Construction of Boolean Functions from Hermitian Codes

Abstract

In 2005, Guillot published a method for the construction of Boolean functions using linear codes through the Maiorana–McFarland construction of Boolean functions. In this work, we present a construction using Hermitian codes, starting from the classic Maiorana–McFarland construction. This new construction describes how the set of variables is divided into two complementary subspaces, one of these subspaces being a Hermitian Code. The ideal theoretical parameters of the Hermitian code are proposed to reach desirable values of the cryptographic properties of the constructed Boolean functions such as nonlinearity, resiliency order, and order of propagation. An extension of Guillot’s work is also made regarding parameters selection using algebraic geometric tools, including explicit examples.

1. Introduction

One of the major challenges and problems today is in confusion symmetric key algorithms, which depend heavily on good cryptographic properties of Boolean functions such as nonlinearity. For example, implementing a substitution box or S-box needs nonlinear Boolean functions to resist attacks such as linear and differential cryptanalysis. Searching for Boolean functions with desirable cryptographic properties has been difficult because the search space can be huge. There are different algorithms and algebraic and heuristic constructions that allow us to find this type of function; however, these techniques can be highly complex and difficult to implement, where the result does not produce a sufficient number of these types of functions.

In [1], the author presents a good relation between Boolean functions and codes. Furthermore, in [2], the construction of bijective S-boxes from quasi-cyclic codes was shown. In 2005, Guillot [3] presented an extension of the Maiorana–McFarland method for building Boolean functions with good cryptographic properties. The classical construction splits the set of variables into two separate subsets, with a decomposition of the complete working space into two complementary vector spaces being proposed. One of these spaces is considered as a linear code and its parameters assign cryptographic properties to the constructed Boolean function. The cryptographical properties we are interested in are nonlinearity, resiliency, and propagation. Building on such an idea, in [4], a methodology to construct Boolean functions from Guillot’s ideas was presented but, in this case, using Reed–Solomon codes. In this way, from the properties of the code, the cryptographic properties of the Boolean functions that will be generated with this methodology and the number of Boolean functions with similar properties can be obtained. In this work, we follow on the same ideas of [4], a new methodology is proposed for the construction of Boolean functions using Hermitian codes and thus extends the construction of $\pi$ four to one giving the appropriate parameters for it. It theoretically bases the desirable values of the Hermitian code parameters to balance cryptographic properties such as nonlinearity, resiliency order, and propagation order.

2. Preliminaries

2.1. Boolean Function

The mathematical tool that we mainly use in this work is the Walsh–Hadamard transform. Let $n\in \mathbb{Z}$, with $n\ge 2$, and ${\mathbb{F}}_2^n$ be the n-dimensional vector space over the finite field ${\mathbb{F}}_2$. Given vectors a, $b\in {\mathbb{F}}_2^n$, we define the inner product $a·b=(a_1{b}_1\oplus \dots \oplus a_n{b}_n)$, and the sum $a\oplus b=(a_1\oplus b_1,\dots ,a_n\oplus b_n)$, where inner product, ·, and addition, ⊕ (called XOR), are over ${\mathbb{F}}_2$. A Boolean function f in n variables is a map $f:{\mathbb{F}}_2^n⟶{\mathbb{F}}_2$.The algebra of all Boolean functions on ${\mathbb{F}}_2^n$ will be denoted by ${\mathcal{B}}_n$. The polar form $\widehat{f}:{\mathbb{F}}_2^n⟶\{-1,1\}$, or sign function, of a Boolean function $f\in {\mathcal{B}}_n$, is defined by $\widehat{f}(x)={\left(-1\right)}^{f(x)}$.

2.2. Basic Definitions

For f a Boolean function, we call the support of f, and write $Sup(f)$, the set of vectors of ${\mathbb{F}}_2^n$ whose image times f is 1, i.e., $Sup(f)=\{i\in {\mathbb{F}}_2^n\mid f(i)=1\}$. If $f\in {\mathcal{B}}_n$, we call the weight of f, and we write $w(f)$, to the number of 1s from its truth table; therefore $w(f)=card(Sup(f))$. We say that a function $f\in {\mathcal{B}}_n$ is balanced if its truth table contains the same number of 0 as 1, i.e., if $w(f)=2^{n-1}$. We say that $f\in {\mathcal{B}}_n$ is an affine function if we can write it as $f(x)=⟨a,x⟩\oplus b$ for some $a\in {\mathbb{F}}_2^n$ and some $b\in {\mathbb{F}}_2$. If $b=0$, we say that f is a linear function. We denote the set of affine functions from ${\mathbb{F}}_2^n$ to ${\mathbb{F}}_2$ by ${\mathcal{A}}_n$. Let $f,g\in {\mathcal{B}}_n$, we call the distance between f and g, and write $d(f,g)$, to the weight of the function $f\oplus g$, i.e., $d(f,g)=w(f\oplus g)$. We call nonlinearity of a function $f\in {\mathcal{B}}_n$, and write ${\mathcal{N}}_{\mathbf{f}}$, to the minimum of the distances between f and any affine function, i.e., ${\mathcal{N}}_f=min\{d(f,\phi )\mid \phi \in {\mathcal{A}}_n\}$.

Definition 1.

The Walsh–Hadamard transform of a function f in ${\mathbb{F}}_2^n$ is an application $H(f):{\mathbb{F}}_2^n\to \mathbb{R}$, defined by

$$H(f)(h)=\sum _{x\in {\mathbb{F}}_2^n}f(x){(-1)}^{h·x}.$$

(1)

Theorem 1.

Let $f:{\mathbb{F}}_2^n⟶{\mathbb{F}}_2$ and $H(f)$ be the Walsh–Hadamard transform. Let S be an arbitrary subspace of ${\mathbb{F}}_2^n$ and let $S^{\perp }$ be the dual (annihilator) of S, i.e., $S^{\perp }=\{x\in {\mathbb{F}}_2^n:x·s=0,\forall s\in S\}$. Then,

$$\sum _{u\in S}H(f)(u)=2^{dim(S)}\sum _{u\in S^{\perp }}f(u).$$

(2)

Theorem 2.

The Nonlinearity of f is determined by the Walsh–Hadamard transform of f, i.e.,

$${\mathcal{N}}_f=2^{n-1}-{\displaystyle \frac{1}{2}}\underset{u\in {\mathbb{F}}_2^{{}^n}}{max}\left|H(\widehat{f})(u)\right|.$$

(3)

2.3. Cryptographic Properties of Boolean Functions

The following factors are important in the design of Boolean functions with good cryptographic properties [5,6,7]:

• Balance: An n-variables Boolean function, f, is said to be balanced if $w(f)=2^{n-1}$. Cryptographic Boolean functions must be balanced, i.e., for a uniformly random input string of bits, the probability of getting a 1 is $1/2$.
• Nonlinearity: This property reduces the effect of linear cryptanalysis attacks. As discussed before, the nonlinearity of a Boolean function can be calculated directly from the Walsh–Hadamard transform (see Theorem 2).
• Algebraic Degree: A Boolean function f can be represented as a multivariable polynomial on ${\mathbb{F}}_2$. This polynomial is called the Algebraic Normal Form (ANF) of f.
• Correlation Immunity: A Boolean function of n-variables is said to have Correlation Immunity of order l if and only if $H(\widehat{f})(u)=0$, with $1\le w(u)\le l$. A Boolean function with order of Correlation Immunity l and balanced is called l-resilient. There is a fundamental relationship between the number of variables n, the algebraic degree d, and the order of Correlation Immunity l of a function: $l+d\le n$.

