IEEE TRANSACTIONS ON INFORMATION THEORY, VOL.55, NO.12, PP. 5822-5831, DECEMBER 2009
1
Constructions of Almost Optimal Resilient Boolean
Functions on Large Even Number of Variables
Wei-Guo Zhang, Member, IEEE, and Guo-Zhen Xiao
Abstract—In this paper, a technique on constructing nonlinear
resilient Boolean functions is described. By using several sets
of disjoint spectra functions on a small number of variables,
an almost optimal resilient function on a large even number
of variables can be constructed. It is shown that given any m,
one can construct infinitely many n-variable (n even), m-resilient
functions with nonlinearity > 2n−1 −2n/2 . A large class of highly
nonlinear resilient functions which were not known are obtained.
Then one method to optimize the degree of the constructed
functions is proposed. Last, an improved version of the main
construction is given.
2)
Index Terms—Algebraic degree, Boolean function, disjoint
spectra functions, nonlinearity, resiliency, stream cipher.
I. I NTRODUCTION
Boolean functions are used as nonlinear combiners or
nonlinear filters in certain models of stream cipher systems. In
the design of cryptographic Boolean functions, there is a need
to consider a multiple number of criteria simultaneously. The
widely accepted criteria are balancedness, high nonlinearity,
high algebraic degree, and correlation immunity of high order
(for balanced functions, correlation immunity is referred to as
resiliency).
By an (n, m, d, Nf ) function we mean an n-variable, mresilient (order of resiliency m) Boolean function f with
algebraic degree d and nonlinearity Nf .
Unfortunately, all the criteria above cannot be maximized
together. For n even, the most notable example is perhaps bent
functions [19]. Achieving optimal nonlinearity 2n−1 −2n/2−1 ,
bent functions permit to resist linear attacks in the best possible
way. But they are improper for cryptographic use because
they are neither balanced nor correlation-immune and their
algebraic degrees are not more than n/2. When concerning
the order of resiliency, Siegenthaler [28] and Xiao [31] proved
that d ≤ n − m − 1 for m-reslient Boolean functions. Such a
function, reaching this bound, is called degree-optimized.
For the reasons above, it is more important to construct
those degree-optimized resilient Boolean functions which have
almost optimal (large but not optimal) nonlinearity, say between 2n−1 − 2n/2 and 2n−1 − 2n/2−1 , when n is even. This
is also what we do in this paper.
We now give a summary of earlier results that are related
to our work.
1)
To obtain nonlinear resilient functions, a modification of the Maiorana-McFarland (M-M) construction
The authors are with the ISN Laboratory, Xidian University, Xi’an 710071,
China (e-mail: [email protected]).
Digital Object Identifier 10.1109/TIT.2009.2032736
3)
4)
5)
6)
of bent functions (cf. [5]) by concatenating the small
affine functions was first employed by Camion et al
[1] and later studied in [27], [3], [21]. The nonlinearity of n-variable M-M resilient functions cannot
exceed 2n−1 −2⌊n/2⌋ . The M-M technique in general
does not generate degree-optimized functions and
the M-M functions are potentially cryptographically
weak [2], [9].
An interesting extension of the M-M technique has
been made by Carlet [2], where the concatenation
of affine functions is replaced by concatenation of
quadratic functions. In general, these constructed
functions can not be degree-optimized, and the other
parameters such as nonlinearity and resiliency are not
better than those of the M-M functions.
Pasalic [17] presented a revised version of the MM technique to obtain degree-optimized resilient
functions. The modification is simple and smart but
the nonlinearity value of the constructed functions is
at most 2n−1 − 2⌊n/2⌋ .
Sarkar and Maitra [21] indicated that for each order
of resiliency m, it is possible to find an even positive
integer n to construct an (n, m, n − m − 1, Nf )
function f with Nf > 2n−1 − 2n/2 . They showed
that for even n ≥ 12, the nonlinearity of 1-resilient
functions with maximum possible algebraic degree
n−2 can reach 2n−1 −2n/2−1 −2n/2−2 −2n/4−2 −4.
It was further improved due to the method proposed
by Maitra and Pasalic [12]. Thanks to the existence
of the (8, 1, 6, 116) functions, an (n, 1, n − 2, Nf )
function f with Nf = 2n−1 − 2n/2−1 − 2n/2−2 − 4
could be obtained, where n ≥ 10.
