ is $l-$resilient.

Proof. 

Let $f=f_1\square f_2$ and $w=(w_{n_1+n_2},\dots ,w_1)\in {\mathcal{Z}}_2^{n_1+n_2}$ in which $hwt\left(w\right)=l.$ Let $w=(a,b),a\in {\mathcal{Z}}_2^{n_2},b\in {\mathcal{Z}}_2^{n_1}$, then

$$\begin{array}{ccc}\hfill W\left(f\right)\left(w\right)& =& \sum _{x\in {\mathcal{Z}}_2^{n_1+n_2},x=(r,s)}f\left(x\right){(-1)}^{w.x}=\sum _{x\in {\mathsf{\Omega }}_{f_1\square f_2}}{(-1)}^{w.x}\hfill \\ & =& \sum _{r\in {\mathsf{\Omega }}_{f_2},s=0}{(-1)}^{w.x}+\sum _{r=0,s\in {\mathsf{\Omega }}_{f_1}}{(-1)}^{w.x}\hfill \\ & =& \sum _{r\in {\mathsf{\Omega }}_{f_2}}{(-1)}^{a.r}+\sum _{s\in {\mathsf{\Omega }}_{f_1}}{(-1)}^{b.s}\hfill \\ & =& W\left(f_2\right)\left(a\right)+W\left(f_1\right)\left(b\right).\hfill \end{array}$$

Since $hwt\left(a\right),hwt\left(b\right)\le l$ and $f_1$ and $f_2$ are $l-$CI, we can verify that $W\left(f_2\right)\left(a\right)=0,W\left(f_1\right)\left(b\right)=0$ and hence $W\left(f\right)\left(w\right)=0.$ □

Theorem 9.

In the second construction, if $f_1$ and $f_2$ are l-CI, then $f_1\otimes f_2$ is l-CI, and if $|{\mathsf{\Omega }}_{f_1}\left|\right|{\mathsf{\Omega }}_{f_2}|=2^{n_1+n_2-1},$ then $f_1\otimes f_2$ is l-resilient.

Proof. 

For any $w\in {\mathcal{Z}}_2^{n_1+n_2}$ with $hwt\left(w\right)=l$ and $w=(a,b)$, where $a\in {\mathcal{Z}}_2^{n_2},b\in {\mathcal{Z}}_2^{n_1},$ we prove $W\left(f\right)\left(w\right)=W\left(f_2\right)\left(a\right)W\left(f_1\right)\left(b\right)$. This yields that

$$\begin{array}{ccc}\hfill W\left(f\right)\left(w\right)& =& \sum _{x\in {\mathcal{Z}}_2^{n_1+n_2},x=(r,s)}f\left(x\right){(-1)}^{w.x}\hfill \\ & =& \sum _{x\in {\mathsf{\Omega }}_{f_1\otimes f_2}}{(-1)}^{w.x}\hfill \\ & =& \sum _{r\in {\mathsf{\Omega }}_{f_2},s\in {\mathsf{\Omega }}_{f_1}}{(-1)}^{a.r+b.s}\hfill \\ & =& \sum _{r\in {\mathsf{\Omega }}_{f_2},s\in {\mathsf{\Omega }}_{f_1}}{(-1)}^{a.r}{(-1)}^{b.s}\hfill \\ & =& \sum _{r\in {\mathsf{\Omega }}_{f_2}}{(-1)}^{a.r}\sum _{s\in {\mathsf{\Omega }}_{f_1}}{(-1)}^{b.s}\hfill \\ & =& W\left(f_2\right)\left(a\right)W\left(f_1\right)\left(b\right).\hfill \end{array}$$

Since $hwt\left(a\right),hwt\left(b\right)\le l$ and $f_1$ and $f_2$ are $l-$CI, we have $W\left(f_2\right)\left(a\right)=0,W\left(f_1\right)\left(b\right)=0$ and hence $W\left(f\right)\left(w\right)=0.$ □

Theorem 10.

If $f_1$ and $f_2$ are l-CI, then $f_1\odot f_2$ is l-CI, and if $|{\mathsf{\Omega }}_{f_1}\left|\right|{\mathsf{\Omega }}_{f_2}|+|{\mathsf{\Omega }}_{f_1}|+|{\mathsf{\Omega }}_{f_2}|=2^{n_1+n_2-1},$ then $f_1\odot f_2$ is l-resilient.

Proof. 