In addition, there are some other important properties of Boolean functions that are used in S-boxes, such as the following two:

• Propagation Criterion: A Boolean function has Propagation Criterion of order k, $PC(k)$, if $f(x)\oplus f(x\oplus u)$ is balanced for all u with $1\le w(u)\le k$.
• Avalanche Effect: It is related to autocorrelation and is defined with respect to a specific input bit such that complementing it results in a change in the output bit with a probability of $1/2$. The Strict Avalanche Criterion (SAC) requires the avalanche effects of all input bits. A Boolean function f is said to satisfy SAC if $\left(f(x)\oplus f(x\oplus u)\right)$ is balanced for all u with $w(u)=1$

2.4. Maiorana–McFarland Construction

A classic and well-known way of building Boolean functions is the Maiorana–McFarland (MM) class, which was created to obtain Bent functions. [8,9] and has also been extended to construct resistant functions [10,11]. For $n\ge 2$ an integer, and ${\mathbb{F}}_2^n=E\oplus F$, a decomposition into two complementary vector subspaces: E of dimension p and F of dimension $q=n-p$. For any pair of maps $\pi :E⟶{\mathbb{F}}_2^n$ and $h:E⟶{\mathbb{F}}_2$ the Maiorana–McFarland (MM) construction defines a Boolean function f as follows:

$$\begin{array}{cccc}\hfill f:& E\oplus F& ⟶& {\mathbb{F}}_2\hfill \\ & x+y& \mapsto & \pi (x)·y+h(x).\hfill \end{array}$$

We note the following: the map $\pi$ is defined on ${\mathbb{F}}_2^n$, but since $\pi (x)$ is wrapped by an inner product with an F element, the value of f is invariant when $\pi (x)$ is translated by any vector of $F^{\perp }$. In this way, $\pi$ can be defined over the space ${\mathbb{F}}_2^n/F^{\perp }$, which is isomorphic to $E^{\perp }$. Thus, for any $p -$ dimensional vector subspace E of ${\mathbb{F}}_2^n$, the dual of E, denoted by $E^{\perp }$, is the $(n-p) -$ dimensional vector space of vectors that perpendicular to E, i.e., $E^{\perp }=\{u\in {\mathbb{F}}_2^n|\forall x\in E,u·x=0\}$.

3. Concatenation

Let $Q=q^h$, with $q\ge 2$, and $h\ge 1$. Consider two codes, which we call outer code and inner code. Let C be the outer code with parameters ${[N,K,D]}_Q$, and let I be the inner code with parameters ${[n,h,d]}_q$. The concatenation method [12,13] constructs a code F over ${\mathbb{F}}_q$ out of a code over ${\mathbb{F}}_Q$. The first step is to fix any isomorphism $\phi :{\mathbb{F}}_Q⟶I\subseteq {\mathbb{F}}_q^n$. Then,

$$F:=\left\{(\phi (x_1),\dots ,\phi (x_N))\right|(x_1,\dots ,x_N)\in C\}.$$

The code F has parameters ${[N·n,K·h,D·d]}_q$.

4. Goppa Codes

4.1. Basic Definitions

An algebraic function field $F/K$ of one variable over K is an extension field $F\supseteq K$ such that F is a finite algebraic extension of $K(x)$ for some element $x\in F$, which is transcendental over K [14]. A place P of the function field $F/K$ is the maximal ideal of some valuation ring of $F/K$, ${\mathbb{P}}_F:=\left\{P\right|PisaplaceofF/K\}$. A discrete valuation of $F/K$ is a function $v:F\to \mathbb{Z}\cup \{\infty \}$. The divisor group ${\mathcal{D}}_F$ of $F/K$ is defined as the free abelian group generated by the places of $F/K$. For a divisor $G\in {\mathcal{D}}_F$ we define the Riemann–Roch space associated to G by

$$\mathcal{L}(G):=\{x\in F|v_P(x)\ge -v_P(G),forallP\in {\mathbb{P}}_F\}\cup \left\{0\right\}.$$

It is well-known in the theory of error correcting codes that long block lengths, higher dimension, and a large minimum distance are necessary for the reliable transmission of information. Goppa codes provide a large family of codes with such properties. Let $F/K$ be an algebraic function field of genus g. Let $P_1,\dots ,P_n\in {\mathbb{P}}_F$, n places of degree 1 of F. We define the divisor $D:=P_1+\cdots +P_n\in {\mathcal{D}}_F$, and let $G\in {\mathcal{D}}_F$ be a divisor such that $Sup(G)\cap Sup(D)=\varnothing$. The Goppa code or algebraic code $C_{\mathcal{L}}(D,G)$ associated with the divisors D and G is defined as:

$$C_{\mathcal{L}}(D,G):=\left\{(f(P_1),\dots ,f(P_n))\right|f\in \mathcal{L}(G)\}\subseteq {\mathbb{F}}_q^n.$$

Note that all $f\in \mathcal{L}(G)$ are defined in $P_i$ ($v_{P_i}(f)\ge 0$), for $i=1,\dots ,n$, so $f(P_i)\in {\mathbb{F}}_q$. In this way, $C_{\mathcal{L}}(D,G)$ is simply the image of the space $\mathcal{L}(G)$ under the linear mapping evaluation

$$e{v}_D:\mathcal{L}(G)⟶{\mathbb{F}}_q^n,$$

given by $e{v}_D(f):=(f(P_1),\dots ,f(P_n))$. This definition is analogous to the Reed–Solomon codes [15]. In fact, in the case of the Reed–Solomon code $RS(k,q)$ we have that $F=K(x)$,

$$D=P_0+P_1+P_{\alpha }+\cdots +P_{{\alpha }^{q-2}}$$

and

$$G=m·P_{\infty },$$

where $m\in \mathbb{Z}$. It follows that $Ker(e{v}_D)=\mathcal{L}(G-D)$ so, using the Riemann–Roch theorem

$$dim(C_{\mathcal{L}}(D,G))=dim(G)-dim(G-D).$$

Now, let $f\in \mathcal{L}(G)$ be such that $d=weight(e{v}_D(f))$. Then f has exactly $n-d$ zeros $P_{i_1},\dots ,P_{i_{n-d}}\in Sup(D)$. The latter tells us that

$$f\in \mathcal{L}(G-(P_{i_1}+\dots +P_{i_{n-d}})),$$

where

$$0\le degree(G-(P_{i_1}+\dots +P_{i_{n-d}}))=degree(G)-(n-d).$$

So $d\ge n-degree(G)$. Then $C_{\mathcal{L}}(D,G)$ is a code with parameters

$${[n,dim(G)-dim(G-D),\ge n-degree(G)]}_q.$$

4.2. Goppa Codes Example

Consider the following example, let $m=3$ and $G=m·P_{\infty }$, here $degree(G)=3$. We will use as our base field the finite field of order 4 ${\mathbb{F}}_4=\{0,1,\alpha ,{\alpha }^2\}$ where ${\alpha }^2+\alpha +1=0$. Consider the function field $F:={\mathbb{F}}_4(x,y)$ with $y^2+y=x^3$. The places of degree one in ${\mathbb{P}}_F$ are: $(0,0),(0,1),(1,\alpha ),(1,{\alpha }^2),(\alpha ,\alpha ),(\alpha ,{\alpha }^2),({\alpha }^2,\alpha ),({\alpha }^2,{\alpha }^2)$. We may build a Goppa code by defining the divisors $D,G\in {\mathcal{D}}_F$ as

$$D:=(0,0)+(0,1)+(1,\alpha )+(1,{\alpha }^2)+(\alpha ,\alpha )+(\alpha ,{\alpha }^2)+({\alpha }^2,\alpha )+({\alpha }^2,{\alpha }^2),$$

and

$$G:=3·P_{\infty }.$$

The functions $1,x,y\in \mathcal{L}(G)$ constitute a basis for $\mathcal{L}(G)$. A generator matrix for the Goppa code associated with the divisors D and G is thus

$$(\begin{array}{cccccccc}1& 1& 1& 1& 1& 1& 1& 1\\ 0& 0& 1& 1& \alpha & \alpha & {\alpha }^2& {\alpha }^2\\ 0& 1& \alpha & {\alpha }^2& \alpha & {\alpha }^2& \alpha & {\alpha }^2\end{array})$$

and the generated code has parameters ${[8,3,5]}_4$.

4.3. Hermitian Codes

Throughout this section q will be a prime power, K denotes the finite field ${\mathbb{F}}_{q^2}$ and the function field $F=K(x,y)$ with

$$y^q+y=x^{q+1}.$$

(4)

is called the Hermitian function field [16].

Lemma 1

(See [16]). The Hermitian function field F has the following properties:

(a) 

F has a genus $g=q(q-1)/2$,

(b) 

F has $q^3+1$ places of degree one over ${\mathbb{F}}_{q^2}$.

Proof. 

