Novel Approach to Degree, Balancedness, and Affine Equivalence of Boolean Functions and Construction of a Special Class of Non-Quadratic Balanced Boolean Functions

Abstract

In several stream cipher designs, Boolean functions (BFs) play a crucial role as non-linear components, either serving as filtering functions or being used within the combining process. The overall strength of stream ciphers mainly depends on certain cryptographic properties of BFs, including their balancedness, non-linearity, resistance to correlation, and algebraic degrees. In this paper, we present novel findings related to the algebraic degrees of BFs, which play an important role in the design of symmetric cryptographic systems, and propose a novel algorithm to directly deduce the algebraic degree of a Boolean function (BF) from its truth table. We also explore new results concerning balanced Boolean functions, specifically characterizing them by establishing new results regarding their support. Additionally, we propose a new approach for a subclass of affine equivalent Boolean functions and discuss well-known cryptographic properties in a very simple and lucid manner using this newly introduced approach. Moreover, we propose the first algorithm in the literature to construct non-quadratic balanced Boolean functions (NQBBFs) that possess no linear structure where their derivative equals 1. Finally, we discuss the complexity of this algorithm and present a table that shows the time taken by this algorithm, after its implementation in SageMath, for the generation of Boolean functions corresponding to different values of n (i.e., number of variables).

1. Introduction

Let ${\mathbb{F}}_2=\{0,1\}$ be a finite field of order 2, and let ${\mathbb{F}}_2^n$ be a vector space of n-tuples over ${\mathbb{F}}_2$ containing $2^n$ elements. A function $f:{\mathbb{F}}_2^n\to {\mathbb{F}}_2$ is known as a Boolean function (BF). Beyond their combinatorial significance in mathematics, BFs are critical in coding theory [1,2,3], cryptography [2,4], and combinatorics [5]. In cryptography, BFs are integral to the design of linear feedback shift registers (LFSRs) [6], the substitution boxes (S-boxes) of symmetric ciphers [7], and stream ciphers, where they serve as non-linear filter or combiner functions [8,9].

The cryptographic strength of systems employing BFs relies on properties such as the algebraic degree, non-linearity, algebraic immunity, autocorrelation, balancedness, bentness, and affine equivalence [10,11,12]. Recent advancements have significantly expanded the understanding and construction of BFs with optimal cryptographic properties. For instance, Behera and Gangopadhyay [13] developed an improved hybrid genetic algorithm (HGA) to construct balanced BFs with high non-linearity and low autocorrelation, demonstrating superior efficiency over traditional genetic algorithms through a novel cost function. Similarly, Carlet et al. [14] utilized evolutionary algorithms to enhance the cryptographic properties of BFs derived from algebraic constructions, achieving significant improvements in non-linearity for various BF sizes. Arshad and Khan [15] proposed a method to construct S-boxes using bent BFs via the Maiorana–McFarland method, addressing their inherent imbalance to create bijective S-boxes with high non-linearity, outperforming other heuristic approaches. Additionally, Abughazalah et al. [16] introduced a multi-criteria decision-making technique (IVPF–TOPSIS) to select optimal S-boxes based on multiple cryptographic properties, enhancing the design of modern block ciphers.

Furthermore, Çeşmelioğlu and Meidl [17] extended the study of equivalence classes for generalized BFs, introducing constructions of generalized bent functions that yield large affine spaces of bent functions, applicable to cryptographic designs. Cusick and Cheon [18] explored extended quadratic truncated rotation symmetric BFs, providing explicit generating functions for their weights and solving the Dickson form for such functions. Sun et al. [19] proposed systematic constructions of rotation symmetric BFs with even variables, satisfying nearly all cryptographic criteria, including high non-linearity and algebraic immunity. Ȯzçekiç et al. [20] employed a genetic algorithm to optimize balanced BFs close to bent functions, achieving improved autocorrelation and non-linearity for specific variable ranges. Liu [21] provided tight lower bounds on the second-order non-linearity of three classes of BFs, enhancing their applicability in cryptographic systems.

Among the key properties, the algebraic degree of a BF, defined as the highest degree of a monomial in its algebraic normal form (ANF), is crucial for applications in hash functions, Reed–Muller codes, pseudo-random number generators for stream ciphers, and S-boxes in block ciphers [8,22]. Balanced BFs, characterized by a Hamming weight of $2^{n-1}$, are essential in constructing symmetric ciphers resistant to differential cryptanalysis [11]. Recent designs, such as homophonic and FLIP ciphers [23], leverage balanced BFs on restricted subsets of ${\mathbb{F}}_2^n$ [9]. Affine equivalence, where two BFs f and g of n variables satisfy $f\left(\mathit{x}\right)=g(A\mathit{x}+\mathit{b})$ for some $A\in \mathcal{GL}(n,{\mathbb{F}}_2)$ and $\mathit{b}\in {\mathbb{F}}_2^n$, remains a vital property for cryptographic analysis [9].

This work builds on these advancements by proposing novel results and algorithms for BFs. Unlike prior studies that often rely on the ANF to determine algebraic degree [24], we introduce an algorithm to compute the algebraic degree directly from a BF’s truth table for any degree, extending the results of [24]. We also establish new properties of balanced BFs and propose criteria for the assessment of balancedness, complementing the optimization techniques in [13,14,20]. Additionally, our novel approach to a subclass of affine equivalent BFs simplifies proofs for properties like non-linearity and autocorrelation, aligning with the equivalence studies in [17]. Finally, we present the first algorithm to construct non-quadratic balanced BFs with no linear structure where their derivative equals 1, addressing a gap in the literature and enhancing the cryptographic utility of BFs as seen in [15,19]. We elaborate on the main contribution of this paper in the following subsection.

1.1. Our Contribution

Typically, the algebraic degree of a Boolean function is computed by examining its algebraic normal form ($\mathcal{ANF}$). However, as shown in [24], the algebraic degree of an n-variable Boolean function can, in some cases, be directly obtained without explicitly determining its $\mathcal{ANF}$—specifically when the degree lies in the set $\{n-1,n\}$. In this paper, we extend this idea to Boolean functions with degrees strictly less than $n-1$. We also present a new algorithm as an alternative to the Fast Binary Möbius Transform [9] for the calculation of the algebraic degree. While the computational complexity of our method matches that of existing technique, the proposed algorithm offers the advantage of determining the algebraic degree without computing the $\mathcal{ANF}$, making it particularly effective for the quick or off-hand computation of the algebraic degree for functions with small numbers of variables.

Additionally, we introduce several new and practically relevant results for balanced Boolean functions, which are of interest due to their applications in symmetric cryptography. These results provide tools for checking the balancedness of Boolean functions that lack unit linear structures (a concept formally defined later in the paper).

We also revisit a well-known subclass of affine equivalent Boolean functions [25], and, through a non-exhaustive yet novel approach, we simplify several classical results regarding their algebraic degree, non-linearity, and autocorrelation.

Finally, we propose an original algorithm for the construction of non-quadratic balanced Boolean functions that do not possess any linear structure and whose derivative equals one (see Section 2 for the definition). The correctness and complexity of this construction are discussed in detail. To the best of our knowledge, no prior work has addressed this specific construction, and the functions generated by our method possess desirable cryptographic properties.

1.2. Organization of This Paper

In Section 2, we recall some preliminaries relevant to our work. In Section 3, we discuss our main results on the algebraic degrees of BFs. The same section also includes an algorithm for determining the algebraic degree of a Boolean function. Section 4 is focused on examining key properties associated with the support of balanced BFs, and we also put forward a sufficient condition under which a Boolean function can be considered balanced. In Section 5, we present a novel approach to studying the properties of a subclass of affine equivalent BFs and provide simple, elegant, and novel proofs for certain well-known results. Moreover, we propose an algorithm to construct non-quadratic balanced BFs that have no linear structure at which the derivative is equal to 1. In Section 5.3, we also provide the time and space complexity of our algorithm and a table in which we present empirical results obtained by running our SageMath implementation. This helps to demonstrate the practicality of our algorithm for moderate values of n and provides insights into its computational behavior. The concluding remarks of the paper are presented in Section 6.

2. Preliminaries

In this paper, we use the notation ${\mathbb{F}}_2=\{0,1\}$ for a finite field of order 2, and, for any natural number n, we regard ${\mathbb{F}}_2^n$ as an ${\mathbb{F}}_2$ vector space of all n-tuples $(t_1,t_2,\dots ,t_n)$. Let ${\mathcal{BLF}}_n$ represent the set of all Boolean functions from ${\mathbb{F}}_2^n$ to ${\mathbb{F}}_2$. The functions from ${\mathbb{F}}_2^n$ to $\mathbb{R}$ are termed pseudo-Boolean functions, and the symbols $\wedge ,\mathcal{P}(\wedge )$ are, respectively, used to denote the set $\{1,2,\dots ,n\}$ and the power set of ∧. Throughout the paper, unless otherwise stated, $\mathfrak{J}$ will be used to denote an element of $\mathcal{P}(\wedge )$, and $\mathcal{S}(\wedge )$ denotes the set of all permutations on ∧. For $\mathit{x}=(x_1,x_2,\dots ,x_n)\in {\mathbb{F}}_2^n$, we define ${\mathit{x}}^{\mathfrak{J}}:={\prod }_{i\in \wedge }{x}_i^{k_i}$, where $k_i=1$ if $i\in \mathfrak{J}$ and 0 otherwise.

Generally, the truth table representation is a classical approach of representing every Boolean function $f\in {\mathcal{BLF}}_n$ in a unique way. However, for cryptographic and coding theory applications [8], the most commonly used form of Boolean function is the n-variable polynomial form over the quotient ring $\mathfrak{R}[x_1,x_2,\dots ,x_n]$, where

$$\mathfrak{R}[x_1,x_2,\dots ,x_n]={\displaystyle \frac{{\mathbb{F}}_2[x_1,x_2,\dots ,x_n]}{〈x_1^2-x_1,x_2^2-x_2,\dots ,x_n^2-x_n〉}}.$$

(1)

The algebraic normal form of f, denoted by $\mathcal{ANF}\left(f\right)$, is its representation as an element of $\mathfrak{R}[x_1,x_2,\dots ,x_n].$ As a result, for every $f\in {\mathcal{BLF}}_n$, we have

$$\mathcal{ANF}\left(f\right)=\underset{\mathfrak{J}\in \mathcal{P}(\wedge )}{⨁}{\mathfrak{a}}_{\mathfrak{J}}{\mathit{x}}^{\mathfrak{J}},$$

where ⨁ is addition in ${\mathbb{F}}_2$ and ${\mathfrak{a}}_{\mathfrak{J}}\in {\mathbb{F}}_2^n$.