Since ${\mathsf{\Omega }}_{f_1\odot f_2}={\mathsf{\Omega }}_{f_1\square f_2}\cup {\mathsf{\Omega }}_{f_1\otimes f_2},$ then for any $w\in {\mathcal{Z}}_2^{n_1+n_2}$ with $hwt\left(w\right)=l$ and $w=(a,b),a\in {\mathcal{Z}}_2^{n_2},b\in {\mathcal{Z}}_2^{n_1},$ we have $W\left(f\right)\left(w\right)=W\left(f_2\right)\left(a\right)+W\left(f_1\right)\left(b\right)+W\left(f_2\right)\left(a\right)W\left(f_1\right)\left(b\right).$ On the other hand, $f_1,f_2$ are $l-$CI and $hwt\left(a\right),hwt\left(b\right)\le l$ which yields that $W\left(f_2\right)\left(a\right)=0$ and $W\left(f_1\right)\left(b\right)=0$. This means that $W\left(f\right)\left(w\right)=0.$ □

Theorem 11.

For two boolean functions $f_1,f_2$, the boolean function $f_1\circ f_2$ is not correlation immune.

Proof. 

Consider the element $w\in {\mathcal{Z}}_2^{n_1+n_2}$ such that $hwt\left(w\right)=l$ and $w=(a,b)$, where $a\in {\mathcal{Z}}_2^{n_2},b\in {\mathcal{Z}}_2^{n_1}.$ In this case we have

$$\begin{array}{ccc}\hfill W\left(f\right)\left(w\right)& =& \sum _{x\in {\mathcal{Z}}_2^{n_1+n_2},x=(r,s)}f\left(x\right){(-1)}^{w.x}\hfill \\ & =& \sum _{x\in {\mathsf{\Omega }}_{f_1\circ f_2}}{(-1)}^{w.x}\hfill \\ & =& \sum _{r\in {\mathcal{Z}}_2^{n_2},s\in {\mathsf{\Omega }}_{f_1}}{(-1)}^{w.x}+\sum _{r\in {\mathsf{\Omega }}_{f_2},s=0}{(-1)}^{w.x}\hfill \\ & =& \sum _{r\in {\mathcal{Z}}_2^{n_2},s\in {\mathsf{\Omega }}_{f_1}}{(-1)}^{a.r}{(-1)}^{b.s}+\sum _{r\in {\mathsf{\Omega }}_{f_2}}{(-1)}^{a.r}\hfill \\ & =& \sum _{r\in {\mathcal{Z}}_2^{n_2}}{(-1)}^{a.r}\sum _{s\in {\mathsf{\Omega }}_{f_1}}{(-1)}^{b.s}+W\left(f_2\right)\left(a\right).\hfill \end{array}$$

In other words, if $a=0,$ then $W\left(f\right)\left(w\right)=2^{n_2}W\left(f_1\right)\left(b\right)+W\left(f_2\right)\left(0\right)$ and if $a\ne 0$ then $W\left(f\right)\left(w\right)=W\left(f_2\right)\left(a\right).$ □

The algebraic immunity of these constructions is presented in the following:

Theorem 12.

Let $f_1:{\mathcal{Z}}_2^{n_1}⟶{\mathcal{Z}}_2$ and $f_2:{\mathcal{Z}}_2^{n_2}⟶{\mathcal{Z}}_2$ be two boolean functions. Then

(i) $AI(f_1\square f_2)=2,$

(ii) $AI(f_1\otimes f_2)\le min\{AI\left(f_1\right),AI\left(f_2\right)\},$

(iii) $AI(f_1\odot f_2)\le min\{AI\left(f_1\right),AI\left(f_2\right)\}+1,$

(iv) $AI(f_1\circ f_2)\le AI\left(f_1\right)+1.$

Proof. 

(i)$x_1{x}_{n_1}$ is an annihilator of $f_1\square f_2$ so

$$AI(f_1\square f_2)=2.$$

(ii) If $g_1$ and $g_2$ are annihilators of $f_1$ and $f_2$ respectively, then $g_1$ and $g_2$ are annihilators of $f_1\otimes f_2$ too.

(iii) If $g_1$ and $g_2$ are annihilators of $f_1$ and $f_2$ respectively, then $x_{n_1}{g}_1$ and $x_{n_1+1}{g}_2$ are annihilators of $f_1\odot f_2$ too.

(iv) If $g_1$ is an annihilator of $f_1$, then $x_1{g}_1$ is an annihilator of $f_1\circ f_2.$ □

In the following theorem, we investigate nolinearity of these constructions.

Theorem 13.