We prove each of the properties of the Lemma as follows:

(a)

Because H is a nonsingular (see proof in [16]) plane curve of degree $q+1$, it follows, by the Riemann–Hurwitz theorem, that $g=q(q-1)/2$.

(b)

Let $P_{\infty }$ be the common pole of x and y. Furthermore, for every $\alpha \in {\mathbb{F}}_{q^2}$, there are q elements $\beta \in {\mathbb{F}}_{q^2}$ such that ${\beta }^q+\beta ={\alpha }^{q+1}$, and with respect to all pairs $\left(\alpha ,\beta \right)$ there is a single place $P_{\alpha ,\beta }\in {\mathbb{P}}_H$ of degree one with $x(P_{\alpha ,\beta })=\alpha$ and $y(P_{\alpha ,\beta })=\beta$. Thus, we have $q^3+1$ points on the Hermitian curve, denoted by $P_1,\dots ,P_{q^3}$ together with $P_{\infty }$.

□

For each $m\in {\mathbb{Z}}^{+}$, we define the m-th Hermitian code on ${\mathbb{F}}_{q^2}$ or AG code, $C_m:=C(D;m{P}_{\infty })$ whose parameters are ${[n;k_m;d_m]}_{q^2}$.

Proposition 1.

An ${\mathbb{F}}_{q^2}$-base of $\mathcal{L}(m{P}_{\infty }),m\ge 0$, is given by

$$A(m)=\{x^i{y}^j:iq+j(q+1)\le m;i\ge 0;0\le j\le q-1\}.$$

(5)

In particular, if we denote by $v(m)$ the dimension of $\mathcal{L}(m{P}_{\infty })$, we have $v(m)=\#(A(m))$.

Proof. 

The elements $1,y,\dots ,y^{q-1}$ form a basis for $F/K(x)$. In particular, for all places $P\in {\mathbb{P}}_{K(x)}$ different from $P_{\infty }$, we have $d(P_i\mid P)=v_{P_i}({\phi }^{\prime }(y)),$ where $\phi (T)=T^q+\mu T+f(x)$ is the minimal polynomial of y over $K(x)$. Observe that $\phi (T)$ is in ${\mathcal{O}}_P\left[T\right]$ for all places $P\in {\mathbb{P}}_{K(x)}$ different from $P_{\infty }$, therefore for all $Q\mid P$, we have that $v_Q({\phi }^{\prime }(y))=v_Q(\mu )=0=d(Q\mid P)$. Let $z\in \mathcal{L}(m{Q}_{\infty })$. Because $Q_{\infty }$ is the only pole of z, z is integral over ${\mathcal{O}}_P$ for all $P\in {\mathbb{P}}_{K(x)}$, with $P\ne P_{\infty }$, so $z={\sum }_{j=0}^{q-1}{z}_j{y}^j$ with $z_j\in K(x)$ and $z_j$ has no poles other than $P_{\infty }$. Therefore, $z_j$ is a polynomial in $K\left[x\right]$, i.e.,

$$z=\sum _{j=0}^{q-1}\sum _{i\ge 0}{a}_{ij}{x}^i{y}^j,$$

(6)

with $a_{ij}\in K$. The elements $x^i{y}^j$, for $0\le j\le q-1$, have pairs of different pole order because $v_{Q_{\infty }}(x)=-q$, $v_{Q_{\infty }}(y)=-(q+1)$, with q and $q+1$ being relative primes; therefore, applying the strict triangle inequality, we have $v_{Q_{\infty }}(z)=min\{-iq-(q+1)j\mid a_{ij}\ne 0\}$, therefore

$$di{m}_{{\mathbb{F}}_{q^2}}(\mathcal{L}(G))=\#\{x^i{y}^j:iq+j(q+1)\le m;i\ge 0;0\le j\le q-1\}.$$

□

Theorem 3.

Suppose that $0⩽m<q^3$. Then

$$dim{C}_m=\left\{\begin{array}{ccc}v(m)\hfill & if& m⩽q^2-q-2,\\ m+1-(q^2-q)/2\hfill & if& q^2-q-2<m<q^3.\end{array}\right.$$

Proof. 

See the proof in [16].  □

Observation: The Hermitian codes have as parameters ${\left[q^3,dim{C}_m,q^3-dim{C}_m\right]}_{q^2}$.

4.4. Hermitian Code Example

Notice that the example in the previous section corresponds to an Hermitian function field. Here we present an example with $m=6$. As before we will use ${\mathbb{F}}_4=\{0,1,\alpha ,{\alpha }^2\}$ as our base field, with ${\alpha }^2+\alpha +1=0$. Again we consider the function field $F:={\mathbb{F}}_4(x,y)$ with $y^2+y=x^3$. Recall that the places of degree one in ${\mathbb{P}}_F$ are $(0,0),(0,1),(1,\alpha ),(1,{\alpha }^2),(\alpha ,\alpha ),(\alpha ,{\alpha }^2),({\alpha }^2,\alpha ),({\alpha }^2,{\alpha }^2)$. To construct the Hermitian code $C_6$ we define the divisors $D,G\in {\mathcal{D}}_F$ as $D:=(0,0)+(0,1)+(1,\alpha )+(1,{\alpha }^2)+(\alpha ,\alpha )+(\alpha ,{\alpha }^2)+({\alpha }^2,\alpha )+({\alpha }^2,{\alpha }^2)$ and $G:=6·P_{\infty }$. The functions $\left\{1,x,x^2,x^3,y,xy\right\}$ constitute a basis for $\mathcal{L}(G)$, therefore, a generator matrix G for the Goppa code associated with the divisors D and G is given by

$$G=\left(\begin{array}{cccccccc}1& 1& 1& 1& 1& 1& 1& 1\\ 0& 0& 1& 1& \alpha & \alpha & \alpha +1& \alpha +1\\ 0& 0& 1& 1& \alpha +1& \alpha +1& \alpha & \alpha \\ 0& 0& 1& 1& 1& 1& 1& 1\\ 0& 1& \alpha & \alpha +1& \alpha & \alpha +1& \alpha & \alpha +1\\ 0& 0& \alpha & \alpha +1& \alpha +1& 1& 1& \alpha \end{array}\right).$$

The obtained code has parameters ${[8,6,2]}_4$.

5. Constructing ${\mathbf{x}}_{\mathbf{0}}$

Our proposal is determined by the order of resilience that we can and want to have in our Boolean function. As previously seen, the work fosters the basis of the Maiorana–McFarland construction. A complete description is made in [3,4].

Given a Hermitian code C with parameters ${\left[q^3,k_m=dim{C}_m,q^3-k_m\right]}_{q^2}$, which for $q=2^k$, its parameters can be written as ${\left[2^{3k},k_m=dim{C}_m,2^{3k}-k_m\right]}_{2^{2k}}$. For the isomorphism we continue with what was formalized previously, taking I as the image set of $\varphi :{\mathbb{F}}_{2^{2k}}⟶{\mathbb{F}}_2^{2k+1}$ by using a binary inner code with parameters ${\left[2k+1,2k,2\right]}_2$. So the concatenated code F has parameters ${\left[(2k+1)2^{3k},2k_m·k,2(2^{3k}-k_m)\right]}_2$. For convenience, let us denote the parameters of F by ${\left[n,q,d_F\right]}_2$. Without loss of generality, we assume our code F, which in turn will be our complementary subspace F, is systematic. The complementary subspace E will therefore have dimension $p=n-q$ and will be of the form $E=\{(x_1,x_2,\dots ,x_n)\in {\mathbb{F}}_2^n:x_1=0,x_2=0,\dots ,x_q=0\}$.

One of the properties of Boolean functions that interests us is the Propagation Criterion; in his article, Guillot showed that a Boolean function has Propagation Criterion of order k if for the lateral class $x_0+F$ where $x_0\in E$, it holds that $w(x_0+F)>>k$. In principle, because we want to find a Boolean function with $PC(k-1)$, we must select an appropriate $x_0$. Let L be a function in an Hermitian function field, a an element of ${\mathbb{F}}_{q^2}$. If $v_P(L-a)>0$ it means that P is a zero of the function $L-a$, and applying the natural map we have $(L-a)(P)=L(P)-a(P)=L(P)-a=0$, or simply $L(P)=a$. So we are looking for a function $L\in \mathcal{L}(t{P}_{\infty })$, for some $t\in \mathbb{Z}$ such that $L(P_1)=L(P_2)=\dots =L(P_q)=0$, preferably that those are its only zeros. So, function L is a linear combination of the functions of a basis for $\mathcal{L}(t{P}_{\infty })$.