For a vector $\mathit{u}\in {\mathbb{F}}_2^n$, the Hamming weight, represented by ${\mathfrak{W}}_{\mathcal{H}}\left(\mathit{u}\right)$, refers to the total number of positions in $\mathit{u}$ that contain non-zero entries. That is, ${\mathfrak{W}}_{\mathcal{H}}\left(\mathit{u}\right):=\left|\{i\in \wedge |u_i\ne \mathbf{0}\}\right|$, where $\left|\mathfrak{J}\right|$ indicates the cardinality of the set $\mathfrak{J}$. We define $Supp\left(\mathit{u}\right):=\{i\in \wedge |u_i\ne \mathbf{0}\}$ and the Hamming weight of $f\in {\mathcal{BLF}}_n$ as the number of $\mathit{u}\in {\mathbb{F}}_2^n$, where f has a non-zero value. Precisely, the Hamming weight of f is the size of the set $Supp\left(f\right):=\{\mathit{u}\in {\mathbb{F}}_2^n|f\left(\mathit{u}\right)=1\}.$

Definition 1

([9]). Let $f\in {\mathcal{BLF}}_n$ be expressed in its algebraic normal form as

$$\mathcal{ANF}\left(f\right)=\underset{\mathfrak{J}\in \mathcal{P}(\wedge )}{⨁}{\mathfrak{a}}_{\mathfrak{J}}{\mathit{x}}^{\mathfrak{J}},$$

(2)

where ${\mathfrak{a}}_{\mathfrak{J}}\in {\mathbb{F}}_2$ for each $\mathfrak{J}$. The algebraic degree of f, denoted ${\mathcal{ALG}}_d\left(f\right)$, is defined by

$${\mathcal{ALG}}_d\left(f\right):=max\left\{\right|\mathfrak{J}|:{\mathfrak{a}}_{\mathfrak{J}}\ne 0\}.$$

(3)

Theorem 1

([22]). Consider a Boolean function $f\in {\mathcal{BLF}}_n$ whose algebraic normal form is given by

$$\mathcal{ANF}\left(f\right)=\underset{\mathfrak{J}\in \mathcal{P}(\wedge )}{⨁}{\mathfrak{a}}_{\mathfrak{J}}{\mathit{x}}^{\mathfrak{J}}.$$

(4)

Then, for every $\mathfrak{J}\in \mathcal{P}(\wedge )$, the corresponding coefficient ${\mathfrak{a}}_{\mathfrak{J}}$ is computed as

$${\mathfrak{a}}_{\mathfrak{J}}=\underset{\begin{array}{c}\mathit{x}\in {\mathbb{F}}_2^n\\ Supp\left(\mathit{x}\right)\subseteq \mathfrak{J}\end{array}}{⨁}f\left(\mathit{x}\right).$$

(5)

Definition 2

([22]). Let $f\in {\mathcal{BLF}}_n$ and $\mathit{a}\in {\mathbb{F}}_2^n$. Then, the derivative of f at $\mathit{a}$, symbolized by ${\mathfrak{D}}_{\mathit{a}}f\left(\mathit{x}\right)$, is defined as ${\mathfrak{D}}_{\mathit{a}}f\left(\mathit{x}\right):=f\left(\mathit{x}\right)\oplus f\left(\mathit{x}+\mathit{a}\right).$

Definition 3

(Linear Kernel [8]). The linear kernel of any n-variable Boolean function f, represented by ${\mathcal{E}}_f,$ is the set of all those points $\mathit{c}\in {\mathbb{F}}_2^n$ for which ${\mathfrak{D}}_{\mathit{c}}f\left(\mathit{x}\right)$ is constant. Any element of ${\mathcal{E}}_f$ is called a linear structure of f.

Theorem 2

([22]). For any non-constant Boolean function $f\in {\mathcal{BLF}}_n$ and any $\mathit{a}\in {\mathbb{F}}_2^n$, we have

$${\mathcal{ALG}}_d\left({\mathfrak{D}}_{\mathit{a}}f\left(\mathit{x}\right)\right)<{\mathcal{ALG}}_d\left(f\left(\mathit{x}\right)\right)$$

and there exist some $\mathit{c}\in {\mathbb{F}}_2^n$ such that ${\mathcal{ALG}}_d\left({\mathfrak{D}}_{\mathit{c}}f\left(\mathit{x}\right)\right)={\mathcal{ALG}}_d\left(f\right)-1.$

Definition 4

([22]). Let $f\in {\mathcal{BLF}}_n$ and $\mathit{a}\in {\mathbb{F}}_2^n$. Then, the autocorrelation of f is defined as ${\mathcal{AC}}_f=\underset{\mathit{b}\in {\mathbb{F}}_2^n\setminus \mathbf{0}}{max}\left|{\mathcal{C}}_f\left(\mathit{b}\right)\right|$, where ${\mathcal{C}}_f\left(\mathit{b}\right)={\displaystyle \sum _{\mathit{x}\in {\mathbb{F}}_2^n}}{(-1)}^{{\mathfrak{D}}_{\mathit{b}}f\left(\mathit{x}\right)}$.

Definition 5

([22]). The non-linearity of a Boolean function $f\in {\mathcal{BLF}}_n$ is the minimum Hamming distance from f to all affine functions defined over ${\mathbb{F}}_2^n$. Formally, it is expressed as

$$\mathcal{NL}\left(f\right):=min\{\mathrm{dis}(f,\tilde{f}):\tilde{f}\in {\mathcal{A}}_n\},$$

(6)

where ${\mathcal{A}}_n$ denotes the set of all affine functions over ${\mathbb{F}}_2^n$, and $\mathrm{dis}(f,\tilde{f})$ represents the Hamming distance between f and $\tilde{f}$.

Theorem 3

([22]). An n-variable quadratic Boolean function (QBF) f is balanced if and only if there exists a vector $\mathit{b}\in {\mathbb{F}}_2^n$ for which ${\mathfrak{D}}_{\mathit{b}}f\left(\mathit{x}\right)=1$ holds.

Theorem 4

([24]). A Boolean function $f\in {\mathcal{BLF}}_n$ attains algebraic degree n if and only if its Hamming weight turns out to be an odd number.

Before proceeding to the main results, we introduce a new concept that will be instrumental in the subsequent analysis. While the notion of linear structures of Boolean functions is well established, we define a special case, which we refer to as a unit linear structure. This concept plays a central role in characterizing certain classes of balanced Boolean functions considered later in this paper. To the best of our knowledge, this terminology and its formal definition have not been previously explored in the literature.

Definition 6

(Unit Linear Structure). An element $\mathit{c}\in {\mathbb{F}}_2^n$ is said to be a unit linear structure of an n-variable Boolean function f if the derivative of f in the direction $\mathit{c}$ satisfies

$${\mathfrak{D}}_{\mathit{c}}f\left(\mathit{x}\right)=1forall\mathit{x}\in {\mathbb{F}}_2^n.$$

The set of all unit linear structures of f is denoted by ${\mathcal{E}}_f^1$.

Furthermore, we denote by ${\mathcal{BLF}}_n^1$ the set of all n-variable Boolean functions that admit at least one unit linear structure.

3. Algebraic Degrees of Boolean Functions: Novel Results and Computation Approach

In this section, we present new results on the algebraic degree, extending the findings discussed in [24]. In addition, we introduce an alternative method of computing the algebraic degree that maintains the same complexity as the Fast Binary Möbius Transform, yet determines the degree without requiring knowledge of the algebraic normal form ($\mathcal{ANF}$). This makes the method particularly useful for the quick estimation of the algebraic degree in Boolean functions with a small number of variables.

Theorem 5.

Any Boolean function $f={⨁}_{\mathfrak{J}\in \mathcal{P}(\wedge )}{\mathfrak{a}}_{\mathfrak{J}}{\mathit{x}}^{\mathfrak{J}}\in {\mathcal{BLF}}_n$ has algebraic degree $n-d$, where d is some positive integer such that $d<n$, if and only if

(a) 

f has an even weight; 

(b) 

there exists ${\delta }_{\wedge }\subseteq \wedge$, with $\left|{\delta }_{\wedge }\right|=d$, such that $\left|\{\mathit{x}\in Supp\left(f\right):x_k=0forallk\in {\delta }_{\wedge }\}\right|$ is odd; and 

(c) 

there does not exist ${\sigma }_{\wedge }\subseteq \wedge$, with  $\left|{\sigma }_{\wedge }\right|<d$, such that $\left|\{\mathit{x}\in Supp\left(f\right):x_k=0forallk\in {\sigma }_{\wedge }\}\right|$ is odd.

Proof. 

For the forward part, assume that the algebraic degree of $f={⨁}_{\mathfrak{J}\in \mathcal{P}(\wedge )}{\mathfrak{a}}_{\mathfrak{J}}{\mathit{x}}^{\mathfrak{J}}$ is $n-d.$ Then, we show the following:

(a)

Using Theorem 4, we find that the weight of f is even.

(b)

The algebraic degree of f is $n-d$, so the $\mathcal{ANF}$ of f has a monomial of degree $n-d.$ Let $x_{i_1}{x}_{i_2}\dots x_{i_{n-d}}$ be this monomial, where $i_j=\sigma \left(j\right)\mathrm{for}\mathrm{some}\sigma \in \mathcal{S}(\wedge ).$ Consequently, for $\mathfrak{J}=\{i_1,i_2,\dots ,i_{n-d}\}$, we have

$${\mathfrak{a}}_{\mathfrak{J}}=\underset{Supp\left(\mathit{x}\right)\subseteq \mathfrak{J}}{\underset{\mathit{x}\in {\mathbb{F}}_2^n}{⨁}}f\left(\mathit{x}\right)=1$$

or

$${\mathfrak{a}}_{\mathfrak{J}}=\underset{x_{i_{n-d+1}}=x_{i_{n-d+2}}=\cdots =x_{i_n}=0}{\underset{\mathit{x}\in {\mathbb{F}}_2^n}{⨁}}f\left(\mathit{x}\right)=1$$

or

$$\left|\{\mathit{x}\in {\mathbb{F}}_2^n:x_{i_{n-d+1}}=x_{i_{n-d+2}}=\cdots =x_{i_n}=0\mathrm{and}f\left(\mathit{x}\right)=1\}\right|\mathrm{is}\mathrm{odd}$$

or

$$\left|\{\mathit{x}\in Supp\left(f\right):x_{i_{n-d+1}}=x_{i_{n-d+2}}=\cdots =x_{i_n}=0\}\right|\mathrm{is}\mathrm{odd}.$$

Thus, if we let ${\delta }_{\wedge }=\wedge \setminus \{i_1,i_2,\dots ,i_{n-d}\}$, then we have

$$\left|\{\mathit{x}\in Supp\left(f\right):x_k=0forallk\in {\delta }_{\wedge }\}\right|\mathrm{is}\mathrm{odd}.$$

This means that $\left(b\right)$ holds.

(c)

Suppose that there exists ${\sigma }_{\wedge }\subseteq \wedge$, with  $\left|{\sigma }_{\wedge }\right|<d$, such that $\left|\{\mathit{x}\in Supp\left(f\right):x_k=0forallk\in {\sigma }_{\wedge }\}\right|$ is odd. Then, we have

$${\mathfrak{a}}_{\wedge \setminus {\sigma }_{\wedge }}=\underset{Supp\left(\mathit{x}\right)\subseteq \wedge \setminus {\sigma }_{\wedge }}{\underset{\mathit{x}\in {\mathbb{F}}_2^n}{⨁}}f\left(\mathit{x}\right)=1\mathrm{with}|\wedge \setminus {\sigma }_{\wedge }|>n-d.$$

This implies that f has an algebraic degree greater than $n-d.$ This is a contradiction to our assumption. Therefore, there does not exist ${\sigma }_{\wedge }\subseteq \wedge$, with  $\left|{\sigma }_{\wedge }\right|<d$, such that $\left|\{\mathit{x}\in Supp\left(f\right):x_k=0forallk\in {\sigma }_{\wedge }\}\right|$ is odd.

Conversely, suppose that conditions $\left(a\right)$–$\left(c\right)$ hold. This, along with Theorem 4, implies that ${\mathcal{ALG}}_d\left(f\right)<n.$ Moreover, from part (b), we have

$${\mathfrak{a}}_{\wedge \setminus {\delta }_{\wedge }}=\underset{Supp\left(\mathit{x}\right)\subseteq \wedge \setminus {\delta }_{\wedge }}{\underset{\mathit{x}\in {\mathbb{F}}_2^n}{⨁}}f\left(\mathit{x}\right)\mathrm{is}\mathrm{odd}\Rightarrow {\mathfrak{a}}_{\wedge \setminus {\delta }_{\wedge }}\ne 0.$$

This leads to ${\mathcal{ALG}}_d\left(f\right)\ge n-d.$ Additionally, from part (c), we know that there does not exist ${\sigma }_{\wedge }\subseteq \wedge$, with  $\left|{\sigma }_{\wedge }\right|<d$, and $|\{\mathit{x}\in Supp\left(f\right):x_k=0forallk\in {\sigma }_{\wedge }\}|$ is odd. So, ${\mathcal{ALG}}_d\left(f\right)\le n-d.$ Thus, we conclude that ${\mathcal{ALG}}_d\left(f\right)$ is $n-d$.    □

Next, we prove a result that can be used to find the algebraic degrees of BFs without obtaining their algebraic normal forms. This result appears to be a straightforward case of Theorem 5; however, it is not.

Proposition 1.