Let $f_1\in F_{n_1}$ and $f_2\in F_{n_2}$. Then

$$\begin{array}{ccc}\hfill \left(i\right)nl(f_1\square f_2)& =& min\left\{\right|{\mathsf{\Omega }}_{f_1}|+|{\mathsf{\Omega }}_{f_2}|,2^{n_1+n_2}-|{\mathsf{\Omega }}_{f_1}|+|{\mathsf{\Omega }}_{f_2}|,2^{n_1+n_2-1}\hfill \\ & -& ma{x}_{(x,y)\ne 0}\left\{\right|W\left({\mathit{f}}_1\right)\left(x\right)+W\left(f_2\right)\left(y\right)\left|\right\}\}.\hfill \\ \hfill \left(ii\right)nl(f_1\otimes f_2)& =& min\left\{\right|{\mathsf{\Omega }}_{f_1}\left|\right|{\mathsf{\Omega }}_{f_2}|,2^{n_1+n_2}-|{\mathsf{\Omega }}_{f_1}\left|\right|{\mathsf{\Omega }}_{f_2}|,2^{n_1+n_2-1}\hfill \\ & -& ma{x}_{(x,y)\ne 0}\left\{\right|W\left({\mathit{f}}_1\right)\left(x\right)W\left(f_2\right)\left(y\right)\left|\right\}\}.\hfill \\ \hfill \left(iii\right)nl(f_1\odot f_2)& =& min\left\{\right|{\mathsf{\Omega }}_{f_1}|+|{\mathsf{\Omega }}_{f_2}|+|{\mathsf{\Omega }}_{f_1}\left|\right|{\mathsf{\Omega }}_{f_2}|,2^{n_1+n_2}\hfill \\ & -& \left(\right|{\mathsf{\Omega }}_{f_1}|+|{\mathsf{\Omega }}_{f_2}|+|{\mathsf{\Omega }}_{f_1}\left|\right|{\mathsf{\Omega }}_{f_2}\left|\right),2^{n_1+n_2-1}-ma{x}_{(x,y)\ne 0}\hfill \\ & & \left\{\right|W\left({\mathit{f}}_1\right)\left(x\right)+W\left(f_2\right)\left(y\right)+W\left({\mathit{f}}_1\right)\left(x\right)W\left(f_2\right)\left(y\right)\left|\right\}\}.\hfill \\ \hfill \left(iv\right)nl(f_1\circ f_2)& =& min\left\{2^{n_2}\right|{\mathsf{\Omega }}_{f_1}|+|{\mathsf{\Omega }}_{f_2}|,2^{n_1+n_2}-2^{n_2}|{\mathsf{\Omega }}_{f_1}|+|{\mathsf{\Omega }}_{f_2}|,\hfill \\ & & 2^{n_1+n_2-1}-max\{W\left(f_2\right)\left(x\right),2^{n_2}W\left(f_1\right)\left(y\right)+|{\mathsf{\Omega }}_{f_2}\left|\right\}\}.\hfill \end{array}$$

Proof. 

It is a straight result from Lemma 2 and the following conditions

(i)$hwt(f_1\square f_2)=|{\mathsf{\Omega }}_{f_1}+{\mathsf{\Omega }}_{f_2}|,$

(ii)$hwt(f_1\otimes f_2)=|{\mathsf{\Omega }}_{f_1}\left|\right|{\mathsf{\Omega }}_{f_2}|,$

(iii)$hwt(f_1\odot f_2)=|{\mathsf{\Omega }}_{f_1}\left|\right|{\mathsf{\Omega }}_{f_2}|+|{\mathsf{\Omega }}_{f_1}|+|{\mathsf{\Omega }}_{f_2}|,$

(iv)$hwt(f_1\circ f_2)=2^{n_2}|{\mathsf{\Omega }}_{f_1}|+|{\mathsf{\Omega }}_{f_2}|.$ □

4. Conclusions

Boolean functions have many applications in fault-tolerant distributed computing and quantum cryptographic key. The fundamental tool in analysis of cryptographic boolean functions is the Walsh spectrum. In this paper, we introduced four new constructions of cryptographic boolean functions by using Cayley graph products. These boolean functions are constructed from smaller ones and the Walsh spectrum of them can be derived by Walsh spectrum of the smaller ones. Next, we investigated the conditions of correlation, algebraic immunity and nonlinearity of these families by the smaller boolean functions. These conditions help designers to design large boolean functions with desired cryptography properties. In future works, we can apply our method for other graph products.