5.1. Construction of $x_0$

For the construction of the required function L we rely on the Strong Approximation theorem, employing an idea that Henning gave us, which is the following: Suppose we want our $x_0$ to have t zeros in the first coordinates, here t is the dimension of the subspace F, we distinguish the following three cases:

Case 1: If $t=q^3-q^2$, we choose $i=q^2-q$ different elements ${\alpha }_1,\dots ,{\alpha }_i\in {\mathbb{F}}_{q^2}$. Then the function L may be written as

$$L=\prod _{\nu =1}^i(x-{\alpha }_{\nu }),$$

and ${\mathbb{P}}_D^{\prime }=\{({\alpha }_{\nu },\delta )\in {\mathbb{P}}_D,\delta \in {\mathbb{F}}_{q^2},\nu =1\dots i\}$. We write $D=(D^{\prime })\bigcup (D-D^{\prime })$. In this case L will have exactly $qi=t$ different zeros, $P_{\alpha ,\beta }$ of degree one, so $e{v}_D(L)$ is a vector of weight less than or equal to $q^3-t$.

Case 2: If $t<q^3-q^2$, we write $t=iq+j(q+1)$, with $i⩾0$ and $0⩽j⩽q-1$, such that $i⩽q^2-q-1$. We fix an element $0\ne \gamma \in {\mathbb{F}}_q$ and we consider the set $A=\{\alpha \in {\mathbb{F}}_{q^2}\mid {\alpha }^{q+1}\ne \gamma \}$. Then $\#A=q^2-(q+1)⩾i$, and we can select different elements ${\alpha }_1,\dots ,{\alpha }_i\in A$. We select a subset $I\subseteq Awith\#I=i$. So, the function

$$L_1=\prod _{\nu \in I}(x-{\alpha }_{\nu }),$$

has $iq$ different zeros. As a next step, we choose j different elements ${\beta }_1,\dots ,{\beta }_j\in {\mathbb{F}}_{q^2}$ with ${\beta }_{\mu }^q+{\beta }_{\mu }=\gamma$ and we define now

$$L_2=\prod _{\mu =1}^j(y-{\beta }_{\mu }),$$

then $L_2$ has $j(q+1)$ zeros, which are distinct from the zeros of $L_1$ because ${\beta }_{\mu }^q+{\beta }_{\mu }=\gamma \ne {\alpha }_{\nu }^{q+1}$ for $\mu =1,\dots ,j$ y $\nu =1,\dots ,i$. So, $L=L_1·L_2$. Furthermore, let us define the set ${\mathbb{P}}_A=\{({\alpha }_{\nu },\delta )\in {\mathbb{P}}_D,\delta \in {\mathbb{F}}_{q^2},\nu =1\dots i\}$ and ${\mathbb{P}}_B=\{(\gamma ,{\beta }_{\mu })\in {\mathbb{P}}_D,\mu =1\dots j\}$. We redefine $D=\{{\mathbb{P}}_A,{\mathbb{P}}_B,D-({\mathbb{P}}_A\cup {\mathbb{P}}_B)\}$ and we evaluate $e{v}_D(L)$, which will give us a vector with $q^3-t$ zeros in the first coordinates.

Case 3: If $q^3-q^2<t<q^3$, by assumption, $s=q^3-t$ is of polar order and $0<s<q^2⩽q^3-q^2$. Case 2 there is a function $L^{\prime }\in H$ with main divisor $(L^{\prime })=\widehat{D}-s{P}_{\infty }$ where $0⩽\widehat{D}⩽D$ and $grad(\widehat{D})=s$. The function $u=x^{q^2}-x\in H$ has divisor $(u)=D-q^3{P}_{\infty }$, therefore, $({L^{\prime }}^{-1}·u)=(D-\widehat{D})-(q^3-s)P_{\infty }=(D-\widehat{D})-(t)P_{\infty }.$ So the function $L={L^{\prime }}^{-1}·u$. As we have shown so far, we redefined $D=\widehat{D}\bigcup (D-\widehat{D}).$

Example

Take the case of the Hermitian curve $y^2+y=x^3$ over ${\mathbb{F}}_{2^2}={\mathbb{F}}_4$, the base subfield is composed of ${\mathbb{F}}_2=\{0,1\}$ and ${\mathbb{F}}_4=\{0,1,\alpha ,{\alpha }^2\}$ where ${\alpha }^2+\alpha +1=0$. The points on the curve are: $(0,0),(0,1),(1,\alpha ),(1,{\alpha }^2),(\alpha ,\alpha ),(\alpha ,{\alpha }^2),({\alpha }^2,\alpha ),({\alpha }^2,{\alpha }^2)$.

Case 1: If $t=4=2^3-2^2$ and $q=2$, then $i=2$. Just take the first two elements of ${\mathbb{F}}_4$ to build L such that $L(x)=x(x-1)=x^2+x$. Then, $ev{a}_D(L(x))=\{0,0,0,0,1,1,1,1\}$.

Case 2: We take $t=3=0·q+1·(q+1)<2^3-2^2$, such that $i=0,j=1$. So, let us define the set B for $\gamma =1$ (it is important to clarify that A is not defined because $i=0$). $B=\left\{\alpha \right\}$, and ${\mathbb{P}}_B=\{(1,\alpha ),(\alpha ,\alpha ),({\alpha }^2,\alpha )\}$. Now, from B the first to form our function L, $L(x,y)=(y-\alpha )=y+\alpha$. We redefine $D=\{{\mathbb{P}}_B,D-{\mathbb{P}}_B\}$ such that $D=\{(1,\alpha ),(\alpha ,\alpha ),({\alpha }^2,\alpha ),(0,0),(0,1),(1,{\alpha }^2),(\alpha ,{\alpha }^2),({\alpha }^2,{\alpha }^2)\}$ and $e{v}_D(L(x,y))=\{0,0,0,\alpha ,{\alpha }^2,1,1,1\}.$

Case 3: Let us assume $t=5>2^3-2^2$, so $s=8-5=3$ and Case 2 applies but with $s=3$, which we already have built from the previous example. Then, $L^{\prime }(y)=(y+\alpha )$. Now $D^{\prime }={\mathbb{P}}_B=\{(1,\alpha ),(\alpha ,\alpha ),({\alpha }^2,\alpha )\}$. We redefine $D=\{{\mathbb{P}}_B,D-{\mathbb{P}}_B\}$ and thus $e{v}_D(L^{\prime }(y))=\{0,0,0,\alpha ,{\alpha }^2,1,1,1\}$. We define $L(x,y)=\frac{x^4+x}{L^{\prime }(y)}=\frac{x^4+x}{(y-\alpha )}$ and redefine $D=\{D-D^{\prime },D^{\prime }\}=\{(0,0),(0,1),(1,{\alpha }^2),(\alpha ,{\alpha }^2),({\alpha }^2,{\alpha }^2),(1,\alpha ),(\alpha ,\alpha ),({\alpha }^2,\alpha )\}$ and therefore $e{v}_D(L(x,y))=\{0,0,0,0,0,1,1,1\}$.

6. Construction of $\pi$ and h

Lemma 2.

If $w\in {\mathbb{F}}_2^n$, we have that

$$\sum _{w\in {\mathbb{F}}_2^n}{(-1)}^{u·w}=\left\{\begin{array}{ccc}{2}^n,\hfill & if& w=0\\ 0,\hfill & & inothercase\end{array}\right.$$

Proof. 

First, if $w=0$, then all the addends are 1. Now, let us assume that $w\ne 0$, and consider the hyperplanes $H=\{u\in {\mathbb{F}}_2^n:u·w=0\}$, $\overline{H}=\{u\in {\mathbb{F}}_2^n:u·w=1\}$. These hyperplanes generate a partition of ${\mathbb{F}}_2^n$. On the other hand, for any $u\in H$, the sum is 1, and for any $u\in \overline{H}$, the sum is $-1$. Since the cardinalities of H and $\overline{H}$ are the same, that is, $2^{n-1}$, we have proven the Lemma. □

Theorem 4.