Let f be a Boolean function with an even Hamming weight. Then, f possesses algebraic degree $n-d$, where $1\le d<n$, if and only if the following conditions are satisfied:

(a) 

There exists a reordering $i_1,i_2,\dots ,i_n$ of the integers $1,2,\dots ,n$ such that the set

$$A^{i_1,i_2,\dots ,i_d}:=\{\mathit{x}\in {\mathbb{F}}_2^n:f\left(\mathit{x}\right)=x_{i_{n-d+1}}=x_{i_{n-d+2}}=\cdots =x_{i_n}=1\}$$

has odd cardinality, or the restriction of f on ${\mathbb{F}}_2^n\setminus (A^{i_1,i_2,\dots ,i_d}\cup \mathcal{B})$ has an even Hamming weight, where $\mathcal{B}=\{\mathit{x}\in {\mathbb{F}}_2^n:f\left(\mathit{x}\right)=1and{x}_j=0forallj\in \{i_{n-d+1},i_{n-d+2},\dots ,i_n\}\}$.

(b) 

For all permutations $i_1,i_2,\dots ,i_n$ of the integers $1,2,\dots ,n$, the set

$$A^{i_1,i_2,\dots ,i_k}=\{\mathit{x}\in {\mathbb{F}}_2^n:f\left(\mathit{x}\right)=x_{i_{n-k+1}}=x_{i_{n-k+2}}=\cdots =x_{i_n}=1\}$$

has even cardinality for all $k<d.$

Proof. 

Assume that the Boolean function f has an algebraic degree equal to $n-d$ and let $\mathcal{ANF}\left(f\right)={⨁}_{\mathfrak{J}\in \mathcal{P}(\wedge )}{\mathfrak{a}}_{\mathfrak{J}}{\mathit{x}}^{\mathfrak{J}}$. This further implies that the $\mathcal{ANF}$ of f has a monomial of degree $n-d$, and all the monomials of degrees greater than $n-d$ have zero coefficients. Let $x_{i_1}{x}_{i_2}\cdots x_{i_{n-d}}$ be the monomial with coefficient 1, where $i_j=\sigma \left(j\right)\mathrm{for}\mathrm{some}\sigma \in \mathcal{S}(\wedge ).$ Then, for $\mathfrak{J}=\{i_1,i_2,\dots ,i_{n-d}\}$, we have

$$\underset{Supp\left(\mathit{x}\right)\subseteq \mathfrak{J}}{\underset{\mathit{x}\in {\mathbb{F}}_2^n}{⨁}}f\left(\mathit{x}\right)=\underset{x_{i_{n-d+1}}=x_{i_{n-d+2}}=\cdots =x_{i_n}=0}{\underset{\mathit{x}\in {\mathbb{F}}_2^n}{⨁}}f\left(\mathit{x}\right)=1.$$

(7)

Moreover, the algebraic degree of f is $n-d$ and its $\mathcal{ANF}$ has a monomial $x_{i_1}{x}_{i_2}\cdots x_{i_{n-d}}.$ So, we may suppose that

$$f(x_1,x_2,\dots ,x_n)=g(x_{i_1},x_{i_2},\dots ,x_{i_{n-d}})\oplus h(x_1,x_2,\dots ,x_n),$$

where $g(x_{i_1},x_{i_2},\dots ,x_{i_{n-d}})$ is the restriction of f on ${\mathbb{F}}_2^n\setminus \{\mathit{x}\in {\mathbb{F}}_2^n:x_j=0\mathrm{for}\mathrm{all}j\in \{i_{n-d+1},i_{n-d+2},\dots ,i_n\}\}.$ Consequently, $h(x_1,x_2,\dots ,x_n)=0\mathrm{for}\mathrm{all}(x_1,x_2,\dots ,x_n)\in {\mathbb{F}}_2^n\setminus \{\mathit{x}\in {\mathbb{F}}_2^n:x_j=0\mathrm{for}\mathrm{all}j\in \{i_{n-d+1},i_{n-d+2},\dots ,i_n\}\},$ since the $\mathcal{ANF}$ of g does not contain any monomials with an $\mathcal{ANF}$ of f that contain $\tilde{x}\in \{x_{i_{n-d+1}},x_{i_{n-d+2}},\dots ,x_{i_n}\}$. So, for any $\mathit{x},\mathit{y}\in {\mathbb{F}}_2^n$ with $x_{i_j}=y_{i_j}\mathrm{for}\mathrm{all}j\in \{1,2,\dots ,n-d\},$ we have $g\left(\mathit{x}\right)=g\left(\mathit{y}\right).$ Thus, if we consider $g\left(x\right)$ and $h\left(x\right)$ as two BFs on $\{\mathit{x}\in {\mathbb{F}}_2^n:x_{i_{n-d+1}}=x_{i_{n-d+2}}=\dots ,x_{i_n}=1\}$, then the algebraic degrees of g and h are $n-d$ and $n_0$ (where $n_0<n-d$), respectively. So, using Theorem 4, the Hamming weight of g is odd and that of h is even. This further implies that $f=g\oplus h$ has an odd Hamming weight on $\{\mathit{x}\in {\mathbb{F}}_2^n:x_{i_{n-d+1}}=x_{i_{n-d+2}}=\dots x_{i_n}=1\}$ or $A^{i_1,i_2,\dots ,i_d}$ has odd cardinality (as, if $A_{g\cap h}=\{\mathit{x}\in {\mathbb{F}}_2^n:g\left(\mathit{x}\right)=h\left(\mathit{x}\right)=1\}$, then ${\mathfrak{W}}_H\left(f=g\oplus h\right)={\mathfrak{W}}_H\left(g\right)+{\mathfrak{W}}_H\left(h\right)-2\left|A_{g\cap h}\right|$).

Moreover, there holds

$$\{\mathit{x}\in {\mathbb{F}}_2^n:f\left(\mathit{x}\right)=1\}=A^{i_1,i_2,\dots ,i_d}\cup \mathcal{B}\cup {\mathbb{F}}_2^n\setminus (A^{i_1,i_2,\dots ,i_d}\cup \mathcal{B}).$$

As the weight of f is even, this, along with (7), implies that f has an even Hamming weight on ${\mathbb{F}}_2^n\setminus (A^{i_1,i_2,\dots ,i_d}\cup \mathcal{B}).$ This completes the proof of part (a).

Now, we show part (b). Suppose that there exists a rearrangement $i_1,i_2,\dots ,i_n$ of the elements $1,2,\dots ,n$ such that the set

$$A^{i_1,i_2,\dots ,i_k}=\{\mathit{x}\in {\mathbb{F}}_2^n:f\left(\mathit{x}\right)=x_{i_{n-k+1}}=x_{i_{n-k+2}}=\cdots =x_{i_n}=1\}$$

(8)

has odd cardinality for some $k<d.$ Let $\tilde{f}$ be the restriction of f on $A^{i_1,i_2,\dots ,i_k}.$ Then, using a structure-transferring map, we may consider $\tilde{f}$ as a Boolean function on ${\mathbb{F}}_2^{n-k}.$ This, along with (8), implies that

$$\underset{\mathit{x}\in {\mathbb{F}}_2^{n-k}}{⨁}\tilde{f}\left(\mathit{x}\right)\ne 0.$$

(9)

Moreover, Theorem 4 along with (9) implies that ${\mathcal{ALG}}_d\left(\tilde{f}\right)$ is $n-k.$ This means that ${\mathcal{ALG}}_d\left(f\right)\ge n-k.$ However, $k<d$ and the algebraic degree of f is $n-d$. This is a contradiction. Therefore, there does not exist a rearrangement $i_1,i_2,\dots ,i_n$ of the elements $1,2,\dots ,n$ such that the set given in (8) has odd cardinality for some $k<d.$ This completes the proof of part (b).

Conversely, suppose that conditions (a) and (b) are met. Then, part (a) implies that there exists a permutation $i_1,i_2,\dots ,i_n$ of the integers $1,2,\dots ,n$ such that the set

$$A^{i_1,i_2,\dots ,i_d}:=\{\mathit{x}\in {\mathbb{F}}_2^n:f\left(\mathit{x}\right)=x_{i_{n-d+1}}=x_{i_{n-d+2}}=\cdots =x_{i_n}=1\}$$

has odd cardinality. By employing the technique incorporated in part (b), we note that ${\mathcal{ALG}}_d\left(f\right)\ge n-d.$ On the other hand, part (b) implies that ${\mathcal{ALG}}_d\left(f\right)<n-k\mathrm{for}\mathrm{all}k<d.$ Thus, we conclude that ${\mathcal{ALG}}_d\left(f\right)=n-d.$    □

Next, we present a result that can be applied to obtain the $\mathcal{ANF}$ of a Boolean function whose Hamming weight is even.

Proposition 2.

Let $f\in {\mathcal{BLF}}_n$ have $\mathcal{ANF}\left(f\right)={⨁}_{\mathfrak{J}\in \mathcal{P}(\wedge )}{\mathfrak{a}}_{\mathfrak{J}}{\mathit{x}}^{\mathfrak{J}}$, and let the weight of f be even. Then, for every $\mathfrak{J}\in \mathcal{P}(\wedge )$, we have

$${\mathfrak{a}}_{\mathfrak{J}}=\underset{\underset{Supp\left(\mathit{x}\right)\cap {\mathfrak{J}}_2=\varphi }{\underset{Supp\left(\mathit{x}\right)\cap {\mathfrak{J}}_1={\mathfrak{J}}_1}{\mathit{x}\in {\mathbb{F}}_2^n}}}{⨁}f\left(\mathit{x}\right),$$

where ${\mathfrak{J}}_1$ and ${\mathfrak{J}}_1$ are any two sets such that ${\mathfrak{J}}^c=\wedge \setminus \mathfrak{J}={\mathfrak{J}}_1\cup {\mathfrak{J}}_2.$

Proof. 

Suppose that $\mathfrak{J}=\{i_1,i_2,\dots ,i_{n-k}\}$ for some permutation $i_1,i_2,\dots ,i_n$ of the integers $1,2,\dots ,n\mathrm{and}k\le n.$ Using part (a) of Proposition 1, it can be easily shown that

$${\mathfrak{a}}_{\mathfrak{J}}=\underset{\underset{Supp\left(\mathit{x}\right)\cap {\mathfrak{J}}_2=\varphi }{\underset{Supp\left(\mathit{x}\right)\cap {\mathfrak{J}}_1={\mathfrak{J}}_1}{\mathit{x}\in {\mathbb{F}}_2^n}}}{⨁}f\left(\mathit{x}\right).$$

Hence, the proof is completed.    □

The corollary stated below directly follows as a consequence of Proposition 2.

Corollary 1.

Let $f\in {\mathcal{BLF}}_n$ have $\mathcal{ANF}\left(f\right)={⨁}_{\mathfrak{J}\in \mathcal{P}(\wedge )}{\mathfrak{a}}_{\mathfrak{J}}{\mathit{x}}^{\mathfrak{J}}$, and let the weight of f be even. Then, for each $\mathfrak{J}\in \mathcal{P}(\wedge )$, we have

$${\mathfrak{a}}_{\mathfrak{J}}=\underset{\underset{Supp\left(\mathit{x}\right)\cap {\mathfrak{J}}^c={\mathfrak{J}}^c}{\mathit{x}\in {\mathbb{F}}_2^n}}{⨁}f\left(\mathit{x}\right).$$

Next, with the help of Proposition 2, we discuss an efficient alternative procedure to determine the algebraic degrees of BFs without knowing their $\mathcal{ANF}$. This algorithm (i.e., Algorithm 1) has complexity $\mathcal{O}(n·2^n)$, which is the same as that of the Fast Binary Möbius Transform [22]. However, our algorithm offers the advantage of determining the algebraic degree without computing the $\mathcal{ANF}$, making it particularly effective for the quick or off-hand computation of the algebraic degree for functions with a small number of variables.