Given p and q with $p+q=n$ and $1\le p<n$, we define $z=(z_1,\dots ,z_n)\in {\mathbb{F}}_2^n$, $x\in E$ and $y\in F$ such that ${\mathbb{F}}_2^n=E\oplus F$ with $dim(E)=p$ and $dim(F)=q$. In addition, we have the construction of MM, we define the Boolean function $f(z)$ by $f(z)=f(x,y)=\pi (x)·y+h(x)$, with $\pi :E⟶E^{\perp }$. Let

$$\lambda =min\{w(\pi (x)):x\in E\}\ge 1.$$

(7)

Then $f(x)$ has a resilience of order l with $l\ge \lambda -1$.

Proof. 

Recall that a Boolean function has resilience of order l if $H(\widehat{f})(u)=0$, with $0\le w(u)\le l$. We have

$$\sum _{z\in {\mathbb{F}}_2^n}{(-1)}^{f(z)}=\sum _{x\in E}{(-1)}^{h(x)}\sum _{y\in F}{(-1)}^{\pi (x)·y}=0,$$

since adding over y is always zero because $\pi (x)\ne 0$ by Definition 1 and using Lemma 2. So, $f(z)$ is balanced. For any $l⩽\lambda -1$ and any choice u with $1\le w(u)\le l$, we have

$$\begin{array}{cc}\hfill H(\widehat{f})(u)& =\sum _{\left(x,y\right)\in E\times F}{\left(-1\right)}^{\pi (x)·y+h(x)+u·(x+y)},\hfill \\ \hfill & =\sum _{x\in E}{\left(-1\right)}^{h(x)+u·x}\sum _{y\in F}{\left(-1\right)}^{(\pi (x)+u)·y}.\hfill \end{array}$$

(8)

Since $w(u)\le l$ and $w(\pi (x))\ge \lambda \ge l+1$, we obtain $\pi (x)\oplus u\ne 0$, so you add them over y are zero. So $H(\widehat{f})(u)=0$ for all u with $0\le w(u)\le l$, therefore, f has resilience of order l. □

Theorem 5.

Let $n,p,q\in {\mathbb{Z}}^{+}$. Consider $t_u=\#\{x\in E\mid \pi (x)=u\}$ and $t={max}_u{t}_u$. Then

$${\mathcal{N}}_f=2^{n-1}-t{2}^{q-1},$$

where f has an MM construction.

Proof. 

How $f(x,y)=\pi (x)·y+h(x)$ have MM construction. We have the mappings: $\pi :E\to E^{\perp }$, with $h:E\to {\mathbb{F}}_2$, and $dim(E)=dim(F^{\perp })=p$, $dim(F)=dim(E^{\perp })=q$ and $n=p+q$. By definition of Walsh–Hadamard transform, for any $w\in {\mathbb{F}}_2^n,w=u+v$, where $u\in E^{\perp },v\in F^{\perp }$, and expression (8). Now, if $\pi (x)=u$, the sum on the right is $2^q$ and and it will be zero otherwise. So that,

$$H(\widehat{f})(u)=2^q\sum _{\{x\in E\mid \pi (x)=u\}}{\left(-1\right)}^{h(x)+v·x}.$$

In this way, ${max}_w|H(\widehat{f})(w)|={max}_{u,v}|H(\widehat{f})(u,v)|=2^{q}ma{x}_u{t}_u=t{2}^q$. By the Theorem 2, we substitute

$${\mathcal{N}}_f=2^{n-1}-{\displaystyle \frac{1}{2}}\underset{w\in {\mathbb{F}}_2^{{}^n}}{max}\left|H(\widehat{f})(w)\right|=2^{n-1}-{\displaystyle \frac{1}{2}}t{2}^q=2^{n-1}-t{2}^{q-1}.$$

□

Theorem 6

([17]). Given $n,k\in {\mathbb{Z}}^{+}$ such that $n\ge 4,1\le k\le n-3$, and any $t\in {\mathbb{Z}}^{+}$, let $q_t$ be the smallest q such that

$$t\left\{\left(\genfrac{}{}{0pt}{}{q}{l+1}\right)+\left(\genfrac{}{}{0pt}{}{q}{l+2}\right)+\cdots +\left(\genfrac{}{}{0pt}{}{q}{q}\right)\right\}\ge 2^{n-q},$$

then $2^{q_1}\le t{2}^{q_t}$, i.e., $min\{t{2}^{q_t}\mid t=1,2,\cdots \}=2^{q_1}.$

To prove the above theorem, we need some lemmas. The following motto is well-known and we will omit its demonstration.

Lemma 3.

For $n,k\in {\mathbb{Z}}^{+}$, we have the following equality

$$\left(\genfrac{}{}{0pt}{}{n}{k}\right)=\left(\genfrac{}{}{0pt}{}{n-1}{k}\right)+\left(\genfrac{}{}{0pt}{}{n-1}{k-1}\right).$$

Lemma 4.

For $n,k\in {\mathbb{Z}}^{+}$, we have the following inequality

$$2\left\{\left(\genfrac{}{}{0pt}{}{n}{k+1}\right)+\left(\genfrac{}{}{0pt}{}{n}{k+2}\right)+\cdots +\left(\genfrac{}{}{0pt}{}{n}{n}\right)\right\}\le \left(\genfrac{}{}{0pt}{}{n+1}{k+1}\right)+\left(\genfrac{}{}{0pt}{}{n+1}{k+2}\right)+\cdots +\left(\genfrac{}{}{0pt}{}{n+1}{n+1}\right).$$

Proof. 

By Lemma 3, we have

$$\begin{array}{cc}\hfill \left(\genfrac{}{}{0pt}{}{n+1}{k+1}\right)+\left(\genfrac{}{}{0pt}{}{n+1}{k+2}\right)+\cdots +\left(\genfrac{}{}{0pt}{}{n+1}{n}\right)+\left(\genfrac{}{}{0pt}{}{n+1}{n+1}\right)& =\hfill \\ \hfill \left\{\left(\genfrac{}{}{0pt}{}{n}{k+1}\right)+\left(\genfrac{}{}{0pt}{}{n}{k}\right)\right\}+\left\{\left(\genfrac{}{}{0pt}{}{n}{k+2}\right)+\left(\genfrac{}{}{0pt}{}{n}{k+1}\right)\right\}+\cdots +\left\{\left(\genfrac{}{}{0pt}{}{n}{n}\right)+\left(\genfrac{}{}{0pt}{}{n}{n-1}\right)\right\}+\left(\genfrac{}{}{0pt}{}{n+1}{n+1}\right)& .\hfill \end{array}$$

Regrouping we have

$$\begin{array}{c}\hfill \left\{\left(\genfrac{}{}{0pt}{}{n}{k+1}\right)+\left(\genfrac{}{}{0pt}{}{n}{k+2}\right)+\cdots +\left(\genfrac{}{}{0pt}{}{n}{n}\right)\right\}+\left\{\left(\genfrac{}{}{0pt}{}{n}{k+1}\right)+\dots +\left(\genfrac{}{}{0pt}{}{n}{n-1}\right)+\left(\genfrac{}{}{0pt}{}{n}{n}\right)\right\}+\left(\genfrac{}{}{0pt}{}{n}{k}\right)\\ \hfill =2\left\{\left(\genfrac{}{}{0pt}{}{n}{k+1}\right)+\left(\genfrac{}{}{0pt}{}{n}{k+2}\right)+\cdots +\left(\genfrac{}{}{0pt}{}{n}{n}\right)\right\}+\left(\genfrac{}{}{0pt}{}{n}{k}\right).\end{array}$$

□

Lemma 5.

If $q\ge q_t$, then

$$t\left\{\left(\genfrac{}{}{0pt}{}{q}{l+1}\right)+\left(\genfrac{}{}{0pt}{}{q}{l+2}\right)+\cdots +\left(\genfrac{}{}{0pt}{}{q}{q}\right)\right\}\ge 2^{n-q}.$$

Proof. 