To this end, we describe some notations before we discuss the algorithm. Let $\mathit{x},\mathit{y}\in {\mathbb{F}}_2^n$ and $i_1,i_2,\dots ,i_n$ be a permutation of the integers $1,2,\dots ,n.$ We say that $\mathit{x}$ is a k-layer related to $\mathit{y}$ with respect to the positions $i_1,i_2,\cdots ,i_k$ if $x_{i_1}=x_{i_2}=\cdots =x_{i_k}=y_{i_1}=y_{i_2}=\cdots =y_{i_k}=1.$ The set of all these elements will be denoted by $A^{k-l_{i_1,i_2,\dots ,i_k}}.$ For any $f\in {\mathcal{BLF}}_n$, the set of elements $A^{k-l_{i_1,i_2,\dots ,i_k}}\cap Supp\left(f\right)$ is denoted by $A_f^{k-l_{i_1,i_2,\dots ,i_k}}.$

Algorithm 1 An algorithm to compute the algebraic degrees of BFs

1: If $\left|Supp\right(f\left)\right|$ is odd, then, from Theorem 4, ${\mathcal{ALG}}_d\left(f\right)=n.$ Go to step 5. 2: Compute $A_f^{k-l_{i_t}},\mathrm{for}k=1\mathrm{and}t\in \{1,2,\dots ,n\}$, until we get $t_0\in \{1,2,\dots ,n\}$ (if exists) such that $\left|A_f^{k-l_{i_{t_0}}}\right|$ is odd. Then, ${\mathcal{ALG}}_d\left(f\right)$ is $n-1.$ Go to step 5. 3: Compute $A_f^{k-l_{i_{t_1},i_{t_2}}}$, for k = 2 and $t_1,t_2\in \{1,2,\dots ,n\}$, until we get $t_1^{\prime },t_2^{\prime }\in \{1,2,\dots ,n\}$ (if exists) such that $\left|A_f^{k-l_{i_{t_1},i_{t_2}}}\right|$ is odd. Then, ${\mathcal{ALG}}_d\left(f\right)$ is $n-2.$ Go to step 5. 4: Continue until a subset $S=\{t_1,t_2,\dots t_s\},$ where $1\le s\le n,$ of $\{1,2,\dots ,n\}$ is obtained such that $\left|A_f^{k-l_{i_{t_1},i_{t_2},\dots ,i_{t_s}}}\right|$ is odd. Then, ${\mathcal{ALG}}_d\left(f\right)$ is $n-s.$ Go to step 5. 5: End.

To show the practicality of Algorithm 1, we consider three BFs, each containing four variables, and deduce their algebraic degrees.

Example 1

(Algebraic degrees of Boolean functions). Consider three BFs $f,gandh$ on ${\mathbb{F}}_2^4$, whose truth tables are given in

Table 1. Truth tables of BFs $f,g$ and h.

${\mathit{x}}_1$	${\mathit{x}}_2$	${\mathit{x}}_3$	${\mathit{x}}_4$	f	g	h
0	0	0	0	0	0	0
1	0	0	0	1	1	1
0	1	0	0	0	0	1
1	1	0	0	0	1	0
0	0	1	0	1	1	1
1	0	1	0	0	0	0
0	1	1	0	0	1	0
1	1	1	0	1	0	1
0	0	0	1	0	0	1
1	0	0	1	0	1	0
0	1	0	1	0	1	0
1	1	0	1	1	0	1
0	0	1	1	0	1	0
1	0	1	1	0	0	1
0	1	1	1	1	0	1
1	1	1	1	1	1	0

. Then, we have

$$\begin{array}{cc}\hfill Supp\left(f\right)& =\{0001,0100,0111,1011,1110,1111\},\hfill \\ \hfill Supp\left(g\right)& =\{0001,0011,0100,0110,1001,1010,1100,1111\}and\hfill \\ \hfill Supp\left(h\right)& =\{0001,0010,0100,0111,1000,1011,1101,1110\}.\hfill \end{array}$$

Using these, we get

$$\begin{array}{c}\hfill A_f^{1-l_1}=\{1011,1110,1111\}and\underset{\mathit{x}\in A_f^{1-l_1}}{⨁x^0}=1\oplus 1\oplus 1\ne 0,\end{array}$$

(10)

$$\begin{array}{c}\hfill A_g^{1-l_1}=\{1001,1010,1100,1111\}and\underset{\mathit{x}\in A_g^{1-l_1}}{⨁x^0}=1\oplus 1\oplus 1\oplus 1=0,\end{array}$$

$$\begin{array}{c}\hfill A_g^{1-l_2}=\{0100,0110,1100,1111\}and\underset{\mathit{x}\in A_g^{1-l_2}}{⨁x^0}=1\oplus 1\oplus 1\oplus 1=0,\end{array}$$

$$\begin{array}{c}\hfill A_g^{1-l_3}=\{0011,0110,1010,1111\}and\underset{\mathit{x}\in A_g^{1-l_3}}{⨁x^0}=1\oplus 1\oplus 1\oplus 1=0,\end{array}$$

$$\begin{array}{c}\hfill A_g^{1-l_4}=\{0001,0011,1001,1111\}and\underset{\mathit{x}\in A_g^{1-l_4}}{⨁x^0}=1\oplus 1\oplus 1\oplus 1=0,\end{array}$$

$$\begin{array}{c}\hfill A_g^{2-l_{1,2}}=\{1100,1111\}and\underset{\mathit{x}\in A_g^{2-l_{1,2}}}{⨁x^0}=1\oplus 1=0,\end{array}$$

$$\begin{array}{c}\hfill \dots \end{array}$$

$$\begin{array}{c}\hfill A_g^{2-l_{2,4}}=\left\{1111\right\}and\underset{\mathit{x}\in A_g^{2-l_{2,4}}}{⨁x^0}=1\ne 0.\end{array}$$

(11)

Similarly, we have

$$\begin{array}{c}\hfill \underset{\mathit{x}\in A_h^{1-l_1}}{⨁x^0}=\cdots =\underset{\mathit{x}\in A_h^{1-l_4}}{⨁x^0}=\underset{\mathit{x}\in A_h^{2-l_{1,2}}}{⨁x^0}=\underset{\mathit{x}\in A_h^{2-l_{1,3}}}{⨁x^0}=\underset{\mathit{x}\in A_h^{2-l_{1,4}}}{⨁x^0}=\underset{\mathit{x}\in A_h^{2-l_{2,3}}}{⨁x^0}=\underset{\mathit{x}\in A_h^{2-l_{2,4}}}{⨁x^0}=\underset{\mathit{x}\in A_h^{2-l_{3,4}}}{⨁x^0}=0,\end{array}$$

and

$$\begin{array}{c}\hfill A_h^{3-l_{1,2,3}}=\left\{1110\right\}and\underset{\mathit{x}\in A_h^{3-l_{1,2,3}}}{⨁x^0}=1\ne 0.\end{array}$$

(12)

Thus, using (10)–(12) and Algorithm 1, we note that the algebraic degrees of f, g and h are 3, 2 and 1, respectively. Clearly, we have not used the $\mathcal{ANF}$s of $f,g$ and h to compute their algebraic degrees.

4. Balanced Boolean Functions: Structural Insights and New Characterizations

This section is devoted to exploring some new findings related to the balancedness of BFs. We begin by discussing two important results (Propositions 3 and 4) related to the support of a balanced Boolean function. Apart from this, we discuss a very interesting result in the form of Proposition 5, which is novel and very interesting from a linear algebra point of view and will be used in Proposition 6.

Proposition 3.

Let $f\in {\mathcal{BLF}}_n$ be a balanced Boolean function such that $f\notin {\mathcal{BLF}}_n^1.$ Then, $Supp\left(f\right)$ is not a subspace of ${\mathbb{F}}_2^n.$

Proof. 

For the sake of contradiction, let us suppose that $Supp\left(f\right)$ is a subspace of ${\mathbb{F}}_2^n.$ Then, it is a hyperplane, e.g., H. Thus, we have ${\mathbb{F}}_2^n=H\cup (\mathit{b}+H)$, for some $\mathit{b}\notin H$. Consequently, we have

$$f\left(\mathit{x}\right)+f\left(\mathit{x}+\mathit{b}\right)=1,\mathrm{for}\mathrm{all}\mathit{x}\in {\mathbb{F}}_2^n,$$

since $\mathit{x}$ and $\mathit{x}+\mathit{b}$ cannot be both in $H(\mathrm{or}\mathrm{in}b+H).$ This in turn implies that $f\in {\mathcal{BLF}}_n^1,$ which is a contradiction. So, $Supp\left(f\right)$ is not a subspace of ${\mathbb{F}}_2^n.$ This completes the result.    □

The following example illustrates that the converse of Proposition 3 is not valid.

Example 2.

Let f be a balanced Boolean function on ${\mathbb{F}}_2^4$ such that

$$Supp\left(f\right)=\{0000,0001,0010,0011,0100,0110,0111,1000\}.$$

We note that 0010 and 0111 are elements of $Supp\left(f\right),$ but $0010+0111=0101\notin Supp\left(f\right).$ This implies that $Supp\left(f\right)$ is not a subspace of ${\mathbb{F}}_2^4.$ If we take $\mathit{b}=1101,$ then we have

$$\mathit{b}+Supp\left(f\right)=\{\mathit{b}+\mathit{x}:\mathit{x}\in Supp(f\left)\right\}=\{1101,1100,1111,1110,1001,1011,1010,0101\}.$$

To this end, we observe that $(\mathit{b}+Supp(f\left)\right)\cap Supp\left(f\right)=\varnothing ,$ which further implies that $f\in {\mathcal{BLF}}_n^1.$

Proposition 4.

Let $f\in {\mathcal{BLF}}_n$ be a balanced Boolean function such that $f\notin {\mathcal{BLF}}_n^1.$ Then, $Supp\left(f\right)$ contains a set of n linearly independent vectors and

$$\bigcup _{i=1}^{2^{n-1}}({\mathit{x}}_i+Supp\left(f\right))={\mathbb{F}}_2^n,$$

where ${\mathit{x}}_1,{\mathit{x}}_2,\dots ,{\mathit{x}}_{2^{n-1}}\in Supp\left(f\right).$

Proof. 

Let $\Omega$ be the set of maximum linearly independent vectors in $Supp\left(f\right).$ If $|\Omega |<n$, then we have the following cases:

(a)

$|\Omega |<n-1$, or 

(b)

$|\Omega |=n-1.$

If (a) holds, then f is not balanced, and, if (b) holds, then $Supp\left(f\right)$ must be a subspace of ${\mathbb{F}}_2^n.$ However, from Proposition 3, if  $f\notin {\mathcal{BLF}}_n^1$, then $Supp\left(f\right)$ is not a subspace of ${\mathbb{F}}_2^n.$ So, in both cases, we have a contradiction. Consequently, we must have that $|\Omega |=n.$ Moreover, as $f\notin {\mathcal{BLF}}_n^1$, we have

$$(\mathit{a}+Supp(f\left)\right)\cap Supp\left(f\right)\ne \varnothing .$$

(13)

Let $\mathit{b}\in {\mathbb{F}}_2^n$ be an arbitrary element. Then, from (13), we obtain $(\mathit{b}+Supp(f\left)\right)\cap Supp\left(f\right)\ne \varnothing .$ This further implies that $\mathit{b}+\mathit{x}=\mathit{y}$ for some $\mathit{x},\mathit{y}\in Supp\left(f\right).$ So, ${\mathbb{F}}_2^n\subseteq {\bigcup }_{i=1}^{2^{n-1}}({\mathit{x}}_i+Supp\left(f\right))$ and hence the result holds.    □

The next key result of our work, namely Proposition 6, provides a sufficient condition under which a Boolean function is balanced. To establish this, we first require the following preliminary result.

Proposition 5.

Let V and W be two subsets of ${\mathbb{F}}_2^n$ such that

(a) 

$V\cup W={\mathbb{F}}_2^n;$

(b) 

$\mathbf{0}\in V$ and $V\cap W=\varnothing ;$ and

(c) 

there exists a unique element $\mathit{b}\in W$ such that $\mathit{b}\ne \mathit{x}+\mathit{y}$ for all $\mathit{x},\mathit{y}\in V.$

Then, there do not exist $\mathit{c},\mathit{d}\in W$ such that $\mathit{b}=\mathit{c}+\mathit{d}.$

Proof. 