By the definition of $q_t$,

$$t\left\{\left(\genfrac{}{}{0pt}{}{q_t}{l+1}\right)+\left(\genfrac{}{}{0pt}{}{q_t}{l+2}\right)+\cdots +\left(\genfrac{}{}{0pt}{}{q_t}{q_t}\right)\right\}\ge 2^{n-q_t}.$$

Then, for $q\ge q_t$,

$$\begin{array}{cc}\hfill t\left\{\left(\genfrac{}{}{0pt}{}{q}{l+1}\right)+\left(\genfrac{}{}{0pt}{}{q}{l+2}\right)+\cdots +\left(\genfrac{}{}{0pt}{}{q}{q_t}\right)+\cdots +\left(\genfrac{}{}{0pt}{}{q}{q}\right)\right\}& \ge \hfill \\ \hfill t\left\{\left(\genfrac{}{}{0pt}{}{q_t}{l+1}\right)+\left(\genfrac{}{}{0pt}{}{q_t}{l+2}\right)+\cdots +\left(\genfrac{}{}{0pt}{}{q_t}{q_t}\right)\right\}& \ge 2^{n-q_t}\ge 2^{n-q}.\hfill \end{array}$$

□

Now, let us prove Theorem 6.

Proof. 

If $t=1$, then $t{2}^{q_t}=2^{q_1}$. So let us show that $t{2}^{q_t}\ge 2^{q_1}$ when $t\ge 2$. If $t\ge 2$, then there exists an $r\ge 1$ such that $2^r\le t<2^{r+1}$. If $q_1-r\le q_t$, then $t{2}^{q_t}\ge t{2}^{q_1-r}\ge 2^r{2}^{q_1-r}=2^{q_1}$, the proof is completed if $q_1-r\le q_t$.

□

6.1. $\pi$ One-to-One

Following the ideas presented in [4], we observe that we need to have all the values of $\pi (E)$ available. For $u\in E^{\perp }$, we will construct the lateral class $u+F^{\perp }$ and compute the minimum weight of this class for each u. Let us store these weights in the set $U(l)=\{u\in E^{\perp }:w(u+F^{\perp })\ge l\}$. In order to build $\pi$ one by one, we should have that $q>p$, since we want our Boolean function to be balanced. To construct a Boolean function with a high resilience of $(l-1)$-order, we must take care of the cardinality of $U(l)\ge 2^p$. We then construct the image of $\pi (E)$, $2^p$ nonzero elements of $U(l)$, and we assign it randomly. Likewise, for $h(E)$, we randomly generate its values using any pseudo-random number generator.

Theorem 7.

For $f\in {\mathbb{B}}_n$, the maximum nonlinearity of f is ${\mathcal{N}}_f=2^{n-1}-2^{q_1-1}$, and it can obtained if $t=1$.

Proof. 

By the definition of $\pi$, t and q satisfy the following inequality:

$$t\left\{\left(\genfrac{}{}{0pt}{}{n-q}{l+1}\right)+\left(\genfrac{}{}{0pt}{}{n-q}{l+2}\right)+\cdots +\left(\genfrac{}{}{0pt}{}{n-q}{n-q}\right)\right\}\ge 2^q,$$

or

$$t\left\{\left(\genfrac{}{}{0pt}{}{q}{l+1}\right)+\left(\genfrac{}{}{0pt}{}{q}{l+2}\right)+\cdots +\left(\genfrac{}{}{0pt}{}{q}{q}\right)\right\}\ge 2^{n-q}.$$

The maximum of nonlinearity is obtained if q is the smallest value satisfying the previous equation. That is to say, $ma{x}_t{\mathcal{N}}_f=ma{x}_t{\mathcal{N}}_f=2^{n-1}-t{2}^{q_t-1}=2^{n-1}-mi{n}_{t}t{2}^{q_t-1}=2^{n-1}-2^{q_1-1}.$ □

Lemma 6.

Let $n,l,q_1$ be given as in Theorem 7. Then $q_1\ge ⌈\frac{n}{2}⌉+1.$

Proof. 

By the definition of $q_1$,

$$\left(\genfrac{}{}{0pt}{}{q_1}{l+1}\right)+\left(\genfrac{}{}{0pt}{}{q_1}{l+2}\right)+\cdots +\left(\genfrac{}{}{0pt}{}{q_1}{q_1}\right)\ge 2^{n-q_1}.$$

In this way

$$\begin{array}{c}\hfill \left(\genfrac{}{}{0pt}{}{q_1}{0}\right)+\left(\genfrac{}{}{0pt}{}{q_1}{1}\right)+\cdots +\left(\genfrac{}{}{0pt}{}{q_1}{l}\right)+\left(\genfrac{}{}{0pt}{}{q_1}{l+1}\right)+\left(\genfrac{}{}{0pt}{}{q_1}{l+2}\right)+\cdots +\left(\genfrac{}{}{0pt}{}{q_1}{q_1}\right)\ge \\ \hfill \left(\genfrac{}{}{0pt}{}{q_1}{0}\right)+\left(\genfrac{}{}{0pt}{}{q_1}{1}\right)+\cdots +\left(\genfrac{}{}{0pt}{}{q_1}{l}\right)+2^{n-q_1},\end{array}$$

and

$$2^{q_1}\ge \left(\genfrac{}{}{0pt}{}{q_1}{0}\right)+\left(\genfrac{}{}{0pt}{}{q_1}{1}\right)+\cdots +\left(\genfrac{}{}{0pt}{}{q_1}{l}\right)+2^{n-q_1},$$

leading to

$$2^{q_1}-2^{n-q_1}\ge \left(\genfrac{}{}{0pt}{}{q_1}{0}\right)+\left(\genfrac{}{}{0pt}{}{q_1}{1}\right)+\cdots +\left(\genfrac{}{}{0pt}{}{q_1}{l}\right).$$

Since the right hand side of the above inequality is positive, $q_1>n-q_1\Rightarrow 2q_1>n\Rightarrow q_1\ge ⌈\frac{n}{2}⌉+1.$ □

Theorem 8.

Let $n\in 2\mathbb{Z}$, with $n\ge 4$, and let $q_1=\frac{n}{2}+1$. Then the nonlinearity of f is ${\mathcal{N}}_f=2^{n-1}-2^{\frac{n}{2}}.$

Proof. 

The proof is simple, just substitute the value of $q_1=\frac{n}{2}+1$ in Theorem 7. □

Corollary 1.

If $n\in 2\mathbb{Z}$, and ${\mathcal{N}}_f=2^{n-1}-2^{\frac{n}{2}}$, then the upper bound of the correlation immunity order is

$$l\le ⌊\frac{n}{4}+0.238468\sqrt{n+2}⌋.$$

Proof. 

Let us start with the fact that the Theorem 7 we had obtained that,

$$\left(\genfrac{}{}{0pt}{}{q_1}{l+1}\right)+\left(\genfrac{}{}{0pt}{}{q_1}{l+2}\right)+\cdots +\left(\genfrac{}{}{0pt}{}{q_1}{q_1}\right)\ge 2^{n-q_1}.$$

We substitute $q_1=\frac{n}{2}+1$ and we have

$$\left(\genfrac{}{}{0pt}{}{\frac{n}{2}+1}{l+1}\right)+\left(\genfrac{}{}{0pt}{}{\frac{n}{2}+1}{l+2}\right)+\cdots +\left(\genfrac{}{}{0pt}{}{\frac{n}{2}+1}{\frac{n}{2}+1}\right)\ge 2^{\frac{n}{2}-1}.$$

(9)

Recall a classic fact from statistics: If X is a random variable and has a binomial distribution, i.e., $X\sim B\left(n,\frac{1}{2}\right)$ where n is the number of Bernoulli trials then,

$$P(X\ge l)=\sum _{k=l}^n\left(\genfrac{}{}{0pt}{}{n}{k}\right){\left(\frac{1}{2}\right)}^n.$$

If we have that $X\sim B\left(\frac{n}{2}+1,\frac{1}{2}\right)$, then

$$P(X\ge l+1)=\sum _{k=l+1}^{\frac{n}{2}+1}\left(\genfrac{}{}{0pt}{}{\frac{n}{2}+1}{k}\right){\left(\frac{1}{2}\right)}^{\frac{n}{2}+1}={\left(\frac{1}{2}\right)}^{\frac{n}{2}+1}\sum _{k=l+1}^{\frac{n}{2}+1}\left(\genfrac{}{}{0pt}{}{\frac{n}{2}+1}{k}\right).$$

Thus we have that

$$2^{\frac{n}{2}+1}P(X\ge l+1)=\sum _{k=l+1}^{\frac{n}{2}+1}\left(\genfrac{}{}{0pt}{}{\frac{n}{2}+1}{k}\right).$$

If we assume the fact that $P(X\ge l+1)\ge \frac{1}{4}$ we have that

$$\sum _{k=l+1}^{\frac{n}{2}+1}\left(\genfrac{}{}{0pt}{}{\frac{n}{2}+1}{k}\right)\ge 2^{\frac{n}{2}-1}.$$

That is, when $P(X\ge l+1)\ge \frac{1}{4}$, we have the desired inequality.