Let $X=V\setminus \left\{\mathbf{0}\right\}$ and $Y=W\setminus \left\{\mathit{b}\right\}.$ From condition (c), if $\mathit{z}\in Y$, then there exist $\mathit{x},\mathit{y}\in V$ such that $\mathit{z}=\mathit{x}+\mathit{y}$ (as b is the only element in W which cannot be expressed as the sum of two elements from V). In this case, neither $\mathit{x}$ nor $\mathit{y}$ is zero as $V\cap W=\varnothing .$ In order to prove the result, we need to show that $\left|V\right|=\left|W\right|.$ We note that, if $\mathit{x}\in V$, then $\mathit{b}+\mathit{x}\notin V$ (as $\mathit{b}=\mathit{x}+(\mathit{b}+\mathit{x})$, since Char(${\mathbb{F}}_2$) = 2). Here, Char denotes the characteristics of a field. Consequently, we define a map $\theta$ as follows:

$$\theta :V\to W\mathrm{given}\mathrm{by}\theta \left(\mathit{x}\right)=\mathit{b}+\mathit{x}\mathrm{for}\mathrm{all}\mathit{x}\in V.$$

It is straightforward to see that $\theta$ is one–one. We note that $\left|V\right|=\left|W\right|$ holds, provided that $\theta$ is an onto map. We take $V_0=\left\{\mathbf{0}\right\}$ and $W_0=\left\{\mathit{b}\right\}.$ If ${\mathbb{F}}_2^n=V_0\cup W_0$, then $\theta$ is trivially onto. Next, we assume ${\mathbb{F}}_2^n\ne V_0\cup W_0.$ For $i\ge 1$, let us construct $V_i\subseteq V$ and $W_i\subseteq W$, each having 3 elements. To this end, we claim that $V\ne V_0.$ Let, on the contrary, $V=V_0$, and we take $\mathit{x}\in {\mathbb{F}}_2^n\setminus V_0\cup W_0$. This means that $\mathit{x}\in W$. As $\mathbf{0}\ne \mathit{x}\ne \mathit{b}$ and V contains only a zero element, we deduce that $\mathit{x}$ is not the sum of any two elements from V. However, this is a contradiction to condition $\left(c\right)$. Therefore, our claim holds, i.e., $V\ne V_0$. Let ${\mathit{x}}_1\in V\setminus V_0$. This means that $\mathit{b}+{\mathit{x}}_1\in W$. It follows from condition $\left(c\right)$ that there exist ${\mathit{y}}_1,{\mathit{z}}_1\in V$ satisfying $\mathit{b}+{\mathit{x}}_1={\mathit{y}}_1+{\mathit{z}}_1$. We note that, if ${\mathit{y}}_1={\mathit{x}}_1$, then $\mathit{b}={\mathit{z}}_1\in V$, which is not possible. Similarly, we have that ${\mathit{z}}_1\ne {\mathit{x}}_1$. Moreover, if ${\mathit{y}}_1={\mathit{z}}_1$, then $\mathit{b}={\mathit{x}}_1\in V$, which is again not possible. Consequently, we find that ${\mathit{x}}_1,{\mathit{y}}_1$ and ${\mathit{z}}_1$ are three distinct elements of V. We take $V_1=\{{\mathit{x}}_1,{\mathit{y}}_1,{\mathit{z}}_1\}$ and $W_1=\{\mathit{b}+{\mathit{x}}_1,\mathit{b}+{\mathit{y}}_1,\mathit{b}+{\mathit{z}}_1\}$. We observe that

$$\mathit{b}+{\mathit{x}}_1={\mathit{y}}_1+{\mathit{z}}_1,\mathit{b}+{\mathit{y}}_1={\mathit{z}}_1+{\mathit{x}}_1\mathrm{and}\mathit{b}+{\mathit{z}}_1={\mathit{x}}_1+{\mathit{y}}_1.$$

(14)

If ${\mathbb{F}}_2^n={\cup }_{i=0}^1(V_i\cup W_i)$, then $V={\cup }_{i=0}^1{V}_i$ and $W={\cup }_{i=0}^1{W}_i$ and, therefore, we are done. Otherwise, we have ${\mathbb{F}}_2^n\ne {\cup }_{i=0}^1(V_i\cup W_i)$. At this point, we claim that $V\ne {\cup }_{i=0}^1{V}_i$. Let, on the contrary, $V={\cup }_{i=0}^1{V}_i$ and $\mathit{x}\in {\mathbb{F}}_2^n\setminus {\cup }_{i=0}^1(V_i\cup W_i)$. This means that $\mathit{x}\in W$. Clearly, as $\mathit{x}\notin {\cup }_{i=1}^1{W}_i=\{\mathit{b},\mathit{b}+{\mathit{x}}_1,\mathit{b}+{\mathit{y}}_1,\mathit{b}+{\mathit{z}}_1\}$, (14) allows us to deduce that x cannot be the sum of two elements from $V=\{\mathbf{0},{\mathit{x}}_1,{\mathit{y}}_1,{\mathit{z}}_1\}$. This is a contradiction to condition $\left(c\right)$. Therefore, our claim holds, i.e., $V\ne {\cup }_{i=0}^1{V}_i$. Let ${\mathit{x}}_2\in V\setminus {\cup }_{i=0}^1{V}_i.$ This implies that $\mathit{b}+{\mathit{x}}_2\in W$ and ${\mathit{x}}_2\notin \{\mathbf{0},{\mathit{x}}_1,{\mathit{y}}_1,{\mathit{z}}_1\}$. This guarantees the existence of ${\mathit{y}}_2,{\mathit{z}}_2\in V$, fulfilling $\mathit{b}+{\mathit{x}}_2={\mathit{y}}_2+{\mathit{z}}_2$. If ${\mathit{y}}_2={\mathit{x}}_2$, then $\mathit{b}={\mathit{x}}_2\in V$, which is a contradiction. Similarly, we observe that ${\mathit{z}}_2\ne {\mathit{x}}_2$. Moreover, if ${\mathit{y}}_2={\mathit{z}}_2$, then $\mathit{b}={\mathit{x}}_2\in V$, which is not possible. Consequently, ${\mathit{x}}_2,{\mathit{y}}_2$ and ${\mathit{z}}_2$ are three distinct elements of V. We put $V_2=\{{\mathit{x}}_2,{\mathit{y}}_2,{\mathit{z}}_2\}$ and $W_2=\{\mathit{b}+{\mathit{x}}_2,\mathit{b}+{\mathit{y}}_2,\mathit{b}+{\mathit{z}}_2\}$. Thus, we have the following possibilities:

(i) 

If $V_2$ has an element ${\mathit{x}}_2$ different from the elements of $V_0\cup V_1$, then there exists an element $\mathit{b}+{\mathit{x}}_2\in W_2$ corresponding to the element ${\mathit{x}}_2$ with the condition that $\mathit{b}+{\mathit{x}}_2\notin W_0\cup W_1$. This is because the map $\theta$ is one–one.

(ii) 

If $V_2$ had two (or three) different elements from $V_0\cup V_1$, then, by the same logic, $W_2$ would also have two (or three) different elements from $W_0\cup W_1$.

Thus, with the increase in the index i of $V_i$, we obtain one or two or three elements of ${\mathbb{F}}_2^n$ that are not in the previous $V_i$s. The same is the case with $W_i$s due to the one–one property of $\theta$. Since n is finite, there must exist a $k\in \mathbb{N}$ such that ${\mathbb{F}}_2^n={\cup }_{i=0}^k(V_i\cup W_i)$. Additionally, we note that $\left|{\cup }_{i=0}^k{V}_i\right|=\left|{\cup }_{i=0}^k{W}_i\right|$. This confirms that $\theta$ is onto, which means that $\left|V\right|=\left|W\right|$. Finally, we assume that, for some $\mathit{c},\mathit{d}\in W$, we have $\mathit{b}=\mathit{c}+\mathit{d}$. As $\theta$ is onto, there exist $\mathit{x},\mathit{y}\in V$ such that $\mathit{c}=\mathit{b}+\mathit{x}$ and $\mathit{d}=\mathit{b}+\mathit{y}$. Hence, $\mathit{b}=\mathit{c}+\mathit{d}=\mathit{x}+\mathit{y}$, which goes against the assumption that $\mathit{b}$ is unique. Hence, the result is complete.    □

To conclude this section, we establish the principal result concerning the characterization of a balanced Boolean function.

Proposition 6.

Let $f\in {\mathcal{BLF}}_n$ be such that $f\left(\mathbf{0}\right)=1,$ and there exists a unique element $\mathit{b}\in {\mathbb{F}}_2^n\setminus Supp\left(f\right)$ such that $\mathit{b}\ne \mathit{c}+\mathit{d}$ for all $\mathit{c},\mathit{d}\in Supp\left(f\right).$ Then, f is a balanced Boolean function.

Proof. 

Let $A=Supp\left(f\right)=\{\mathit{x}\in {\mathbb{F}}_2^n:f\left(\mathit{x}\right)=1\},$$B^{\prime }=\{\mathit{b}+\mathit{x}:\mathit{x}\in A\}$ and $B={\mathbb{F}}_2^n\setminus A.$ Then, $\left|A\right|=\left|B^{\prime }\right|$ as $\mathit{b}+{\mathit{x}}_1=\mathit{b}+{\mathit{x}}_2$ if and only if ${\mathit{x}}_1={\mathit{x}}_2.$ Moreover, if there exists $\mathit{y}\in B^{\prime }$ such that $\mathit{y}\in A,$ then $\mathit{b}=\mathit{x}+\mathit{y}$ for some $\mathit{x},\mathit{y}\in A.$ So, there does not exist any $\mathit{y}\in B^{\prime }$ such that $\mathit{y}\in A$. This implies that $B^{\prime }\subseteq B$ and $\left|B^{\prime }\right|\le \left|B\right|.$ If $\left|B^{\prime }\right|=\left|B\right|,$ then clearly f is a balanced function. Otherwise, let $\left|B^{\prime }\right|<\left|B\right|.$ However, then, there exists $\mathit{z}\in B$ such that

$$\mathit{z}\notin B^{\prime }$$

or

$$\mathit{z}\ne \mathit{b}+\mathit{x}\mathrm{for}\mathrm{all}\mathit{x}\in A$$

or

$$\mathit{z}=\mathit{b}+\mathit{t}\mathrm{for}\mathrm{some}\mathit{t}\notin A$$

(since $\mathit{z}=\mathit{b}+\mathit{t}$ for some $\mathit{t}\in {\mathbb{F}}_2^n\mathrm{and},\mathrm{if}\mathit{t}\in A,\mathrm{then}\mathrm{we}\mathrm{have}\mathrm{a}\mathrm{contradiction})$ or

$$\mathit{b}=\mathit{z}+\mathit{t}\mathrm{for}\mathrm{some}\mathit{z},\mathit{t}\in B.$$

However, this is a contradiction to Proposition 5. So, we have $\left|B^{\prime }\right|=\left|B\right|,$ and f is a balanced Boolean function. This completes the proof.    □

5. A Revisit to a Subclass of Affine Equivalent Boolean Functions and the Construction of a Special Kind of Balanced Boolean Function

It has been established in [25,26,27] that affine equivalent Boolean functions (BFs) share important invariance properties, such as non-linearity, autocorrelation, algebraic degrees, and the absence of unit linear structures. Therefore, identifying criteria for affine equivalence or developing efficient tools to characterize such equivalence is a significant aspect of Boolean function analysis. Several criteria for determining affine equivalence have been discussed in the literature [9]. In this section, one of our aims is to revisit these criteria and derive them through alternative and simpler approaches. Specifically, we construct a subclass of affine equivalent BFs and demonstrate that all members of this subclass preserve the properties mentioned above. Consequently, from the perspective of affine equivalence, we offer new and simplified proofs of known results.

Non-quadratic balanced Boolean functions with no linear structure where the derivative equals 1 are known to have significant applications in cryptography [9,22]. For quadratic functions, it is both necessary and sufficient that $f\in {\mathcal{BLF}}_n^1$ for f to be balanced, as shown in [9]. However, for non-quadratic BFs, this condition remains sufficient but not necessary. To construct a non-quadratic Boolean function f such that $f\in {\mathcal{BLF}}_n^1$, we consider a non-quadratic function g defined over $n-1$ variables and choose a hyperplane $\mathrm{H}\subset {\mathbb{F}}_2^n$. We then define a linear bijection $\varphi :\mathrm{H}\to {\mathbb{F}}_2^{n-1}$ and construct f on $\mathrm{H}$ using $f\left(\mathit{x}\right)=g\left(\varphi \right(\mathit{x}\left)\right)$. The values of f on the rest of ${\mathbb{F}}_2^n$ are then extended by defining $f(\mathit{x}+\mathit{b})=f\left(\mathit{x}\right)+1$ for every $\mathit{x}\in \mathrm{H}$, where $\mathit{b}$ is not in the direction of $\mathrm{H}$. This yields a balanced function that lies in ${\mathcal{BLF}}_n^1$.

On the other hand, to the best of our knowledge, no construction is known in the literature for a non-quadratic balanced Boolean function f satisfying $f\notin {\mathcal{BLF}}_n^1$. Therefore, another objective of this section is to present an algorithm that generates such functions—that is, non-quadratic balanced Boolean functions without any unit linear structure at which the derivative equals 1.

Before this, let us define some new terms that are necessary to comprehend our findings. For any $\mathcal{A}\subseteq {\mathbb{F}}_2^n,$ let $matrix\left(\mathcal{A}\right)$ be the matrix of order $\left|\mathcal{A}\right|\times n,$ obtained by assuming the elements of $\mathcal{A}$ as a row in lexicographic order, where bits with greater significance are placed towards the right. Let $set\left(\mathcal{B}\right)$ be the set of all rows of matrix $\mathcal{B}.$ If $f\in {\mathcal{BLF}}_n$ and H is any square matrix of order n over ${\mathbb{F}}_2$, then, by $f_H$, we mean the $n-$variable Boolean function with $Supp\left(f_H\right)=\mathrm{set}(\mathrm{matrix}\left(Supp\left(f\right)\right)⊠H)$ (and ⊠ is the matrix product). From this point on, we call this $f_H$ the H equivalent of f. Additionally, in the following part of this article, by ${\mathcal{E}}_{f}H$, we mean the set of rows of matrix $\left({\mathcal{E}}_f\right)⊠H.$ We begin the section by showing that, for any $f\in {\mathcal{BLF}}_n$ and $H\in \mathcal{GL}(n,{\mathbb{F}}_2),$ f and $f_H$ have the same non-linearity.

5.1. Novel Results on Affine Equivalence of Boolean Functions

In this subsection, we revisit known results on the cryptographic properties of Boolean functions and derive them using alternative and simpler approaches.

Theorem 6.

For any Boolean function $f\in {\mathcal{BLF}}_n$ and $H\in \mathcal{GL}(n,{\mathbb{F}}_2)$, there holds $\mathcal{NL}\left(f\right)=\mathcal{NL}\left(f_H\right)$, where $\mathcal{NL}\left(f\right)$ is the same as defined in Definition 5.

Proof. 

In order to prove that $\mathcal{NL}\left(f\right)=\mathcal{NL}\left(f_H\right)$ for any Boolean function $f\in {\mathcal{BLF}}_n$ and $H\in \mathcal{GL}(n,{\mathbb{F}}_2)$, it is sufficient to give the following statements:

(a)

If $f\in {\mathcal{A}}_n$, then $f_H\in {\mathcal{A}}_n$ for all $H\in \mathcal{GL}(n,{\mathbb{F}}_2);$

(b)

If $dis(f,\tilde{f})=t$ for some $\tilde{f}\in {\mathcal{BLF}}_n$ and $f\in {\mathcal{A}}_n,$ then $dis(f_H,{\tilde{f}}_H)=t$ for all $H\in \mathcal{GL}(n,{\mathbb{F}}_2)$.

Let us begin by proving statement $\left(a\right)$. Suppose that $f\in {\mathcal{A}}_n$ is a linear function and $f\left(\mathit{x}\right)=a⊠{\mathit{x}}^t$ for some $\mathit{a}\in {\mathbb{F}}_2^n$ (here, ${\mathit{x}}^t$ is a transpose of $\mathit{x}=(x_1,x_2,\dots ,x_n)\in {\mathbb{F}}_2^n$). Let matrix $\left(Supp\left(f\right)\right)={\mathcal{A}}_{2^{n-1}\times n}$ (or simply $\mathcal{A}$) and $H\in \mathcal{GL}(n,{\mathbb{F}}_2)$. Then, there exists some Boolean function g such that $Supp\left(g\right)=\mathrm{set}(\mathcal{A}⊠H).$ Consider $h\left(\mathit{x}\right)=(\mathit{a}⊠{\left(H^t\right)}^{-1})⊠{\mathit{x}}^t\in {\mathcal{BLF}}_n.$ At this point, we claim that $g=h$ or $Supp\left(h\right)=\mathrm{set}(\mathcal{A}⊠H)$. To prove our claim, we consider $\mathit{y}\in Supp\left(h\right)$. This means that $\mathit{a}⊠{\left(H^t\right)}^{-1}⊠{\mathit{y}}^t=1=\mathit{a}⊠\left[{(y⊠H^{-1})}^t\right]$. Consequently, $y⊠H^{-1}\in Supp\left(f\right)$, which further implies that $y⊠H^{-1}$ is a row of $\mathcal{A}$. In other words, we deduce that y is a matrix multiplication of a row of $\mathcal{A}$ with H. From this, we conclude that $y\in \mathrm{set}(\mathcal{A}⊠H)$. So, we have shown that $Supp\left(h\right)\subseteq \mathrm{set}(\mathcal{A}⊠H)$.

The reverse direction, i.e., $\mathrm{set}(\mathcal{A}⊠H)\subseteq Supp\left(h\right)$, can be proven along similar lines. Hence, our claim holds, i.e.,  $\mathrm{set}(\mathcal{A}⊠H)=Supp\left(h\right)$. The proof of statement $\left(a\right)$ will be completed if we show that $f_H\in {\mathcal{A}}_n$ for all $H\in \mathcal{GL}(n,{\mathbb{F}}_2)$, where $f\left(\mathit{x}\right)\in {\mathcal{A}}_n$ is of the form $f\left(x\right)=a⊠{\mathit{x}}^t\oplus 1$. We remark that its proof is similar to the case when $f\left(x\right)$ is of the form $f\left(\mathit{x}\right)=a⊠{\mathit{x}}^t$.

Next, we give the proof of statement (b). It is straightforward to note that statement $\left(b\right)$ holds if we prove that, for all $\tilde{f},f\in {\mathcal{BLF}}_n$, there holds ${\mathfrak{W}}_{\mathcal{H}}(f\oplus \tilde{f})={\mathfrak{W}}_{\mathcal{H}}(f_H\oplus {\tilde{f}}_H)$, where $H\in \mathcal{G}\mathcal{L}(n,{\mathbb{F}}_2)$ is arbitrary. Since ${\mathfrak{W}}_{\mathcal{H}}(f\oplus \tilde{f})=\left|Supp(f\oplus \tilde{f})\right|=\left|Supp{(f\oplus \tilde{f})}_H\right|$ for any $H\in \mathcal{G}\mathcal{L}(n,{\mathbb{F}}_2)$, statement $\left(b\right)$ holds, provided that $\left|Supp{(f\oplus \tilde{f})}_H\right|=\left|Supp(f_H\oplus {\tilde{f}}_H)\right|$ for any $H\in \mathcal{G}\mathcal{L}(n,{\mathbb{F}}_2)$.

To see this, let H be an arbitrary but fixed element of $\mathcal{G}\mathcal{L}(n,{\mathbb{F}}_2)$. We may write H as

$$H=\left[\begin{array}{ccc}\hfill ¯\hfill & \hfill R_1\hfill & ¯\\ \hfill ¯\hfill & \hfill R_2\hfill & ¯\\ \hfill \hfill & \hfill ⋮\hfill & \\ \hfill ¯\hfill & \hfill R_{\mathrm{n}}\hfill & ¯\end{array}\right],$$

where $R_1,R_2,\dots ,R_n$ are rows of $H.$ Let $\mathit{x}\in Supp{(f\oplus \tilde{f})}_H$. This in turn guarantees the existence of an element $\mathit{y}=(y_1,y_2,\dots ,y_n)\in Supp(f\oplus \tilde{f})$ fulfilling

$$y_1{R}_1+y_2{R}_2+\cdots +y_n{R}_n=\mathit{x}.$$

Since $\mathit{y}\in Supp(f\oplus \tilde{f})$, we conclude that either $(f\left(\mathit{y}\right),\tilde{f}\left(\mathit{y}\right))=(0,1)$ or $(f\left(\mathit{y}\right),\tilde{f}\left(\mathit{y}\right))=(1,0).$ Without loss of generality, we may suppose that $(f\left(\mathit{y}\right),\tilde{f}\left(\mathit{y}\right))=(0,1)$. This allows us to deduce that $\mathit{x}=y_1{R}_1+y_2{R}_2+\cdots +y_n{R}_n\notin Supp\left(f_H\right)$ and $\mathit{x}=y_1{R}_1+y_2{R}_2+\cdots +y_n{R}_n\in Supp\left({\tilde{f}}_H\right).$ Consequently, we have $Supp{(f\oplus \tilde{f})}_H\subseteq Supp(f_H\oplus {\tilde{f}}_H).$ We remark that the reverse part of the proof, i.e., $Supp(f_H\oplus {\tilde{f}}_H)\subseteq Supp{(f\oplus \tilde{f})}_H$, can be obtained by reversing the steps of the proof of $Supp{(f\oplus \tilde{f})}_H\subseteq Supp(f_H\oplus {\tilde{f}}_H).$ This completes the proof of statement $\left(b\right)$, as well as that of the theorem.    □

Next, in Theorem 7, we prove a result about the algebraic degrees of a Boolean function and its H equivalent. Before this, we discuss two results in the form of Propositions 7 and 8, which will be used in the proof of Theorem 7.

Proposition 7.

Let $\{{\mathit{h}}_1,{\mathit{h}}_2,\dots ,{\mathit{h}}_d\}\subseteq {\mathbb{F}}_2^n$ be a linearly independent set over ${\mathbb{F}}_2$. Suppose that

$$\mathfrak{R}[x_1,x_2,\dots ,x_n]={\displaystyle \frac{{\mathbb{F}}_2[x_1,x_2,\dots ,x_n]}{〈x_1^2-x_1,x_2^2-x_2,\cdots ,x_n^2-x_n〉}}$$

and $\mathit{x}=(x_1,x_2,\dots ,x_n)\in {\mathfrak{R}}^n$. Then, viewing $(\mathit{x}·{\mathit{h}}_1)(\mathit{x}·{\mathit{h}}_2)\cdots (\mathit{x}·{\mathit{h}}_d)$ as a polynomial in $\mathfrak{R}$, there holds

$$deg((\mathit{x}·{\mathit{h}}_1)(\mathit{x}·{\mathit{h}}_2)\dots (\mathit{x}·{\mathit{h}}_d))=d.$$

Proof. 

First, since each $\mathit{x}·{\mathit{h}}_j$ is a linear polynomial, multiplying d of these linear polynomials results in the polynomial with maximum degree d. Secondly, since $\{{\mathit{h}}_1,{\mathit{h}}_2,\dots ,{\mathit{h}}_d\}$ is a linearly independent set of vectors, the matrix obtained by assuming ${\mathit{h}}_1,{\mathit{h}}_2,\dots ,{\mathit{h}}_d$ as rows over ${\mathbb{F}}_2$ has rank d. Thus, there exist indices $i_1,i_2,\dots ,i_d$ for which the sub-matrix

$$D=\left[\begin{array}{cccc}{h}_{1,i_1}& h_{1,i_2}& \dots & h_{1,i_d}\\ h_{2,i_1}& h_{2,i_2}& \dots & h_{2,i_d}\\ ⋮& ⋮& ⋮& ⋮\\ h_{d,i_1}& h_{d,i_2}& \dots & h_{d,i_d}\end{array}\right]$$

is non-singular over ${\mathbb{F}}_2$. In particular, $det\left(D\right)=1$. Since $x_{i_1}{h}_{j,i_1}+x_{i_2}{h}_{j,i_2}+\cdots +x_{i_d}{h}_{j,i_d}$ is a sub-polynomial in $(\mathit{x}·{\mathit{h}}_j)$ for all $1\le j\le d$, it is easy to observe that $(x_{i_1}{x}_{i_2}\dots x_{i_d})det\left(D\right)$ is a sub-polynomial in $(\mathit{x}·{\mathit{h}}_1)(\mathit{x}·{\mathit{h}}_2)\cdots (\mathit{x}·{\mathit{h}}_d)$. Hence, $x_{i_1}{x}_{i_2}\dots x_{i_d}$ is a monomial in $(\mathit{x}·{\mathit{h}}_1)(\mathit{x}·{\mathit{h}}_2)\cdots (\mathit{x}·{\mathit{h}}_d)$. This completes the proof.    □

Proposition 8.