As $P(X\ge l+1)=1-P(X<l+1)=1-P(X\le l)\ge \frac{1}{4}\Rightarrow P(X\le l)\le \frac{3}{4}$. Recall that de Moivre showed that when certain conditions are met, a binomial distribution can be approximated to a normal distribution of mean $\mu =n·a$ and standard deviation $\sigma =\sqrt{n·a·b}$, i.e., $X\sim B(n,a)\cong N(n·a,\sqrt{n·a·b})$, where n is the sample size and $a=1-b$. The goodness of the approximation is the better the larger $n\ge 10$ and the closer is to of $0.5$ with a correction of $-\frac{1}{2}$ because it is fitting a discrete distribution to a continuous one. We decided to give an approximation with the normal distribution $B\left(\frac{n}{2}+1,\frac{1}{2}\right)\cong N\left(\frac{n}{4}+\frac{1}{2},\sqrt{\frac{n}{8}+\frac{1}{4}}\right),$ i.e., $X\sim N\left(\frac{n}{4}+\frac{1}{2},\sqrt{\frac{n}{8}+\frac{1}{4}}\right)$, and we want to see which quartile satisfies that $P(X\le l)\le \frac{3}{4}$, and gives that $l\le ⌊\frac{n}{4}+0.238468\sqrt{n+2}⌋$. □

6.2. $\pi$ Two-to-One

In this case the methodology is different. We observe that we need to have all the values of $\pi (E)$ for $u\in E^{\perp }$. We will build the lateral class $u+F^{\perp }$, where the same lateral class is divided into two parts according to the linear function

$$v\mapsto v·x_0.$$

We define $E_0=\{v\in u+F^{\perp }\mid v·x_0=0\}$ and $E_1=\{v\in u+F^{\perp }\mid v·x_0=1\}$. We calculate the minimum weight of $E_0$ and $E_1$, and denote them $w(E_0)$ and $w(E_1)$, respectively. For each $u\in E^{\perp }$ we determine $w(E_0)$ and $w(E_1)$. If we want to construct a Boolean function $(l-1)$-resilient, we need $max\{w(E_0),w(E_1)\}\ge l$. Then we save u with this property, i.e., we save the pair $(u,0/1)$, where $0/1$ corresponds to the fact where the maximum is reached in $E_0$ or $E_1$. After that, we define the h function and call this set $U_l$. It is clear that $U_l\subseteq E^{\perp }$. With these elements of $U_l$ we will build the image of $\pi (E)$ and the image of $h(E)$. As in the previous section, we must take care that the cardinality of $2^p\ge U_l\ge 2^{p-1}$.

Proposition 2.

The optimal value of l, when $2^p\ge U_l\ge 2^{p-1}$, is given by

$$\sum _{i=1}^{q_2}\left(\genfrac{}{}{0pt}{}{q_2}{l+i}\right)\ge 2^{n-q_2-1}.$$

Proof. 

This happens due to the fact of the Theorem 5, since $\pi$ is two to one, $t=2$. If we substitute this value in the results of Theorem 5 and in Lemma 5, we have that ${\mathcal{N}}_f=2^{n-1}-2^{q_2}$ and ${\sum }_{i=1}^{q_2}\left(\genfrac{}{}{0pt}{}{q_2}{l+i}\right)\ge 2^{n-q_2-1}.$ □

Using part of the proof of Lemma 5, to estimate $q_2$, as $t=2$ and $r=1$, then $q_1-1<q_2$, we had previously calculated $q_1\ge \frac{n}{2}+1$, this implies that $q_2\ge \frac{n}{2}$. If we take $q_2=\frac{n}{2}$,

$$\left\{\left(\genfrac{}{}{0pt}{}{\frac{n}{2}}{l+1}\right)+\left(\genfrac{}{}{0pt}{}{\frac{n}{2}}{l+2}\right)+\cdots +\left(\genfrac{}{}{0pt}{}{\frac{n}{2}}{\frac{n}{2}}\right)\right\}\ge 2^{\frac{n}{2}-1}.$$

(10)

Corollary 2.

If $n\in 2\mathbb{Z}$ and ${\mathcal{N}}_f=2^{n-1}-2^{\frac{n}{2}}$, then the upper bound of the correlation immunity order is

$$l\le ⌊\frac{n}{4}-\frac{1}{2}⌋.$$

Proof. 

Following the procedure from the previous section to find a bound for the value of resilience using statistics and find the uneven from the binomial distribution. If X is a random variable and has a binomial distribution, i.e., $X\sim B\left(\frac{n}{2},\frac{1}{2}\right)$ where $\frac{n}{2}$ is the number of Bernoulli trials then,

$$P(X\ge l+1)=\sum _{k=l+1}^{\frac{n}{2}}\left(\genfrac{}{}{0pt}{}{\frac{n}{2}}{k}\right){\left(\frac{1}{2}\right)}^{\frac{n}{2}}.$$

We have

$$2^{\frac{n}{2}}P(X\ge l+1)=\sum _{k=l+1}^{\frac{n}{2}}\left(\genfrac{}{}{0pt}{}{\frac{n}{2}}{k}\right).$$

If we assume the fact that $P(X\ge l+1)\ge \frac{1}{2}$, we have that

$$\sum _{k=l+1}^{\frac{n}{2}}\left(\genfrac{}{}{0pt}{}{\frac{n}{2}}{k}\right)\ge 2^{\frac{n}{2}-1},$$

i.e., when $P(X\ge l+1)\ge \frac{1}{2}$, we have the desired inequality, as $P(X\ge l+1)=1-P(X<l+1)=1-P(X\le l)\ge \frac{1}{2}\Rightarrow P(X\le l)\le \frac{1}{2}$.

We decided to give an approximation with the normal distribution $B\left(\frac{n}{2},\frac{1}{2}\right)\cong N\left(\frac{n}{4},\sqrt{\frac{n}{8}}\right)$, i.e., $X\sim N\left(\frac{n}{4},\sqrt{\frac{n}{8}}\right)$ and we want to see which quartile satisfies that $P(X\le l)\le \frac{1}{2}$, and gives that $l\le ⌊\frac{n}{4}-\frac{1}{2}⌋$. □

From the set $U_l$, let us take exactly $2^{p-1}$, and let none of them be the zero element to ensure the balance. We construct the image of $\pi$ in such a way that $\pi (x)=\pi (x+x_0)$. The construction of h is carried out in such a way that the value of $h(x)$ is random and the value of $h(x+x_0)=h(x)+h_u$, the value $h_u$ is associated to the image value of $\pi (x)=u$. On the other hand, if the vector space F and the lateral class $x_0+F$ have minimum weight k, then f satisfies $PC(k-1)$.