Let $f\in {\mathcal{BLF}}_n$ and let $Supp\left(f\right)=\{\mathit{x}\in {\mathbb{F}}_2^n:f\left(\mathit{x}\right)=1\}$ be its support. Then, for all $\mathit{x}\in {\mathbb{F}}_2^n$, we have

$$f_H\left(\mathit{x}\right)=f\left(\mathit{x}⊠H^{-1}\right).$$

(15)

Proof. 

Since, for any $\mathit{x}\in {\mathbb{F}}_2^n,f_H\left(\mathit{x}\right)=1$ holds, if and only if $\mathit{x}\in Supp\left(f_H\right)$, if and only if $\mathit{x}\in matrix\left(Supp\right(f\left)\right)⊠H$, if and only if $\mathit{x}⊠H^{-1}\in Supp\left(f\right)$, if and only if $f(\mathit{x}⊠H^{-1})=1$. Hence, the proof is complete.    □

Remark 1.

It is clear from Proposition 8 that f and $f_H$ have the same autocorrelation as

$${\mathcal{C}}_{f_H}\left(\mathit{b}\right)=\sum _{\mathit{x}\in {\mathbb{F}}_2^n}{(-1)}^{{\mathcal{D}}_{\mathit{b}}{f}_H\left(\mathit{x}\right)}=\sum _{\mathit{x}\in {\mathbb{F}}_2^n}{(-1)}^{f(\mathit{x}⊠H^{-1})\oplus f(\mathit{x}⊠H^{-1}+\mathit{b}⊠H^{-1})}={\mathcal{C}}_f(\mathit{b}⊠H^{-1}).$$

So, we have ${\mathcal{AC}}_f=\underset{\mathit{b}\in {\mathbb{F}}_2^n\setminus \mathbf{0}}{max}\left|{\mathcal{C}}_f\left(\mathit{b}\right)\right|={\mathcal{AC}}_{f_H}.$

Theorem 7.

For any Boolean function $f\in {\mathcal{BLF}}_n$ and $H\in \mathcal{GL}(n,{\mathbb{F}}_2)$, ${\mathcal{ALG}}_d\left(f\right)={\mathcal{ALG}}_d\left(f_H\right)$.

Proof. 

Assuming that ${\mathcal{ALG}}_d\left(f\right)=d$, our aim is to show that ${\mathcal{ALG}}_d\left(f_H\right)=d$. For this, without loss of generality, we assume that $x_1{x}_2\dots x_d$ is a monomial in the algebraic normal form of f. By following Proposition 8, we note that

$$f_H(x_1,x_2,\dots ,x_n)=f\left((x_1{x}_2\dots x_n)⊠H^{-1}\right)=f\left(\mathit{x}⊠H^{-1}\right).$$

(16)

Let the columns of the matrix $H^{-1}$ be ${\mathit{h}}_1,{\mathit{h}}_2,\dots ,{\mathit{h}}_n$. Clearly, the set of all these columns is linearly independent over ${\mathbb{F}}_2$. In particular, the first d columns, namely ${\mathit{h}}_1,{\mathit{h}}_2,\dots ,{\mathit{h}}_d$, are also linearly independent over ${\mathbb{F}}_2$. It follows from (16) that

$$f_H(x_1,x_2,\dots ,x_n)=f\left(\mathit{x}·{\mathit{h}}_1,\mathit{x}·{\mathit{h}}_2,\dots ,\mathit{x}·{\mathit{h}}_n\right).$$

(17)

By assumption, the monomial $x_1{x}_2\dots x_d$ is in the algebraic normal form of f; therefore, (17) implies that the monomial $(\mathit{x}·{\mathit{h}}_1)(\mathit{x}·{\mathit{h}}_2)\cdots (\mathit{x}·{\mathit{h}}_d)$ is in the algebraic normal form of $f_H$. Therefore, it follows by Proposition 7 that the degree of $(\mathit{x}·{\mathit{h}}_1)(\mathit{x}·{\mathit{h}}_2)\cdots (\mathit{x}·{\mathit{h}}_d)$ and hence the algebraic degree of $f_H$ is d. Conversely, we assume that $f_H=g$. Thus, $f=g_{H^{-1}}$, and the result follows as above.    □

Next, we examine how the set of linear structures of f relates to its H-equivalent counterpart through the upcoming proposition and theorem.

Proposition 9.

For a Boolean function $f\in {\mathcal{BLF}}_n$ and $H\in \mathcal{GL}(n,{\mathbb{F}}_2)$, we have ${\mathcal{E}}_{f_H}={\mathcal{E}}_{f}H$.

Proof. 

We have $\mathit{a}\in {\mathcal{E}}_{f_H}$ if and only if $D_{\mathit{a}}{f}_H\left(\mathit{x}\right)=c$ for every $\mathit{x}\in {\mathbb{F}}_2^n$, where c is some constant. The latter holds if and only if $f_H\left(\mathit{x}\right)\oplus f_H(\mathit{a}+\mathit{x})=c$ for every $\mathit{x}\in {\mathbb{F}}_2^n$, if and only if $f(\mathit{x}⊠H^{-1})\oplus f(\mathit{a}⊠H^{-1}+\mathit{x}⊠H^{-1})=c$ for every $\mathit{x}\in {\mathbb{F}}_2^n$; equivalently, $f\left(\mathit{x}\right)\oplus f(\mathit{a}⊠H^{-1}+\mathit{x})=c$ for every $\mathit{x}\in {\mathbb{F}}_2^n$. This holds if and only if $D_{\mathit{a}⊠H^{-1}}f\left(\mathit{x}\right)=c$ for every $\mathit{x}\in {\mathbb{F}}_2^n$, which means that $\mathit{a}⊠H^{-1}\in {\mathcal{E}}_f$ or $\mathit{a}\in {\mathcal{E}}_{f}H$. This completes the proof.    □

Theorem 8.

For any Boolean function $f\in {\mathcal{BLF}}_n$, if f is constant on ${\mathcal{E}}_f$, then $f_H$ is constant on ${\mathcal{E}}_{f_H}$.

Proof. 

Let f be constant on ${\mathcal{E}}_f$. Then, for any $\mathit{x}\ne \mathit{y}\in {\mathcal{E}}_{f_H}$, we have $f_H\left(\mathit{x}\right)=f_H\left(\mathit{y}\right)$ if and only if

$$f(\mathit{x}⊠H^{-1})=f(\mathit{y}⊠H^{-1}).$$

(18)

Using Proposition 9, $\mathit{x}={\mathit{x}}^{\prime }⊠H$ and $\mathit{y}={\mathit{y}}^{\prime }⊠H$ for some ${\mathit{x}}^{\prime }$ and ${\mathit{y}}^{\prime }\in {\mathcal{E}}_f$ in (18) to attain that $f\left({\mathit{x}}^{\prime }\right)=f\left({\mathit{y}}^{\prime }\right)$, and this is vacuously true. This completes the proof.    □

5.2. Construction of NQBBFs

Now, we discuss an algorithm for the construction of non-quadratic balanced BFs that have no linear structure at which the derivative is equal to 1. It can be readily observed that the construction of such BFs is equivalent to finding a subset $\mathcal{B}$ of ${\mathbb{F}}_2^n$ such that $\mathcal{B}\cap (b+\mathcal{B})\ne \varnothing$ for every $b\in {\mathbb{F}}_2^n$ and $\left|\mathcal{B}\right|=2^{n-1}.$ Let us denote ${}^{*}\mathbb{F}_2^n={\mathbb{F}}_2^n\setminus \mathbf{0}$.   

Claim: 

The set $\mathcal{B}$ constructed in the above algorithm satisfies the desired property, i.e., $\mathcal{B}\cap (b+\mathcal{B})\ne \varnothing$ for every $b\in {\mathbb{F}}_2^n$.

Proof. 

Suppose, on the contrary, that there exists a $b\in {\mathbb{F}}_2^n$ such that $(b+\mathcal{B})\cap \mathcal{B}=\varnothing$. This means that $(b+\mathcal{B})\cup \mathcal{B}={\mathbb{F}}_2^n$, since $\left|B\right|=2^{n-1}$. Therefore, either $b\in \mathcal{B}$ or $b\in b+\mathcal{B}$. In the latter case, i.e., if $b\in b+\mathcal{B}$, then $0\in \mathcal{B}$, which, by construction, is never possible. Hence, $b\in \mathcal{B}$, but this implies that $b=a_1+a_2$ for some $a_1,a_2\notin \mathcal{B}$. Equivalently, $b=a_1+a_2$ for some $a_1,a_2\in {}^{*}\mathbb{F}_2^n\setminus \mathcal{B}$ or, in fact, $b=a_1+a_2$ for some $a_1,a_2\in (b+\mathcal{B})\setminus \mathbf{0}.$ However, this further implies that $b=a_1+a_3+b$ for some $a_1\in (b+\mathcal{B})\setminus \mathbf{0}$ and $a_3\in \mathcal{B}$ (we explicitly write $a_2=a_3+b$ and keep $a_1$ as it is). Consequently, $a_1+a_3=\mathbf{0}$$\Rightarrow a_1=a_3$ for $a_1\in b+\mathcal{B}\setminus \mathbf{0}$ and $a_3\in \mathcal{B},$ which is a contradiction as $(b+\mathcal{B})\cap \mathcal{B}=\varnothing .$ This proves the claim. Therefore, $\mathcal{B}\cap (b+\mathcal{B})\ne \varnothing$ for every $b\in {\mathbb{F}}_2^n$.    □

Example 3

(Construction of a Non-Quadratic Balanced Boolean Function for $n=4$). We illustrate Algorithm 2 by constructing a non-quadratic balanced Boolean function (NQBBF) on ${\mathbb{F}}_2^4$ with no linear structure where the derivative equals 1. The set $\mathcal{B}\subset {\mathbb{F}}_2^4$ is constructed to satisfy $\mathcal{B}\cap (b+\mathcal{B})\ne \varnothing$ for all $b\in {\mathbb{F}}_2^4$ and $\left|\mathcal{B}\right|=2^{4-1}=8$.

• Let ${\mathbb{F}}_2^4$ be the ambient space with $2^4=16$ elements, and ${}^{*}\mathbb{F}_2^4={\mathbb{F}}_2^4\setminus \left\{(0,0,0,0)\right\}$.
• Initialization: Select $x_1=(0,0,1,1)$, $y_1=(0,1,1,0){\in }^{*}{\mathbb{F}}_2^4$. Compute $z_1=x_1+y_1=(0,0,1,1)+(0,1,1,0)=(0,1,0,1)$. Set $A_1=\{(0,0,1,1),(0,1,1,0),(0,1,0,1)\}$ and

  $$\mathcal{B}=\left\{\right(0,1,0,1\left)\right\}.$$
• Iteration 1: Choose $x_2=(1,0,0,1)$, $y_2=(0,0,0,1){\in }^{*}{\mathbb{F}}_2^4\setminus \mathcal{B}$. Compute $z_2=x_2+y_2=(1,0,0,1)+(0,0,0,1)=(1,0,0,0)\notin A_1$. Update $A_2=\{(1,0,0,1),(0,0,0,1),(1,0,0,0)\}\cup A_1$,

  $$\mathcal{B}=\left\{\right(0,1,0,1\left)\right(1,0,0,0\left)\right\}.$$
• Iteration 2: Choose $x_3=(1,1,1,0)$, $y_3=(0,0,1,0){\in }^{*}{\mathbb{F}}_2^4\setminus \mathcal{B}$. Compute $z_3=x_3+y_3=(1,1,1,0)+(0,0,1,0)=(1,1,0,0)\notin A_2$. Update $A_3=\{(1,1,1,0),(0,0,1,0),(1,1,0,0)\}\cup A_2$,

  $$\mathcal{B}=\left\{\right(0,1,0,1),(1,0,0,0),(1,1,0,0\left)\right\}.$$
• Iteration 3: Choose $x_4=(1,0,1,0)$, $y_4=(0,1,0,0){\in }^{*}{\mathbb{F}}_2^4\setminus \mathcal{B}$. Compute $z_4=x_4+y_4=(1,0,1,0)+(0,1,0,0)=(1,1,1,0)\notin A_3$. Update $A_4=\{(1,0,1,0),(0,1,0,0),(1,1,1,0)\}\cup A_3$,

  $$\mathcal{B}=\left\{\right(0,1,0,1),(1,0,0,0),(1,1,0,0),(1,1,1,0\left)\right\}.$$
• Iteration 4: Choose $x_5=(1,0,1,1)$, $y_5=(0,0,0,1){\in }^{*}{\mathbb{F}}_2^4\setminus \mathcal{B}$. Compute $z_5=x_5+y_5=(1,0,1,1)+(0,0,0,1)=(1,0,1,0)\notin A_4$. Update $A_5=\{(1,0,1,1),(0,0,0,1),(1,0,1,0)\}\cup A_4$,

  $$\mathcal{B}=\left\{\right(0,1,0,1),(1,0,0,0),(1,1,0,0),(1,1,1,0),(1,0,1,0\left)\right\}.$$
• Iteration 5: Choose $x_6=(0,1,1,1)$, $y_6=(0,0,1,1){\in }^{*}{\mathbb{F}}_2^4\setminus \mathcal{B}$. Compute $z_6=x_6+y_6=(0,1,1,1)+(0,0,1,1)=(0,1,0,0)\notin A_5$. Update $A_6=\{(0,1,1,1),(0,0,1,1),(0,1,0,0)\}\cup A_5$,

  $$\mathcal{B}=\left\{\right(0,1,0,1),(1,0,0,0),(1,1,0,0),(1,1,1,0),(1,0,1,0),(0,1,0,0\left)\right\}.$$
• Iteration 6: Choose $x_7=(1,1,0,1)$, $y_7=(0,0,1,0){\in }^{*}{\mathbb{F}}_2^4\setminus \mathcal{B}$. Compute $z_7=x_7+y_7=(1,1,0,1)+(0,0,1,0)=(1,1,1,1)\notin A_6$. Update $A_7=\{(1,1,0,1),(0,0,1,0),(1,1,1,1)\}\cup A_6$,

  $$\mathcal{B}=\left\{\right(0,1,0,1),(1,0,0,0),(1,1,0,0),(1,1,1,0),(1,0,1,0),(0,1,0,0),(1,1,1,1\left)\right\}.$$
• Iteration 7: Choose $x_8=(0,1,1,0)$, $y_8=(0,1,0,1){\in }^{*}{\mathbb{F}}_2^4\setminus \mathcal{B}$. Compute $z_8=x_8+y_8=(0,1,1,0)+(0,1,0,1)=(0,0,1,1)\notin A_7$. Update $A_8=\{(0,1,1,0),(0,1,0,1),(0,0,1,1)\}\cup A_7$,

  $$\begin{array}{cc}\hfill \mathcal{B}=& \left\{\right(0,1,0,1),\hfill \\ & (1,0,0,0),\hfill \\ & (1,1,0,0),\hfill \\ & (1,1,1,0),\hfill \\ & (1,0,1,0),\hfill \\ & (0,1,0,0),\hfill \\ & (1,1,1,1),\hfill \\ & (0,0,1,1)\}.\hfill \end{array}$$
• Balancedness: The set $\mathcal{B}$ has $\left|\mathcal{B}\right|=8=2^{4-1}$, confirming that the Boolean function with support $\mathcal{B}$ is balanced.
• No Linear Structure: For each $b\in {\mathbb{F}}_2^4\setminus \left\{(0,0,0,0)\right\}$, verify that $\mathcal{B}\cap (b+\mathcal{B})\ne \varnothing$. For example, for $b=(1,0,0,0)$, compute

  $$\begin{array}{cc}\hfill b+\mathcal{B}=& \left\{\right(1,1,0,1),(0,0,0,0),(0,1,0,0),(0,1,1,0),\hfill \\ & (0,0,1,0),(1,1,0,0),(0,1,1,1),(1,0,1,1)\},\hfill \end{array}$$

  and $\mathcal{B}\cap (b+\mathcal{B})=\left\{\right(1,1,0,0\left)\right\}\ne \varnothing$. Similar checks for all other $b{\in }^{*}{\mathbb{F}}_2^4$ confirm that the property holds, ensuring that no linear structure exists where the derivative is 1.
• Non-Quadratic Property: The Boolean function f with support $\mathcal{B}$ has an algebraic normal form (ANF) with terms of degree at least 3. For instance, the vector $(0,1,0,1)\in \mathcal{B}$ contributes a monomial $x_2{x}_4$ (degree 2), but combinations of vectors in $\mathcal{B}$ (e.g., via the Möbius Transform) yield higher-degree terms, such as $x_1{x}_2{x}_3$ from interactions among $(1,1,1,0)$, $(1,1,1,1)$, and others. The maximum degree is 3, confirming that f is non-quadratic.
  Thus, the constructed $\mathcal{B}$ defines an NQBBF on ${\mathbb{F}}_2^4$ satisfying all required properties.

Algorithm 2 Construction of a set $\mathcal{B}\subset {\mathbb{F}}_2^n$ with property $\mathcal{B}\cap (b+\mathcal{B})\ne \varnothing ,$ for every $b\in {\mathbb{F}}_2^n$ and $\left|\mathcal{B}\right|=2^{n-1}$

INPUT: An integer n 1: Let $A_1=\{x_1,y_1\}\subset {}^{*}\mathbb{F}_2^n$ be a random set with $\left|A_1\right|=2$. Compute $x_1+y_1$ and append this with $A_1$. Thus, $A_1\to \{x_1,y_1,x_1+y_1\}$. 2: Initialize: $\mathcal{B}\to \{x_1+y_1\}$. 3: Let $A_2=\{x_2,y_2\}\subset {}^{*}\mathbb{F}_2^n\setminus \mathcal{B}$ be a random set such that $x_2+y_2\notin A_1$ and $\left|A_2\right|=2$. Append $x_2+y_2$ and elements of $A_1$ with $A_2$. Thus, $A_2\to \{x_2,y_2,x_2+y_2\}\cup A_1$. 4: Update $\mathcal{B}\to \mathcal{B}\cup \{x_2+y_2\}$. 5: While $\left|\mathcal{B}\right|<2^{n-1}$:      $A\to A\cup A_2$      $A_3=\{x_3,y_3\}\subset {}^{*}\mathbb{F}_2^n\setminus \mathcal{B}$ be a random set such that $x_3+y_3\notin A_2$ and $\left|A_3\right|=2$. Append $x_3+y_3$       and elements of $A_2$ with $A_3$.       $A_3\to \{x_3,y_3,x_3+y_3\}\cup A_2$       $\mathcal{B}\to \mathcal{B}\cup \{x_3+y_3\}$ OUTPUT: $\mathcal{B}$.

5.3. Computational Complexity and Performance Evaluation

The proposed algorithm incrementally constructs a subset $\mathcal{B}\subset {\mathbb{F}}_2^n$ of size $2^{n-1}$ such that, for every $b\in {\mathbb{F}}_2^n$, the intersection $\mathcal{B}\cap (\mathcal{B}+b)$ is non-empty. Each iteration involves selecting random pairs $(x_i,y_i)$ from ${}^{*}\mathbb{F}_2^n$, computing their sum $x_i+y_i$, and validating the newly formed element against the accumulated sets to avoid repetition. Since only one new element is added to $\mathcal{B}$ per iteration, the total number of iterations grows linearly with $\left|\mathcal{B}\right|=2^{n-1}$.

The primary computational cost lies in generating random, valid pairs and checking their admissibility against the previously accumulated elements. As a result, the expected time complexity of the algorithm is $\mathcal{O}(2^n·T_{\mathrm{pair-check}})$, where $T_{\mathrm{pair-check}}$ denotes the average time needed to find a suitable, non-redundant pair at each iteration.

The space complexity is determined by the storage required for three dynamic sets: $\mathcal{B}$, the set of previously seen pairs, and the remaining unused elements of ${\mathbb{F}}_2^n$. Each of these has at most $\mathcal{O}\left(2^n\right)$ elements, leading to the overall space complexity of $\mathcal{O}\left(2^n\right)$.

Importantly, to the best of our knowledge, this algorithm is the first in the literature to construct non-quadratic balanced Boolean functions with the additional constraint that no linear structure exists at which the derivative is equal to one. While its growth in complexity is exponential, this is expected due to the underlying combinatorial hardness of the imposed constraint. Nevertheless, the algorithm remains practically valuable for moderate values of n and provides a foundational step toward the structured generation of cryptographically relevant Boolean functions.

To evaluate its practical viability, the algorithm was implemented in SageMath and tested on functions of varying dimensions. The results, shown in

Table 2. Execution time and space usage for construction of non-quadratic balanced Boolean functions (NQBBFs) without linear structure at which derivative equals one.

Variables (n)	Size of $\mathcal{B}$	Time (s)	Space Usage (Approx.)	Sample Elements from $\mathcal{B}$
4	8	0.003	∼20 entries	{(0,1,1,1), (1,0,0,0), (0,0,0,1), …}
5	16	0.008	∼40 entries	{(1,1,0,0,1), (0,1,1,1,0), (0,0,0,0,1), …}
6	32	0.15	∼100 entries	{(1,0,1,1,0,0), (0,1,0,1,1,1), (1,1,0,0,0,1), …}
7	64	0.90	∼200 entries	{(1,1,1,0,1,0,1), (0,0,1,1,1,1,0), (1,0,0,0,0,1,1), …}
8	128	5.40	∼400 entries	{(0,1,1,1,0,0,1,0), (1,1,0,1,1,1,1,1), (0,0,0,0,1,0,1,1), …}

System Specifications: (1) Processor: Intel(R) Core(TM) i5-8300H CPU @ 2.30 GHz, 4 Cores, 8 Logical Processors; (2) RAM: 8 GB; (3) System Type: x64-based PC; (4) System Model: Dell G3 3579.

, include both runtime measurements and sample elements of the generated subset $\mathcal{B}$. Since the algorithm uses randomized pair selection, the reported times reflect average-case behavior. Experiments were conducted on a general-purpose computing platform with the given hardware configuration to ensure reproducibility and context for the measured performance.

6. Conclusions

In this paper, we have discussed results regarding the algebraic degrees of Boolean functions and proposed an algorithm to directly compute the algebraic degree from the truth table without requiring its algebraic normal form. Furthermore, we have studied a number of important properties concerning the support of balanced Boolean functions and offered new tools for the analysis of balancedness in the absence of certain linear structures. Additionally, the class of affine equivalent Boolean functions has been revisited through a novel, non-exhaustive approach, offering simplified proofs for several classical results. Moreover, we propose an algorithm to construct non-quadratic balanced Boolean functions (NQBBFs) that do not admit any unit linear structure at which the derivative equals 1. To the best of our knowledge, this is the first known algorithm in the literature that guarantees such a construction. We also implemented the algorithm in SageMath and provide empirical results to demonstrate its practical effectiveness for moderate values of n. Although the proposed algorithm for constructing NQBBFs achieves the desired combinatorial properties, its current time complexity remains exponential in n. As a direction for future research, it would be valuable to investigate whether such Boolean functions can be constructed through a more efficient, possibly polynomial-time method. Developing a theoretical framework or heuristic to reduce the computational burden while preserving the intersection property would constitute a significant contribution to the field.