6.3. $\pi$ Four-to-One

We assume that $\pi$ is a four-to-one mapping, i.e., for any $u\in \pi (E)$, the preimage ${\pi }^{-1}(u)$ contains exactly four elements. This implies that $p+3\ge q$. We will first examine the Walsh–Hadamard Transform of f in such a case. Since any quartet $\{t,x_0+t,y_0+t,x_0+y_0+t\}$ is a two-dimensional affine subspace, the proposition is applicable. With the notation of the statement, $⟨V_u⟩$ is the vector space $\{0,t\}$ and for any $v\in F^{\perp }$,

$$\begin{array}{cc}\hfill H(\widehat{h_u})(v)& ={(-1)}^{h(t)+v·t}+{(-1)}^{h(x_0+t)+v·(x_0+t)}+{(-1)}^{h(y_0+t)+v·(y_0+t)}+{(-1)}^{h(x_0+y_0+t)+v·(x_0+y_0+t)}\hfill \\ \hfill & =\left\{\begin{array}{c}0\hfill \\ \pm 2\hfill \\ \pm 4\hfill \end{array}\right.\hfill \end{array}$$

For convenience, we want to build a Boolean function as optimal as possible, so we will take the values in our opinion the most favorable and without losing generality, we have that the Walsh–Hadamard transform of f is expressed, for any $u\in E^{\perp }$ and any $v\in F^{\perp }$, in the following way

$$H(\widehat{f})(u+v)=\left\{\begin{array}{ccc}0\hfill & ,if\hfill & {\pi }^{-1}=\varnothing orinanothercase\hfill \\ \pm 2^{q+1}\hfill & ,if\hfill & (h(t)+h(x_0+t)=v·x_0)\wedge (h(x_0+t)+h(x_0+y_0+t)\ne v·x_0)\hfill \end{array}\right.$$

We assume that our affine subspace is $\{t,x_0+t,y_0+t,x_0+y_0+t\}$, where $t\in ⟨V⟩$ is of dimension two, for the construction of $\pi$ and h.

For $u\in E^{\perp }$, we construct the lateral class $u+F^{\perp }$, the same lateral class is divided into two parts according to the linear functional

$$v\mapsto v·x_0.$$

We define $E_0=\{v\in u+F^{\perp }\mid v·x_0=0\}$ and $E_1=\{v\in u+F^{\perp }\mid v·x_0=1\}$. We calculate the minimum weight of $E_0$ and $E_1$, we will denote it by $w(E_0)$ and $w(E_1)$ For each $u\in E^{\perp }$ we determine $w(E_0)$ and $w(E_1)$, if we want to construct a Boolean function $(l-1)$-resilient, we need $max\{w(E_0),w(E_1)\}\ge l$ and also $w(E_0)\ge l$ and $w(E_1)\ge l$. Then we save u with this property, i.e., we save the pair $(u,0/1)$ to define the function h later, we will call this set $U_l$, it is clear that $U_l\subseteq E^{\perp }$. With these elements of $U_l$ we will build the image of $\pi (E)$ and the image of $h(E)$. As in the previous section, we must take care that the cardinality of $2^p>U_l\ge 2^{p-2}$.

Proposition 3.

The optimal value of l, when $2^p>U_l\ge 2^{p-2}$, is given by

$$\sum _{i=1}^q\left(\genfrac{}{}{0pt}{}{q}{l+i}\right)\ge 2^{n-q-2}.$$

Proof. 

This happens due to the fact derived from Theorem 5, since $\pi$ is four-to-one, $t=4$. If we substitute this value in the results of Theorem 5 and in Lemma 5, we have ${\mathcal{N}}_f=2^{n-1}-2^{q_4+1}$ and

$$\sum _{i=1}^{q_4}\left(\genfrac{}{}{0pt}{}{q_4}{l+i}\right)\ge 2^{n-q_4-2}.$$

□

Using part of the proof from Lemma 5, to estimate $q_4$, as $t=4$ and $r=2$, then $q_1-2<q_4$, we had previously calculated $q_1\ge \frac{n}{2}+1$. This implies that $q_4\ge \frac{n}{2}-1$, but we want $p\le q$, so for the inequality of Lemma 5, we will use $q_4=\frac{n}{2}$. If we take $q_4=\frac{n}{2}$ and substitute, then we have

$$\left\{\left(\genfrac{}{}{0pt}{}{\frac{n}{2}}{l+1}\right)+\left(\genfrac{}{}{0pt}{}{\frac{n}{2}}{l+2}\right)+\cdots +\left(\genfrac{}{}{0pt}{}{\frac{n}{2}}{\frac{n}{2}}\right)\right\}\ge 2^{\frac{n}{2}-2}.$$

Corollary 3.

If $n\in 2\mathbb{Z}$ and ${\mathcal{N}}_f=2^{n-1}-2^{\frac{n}{2}}$, then the upper bound of the correlation immunity order is given by

$$l\le ⌊\frac{n}{4}+0.238468\sqrt{n}-\frac{1}{2}⌋.$$

Proof. 

Following the procedure from the previous construction to find a bound for the resilience value using statistics and find the uneven from the binomial distribution. If X is a random variable and has a binomial distribution, i.e., $X\sim B(\frac{n}{2},\frac{1}{2})$ where $\frac{n}{2}$ is the number of Bernoulli trials then,

$$P(X\ge l+1)=\sum _{k=l+1}^{\frac{n}{2}}\left(\genfrac{}{}{0pt}{}{\frac{n}{2}}{k}\right){\left(\frac{1}{2}\right)}^{\frac{n}{2}}.$$

It remains that

$$2^{\frac{n}{2}}P(X\ge l+1)=\sum _{k=l+1}^{\frac{n}{2}}\left(\genfrac{}{}{0pt}{}{\frac{n}{2}}{k}\right).$$

If we assume the fact that $P(X\ge l+1)\ge \frac{1}{4}$ we have that

$$\sum _{k=l+1}^{\frac{n}{2}}\left(\genfrac{}{}{0pt}{}{\frac{n}{2}}{k}\right)\ge 2^{\frac{n}{2}-2},$$

i.e., when $P(X\ge l+1)\ge \frac{1}{4}$ we have the desired inequality. Since $P(X\ge l+1)=1-P(X<l+1)=1-P(X\le l)\ge \frac{1}{4}\Rightarrow P(X\le l)\le \frac{3}{4}.$

We decided to give an approximation with the normal distribution $B\left(\frac{n}{2},\frac{1}{2}\right)\cong N\left(\frac{n}{4},\sqrt{\frac{n}{8}}\right)$, i.e., $X\sim N\left(\frac{n}{4},\sqrt{\frac{n}{8}}\right)$, and we want to see which curtail satisfies that $P(X\le l)\le \frac{3}{4}$, and gives us that $l\le ⌊\frac{n}{4}+0.238468\sqrt{n}-\frac{1}{2}⌋$. □

From the set $U_l$, let us take exactly $2^{p-2}$, and let none of them be the zero element to ensure the balance. We construct the image of $\pi$ in such a way that $\pi (t)=\pi (t+x_0)=\pi (t+y_0)=\pi (t+x_0+y_0)$. The construction of h is carried out in such a way that the values of $h(t)$ and $h(t+y_0)$ are random. The values of $h(t+x_0)=h(t)+h_u$ and $h(t+x_0+y_0)=h(t+y_0)+h_u+1$, the value $h_u$ is associated with the value from the image of $\pi (t)=u$. As previously, if the vector space F and the lateral class $x_0+F$ have minimum weight k, then f satisfies $PC(k-1)$.

6.4. Boolean Functions from $C_{\mathcal{L}}(D,G)$

Let $C_{\mathcal{L}}(D,G)$ be a code with parameters

$${[n,dim(G)-dim(G-D),\ge n-degree(G)]}_q.$$

For our construction of Boolean functions, we will use a concatenated Hermitian code. Let $C_{\mathcal{L}}(D,G)$, which is our outer code. Let I be the all even-weight codewords, then with parameters ${\left[k+1,k,2\right]}_2$. After concatenation, we obtain a code F with parameters

$${\left[n(k+1),k·(dim(G)-dim(G-D)),2(n-degree(G))\right]}_2.$$

We will use our code F as the main ingredient to the MM construction, obtaining a new family of Boolean functions, in $n(k+1)$ variables.

7. Conclusions

In this work, the methodology for constructing Boolean functions from Hermitian codes using the MM construction has first been presented. Further, the way to build $x_0$ has been given from the Strong Approximation Theorem on a Hermitian field. Moreover, we have established the optimal parameters based on the dimension of the Hermitian code and, on this, adjust the value of resilience to build cryptographically strong Boolean functions. Furthermore, a complete description is made of what the parameters of the Hermitian code should be, in order to select the appropriate $\pi$, and thus the much-desired Boolean functions. Desirable cryptographic properties given the chosen construct were carefully reviewed. We established what the optimal parameters are in order to find the Boolean functions according to the Hermitian code. Thus, it will be possible to know when the functions will be balanced and what propagation order criteria they will have; thus, it will be possible to know the order of nonlinearity and resilience.