Seberry et al. [26] and Dobbertin [6] independently
presented constructions of highly nonlinear balanced
Boolean functions by modifying the M-M bent functions. To obtain an n-variable balanced function,
they concatenated 2n/2 −1 nonconstant distinct n/2variable linear functions and one n/2-variable modified M-M class highly nonlinear balanced Boolean
function which can be constructed in a recursive
manner. These constructed functions attain the best
known nonlinearity for n-variable (n even) balanced
functions. Unfortunately, these functions are not 1resilient functions.
To obtain m-resilient functions with nonlinearity
> 2n−1 − 2n/2−1 − 2n/2−2 for n even and n ≥ 14,
Maitra and Pasalic [11] applied the concatenation of
2n/2 −2k distinct linear m-resilient functions on n/2
IEEE TRANSACTIONS ON INFORMATION THEORY, VOL.55, NO.12, PP. 5822-5831, DECEMBER 2009
7)
8)
variables together with a highly nonlinear resilient
function on n/2 + k variables. Moreover, they have
provided a generalized construction method for mresilient functions with nonlinearity 2n−1 −2n/2−1 −
2n/2−3 − 2n/2−4 for all n ≥ 8m + 6. For sufficiently
large n, it is possible to get such functions with
nonlinearity ≈ 2n−1 − 2n/2−1 − 23 2n/2−2 . And it is
the upper bound on maximum possible nonlinearity
under their construction method.
Computer search techniques have played an important role in the design of cryptographic Boolean
functions in the last ten years [14], [16], [15], [4].
For a small number of variables, Boolean functions
with good cryptographic parameters could be found
by using heuristic search techniques [12], [20], [8].
However, search techniques cannot be used for functions with a large number of variables at present.
During the past decade, the most infusive results
on the design of cryptographic Boolean functions
were centered on finding small functions with desirable cryptographic properties. When it comes to
constructing large functions, people used recursive
constructions [29], [30], [7] besides the M-M construction and its revised (extended) versions. With
the rapid development of integrated circuit technique,
Boolean functions with large number of variables can
be easily implemented in hardware [22].
In this paper we propose a technique to construct high
nonlinear resilient Boolean functions on large even number of
variables (n ≥ 12). We obtain a large class of resilient Boolean
functions with a nonlinearity higher than that attainable by any
previously known construction method.
The organization of this paper is as follows. In Section II,
the basic concepts and notations are presented. In Section III,
we present a method to construct a set of “disjoint spectra
functions” by using a class of “partially linear functions”.
Our main construction is given in Section IV. A method
for constructing resilient functions on large even number of
input variables is proposed. We show that all the constructed
functions are almost optimal. In Section V, the degrees of
the constructed functions are optimized. In Section VI, an
improved version of the main construction is given. Finally,
Section VII concludes the paper with an open problem.
II. P RELIMINARIES
To avoid confusion with the additions of integers in R,
denoted⊕
by + and Σi , we denote the additions over F2 by
⊕ and
i . For simplicity, we denote by + the addition of
vectors of Fn2 . A Boolean function of n variables is a function
from Fn2 into F2 , and we denote by Bn the set of all Boolean
functions of n variables. A Boolean function f (Xn ) ∈ Bn ,
where Xn = (x1 , · · · , xn ) ∈ Fn2 , is generally represented by
its algebraic normal form (ANF)
f (Xn ) =
⊕
u∈Fn
2
λu (
n
∏
i=1
xui i )
(1)
2
where λu ∈ F2 and u = (u1 , · · · , un ). The algebraic degree
of f (Xn ), denoted by deg(f ), is the maximal value of wt(u)
such that λu ̸= 0, where wt(u) denotes the Hamming weight
of u. A Boolean function with deg(f ) ≤ 1 is said to be affine.
In particular, an affine function with constant term equal to
zero is called a linear function. Any linear function on Fn2 is
denoted by
ω · Xn = ω1 x1 ⊕ · · · ⊕ ωn xn
where ω = (ω1 , · · · , ωn ) ∈ Fn2 . The Walsh spectrum of f ∈
Bn in point ω is denoted by Wf (ω) and calculated by
∑
Wf (ω) =
(−1)f (Xn )⊕ω·Xn .
(2)
Xn ∈Fn
2
f ∈ Bn is said to be balanced if its output column in the truth
table contains equal number of 0’s and 1’s (i.e. Wf (0) = 0).
In [31], a spectral characterization of resilient functions has
been presented.
Lemma 1: An n-variable Boolean function is m-resilient if
and only if its Walsh transform satisfies
Wf (ω) = 0, for 0 ≤ wt(ω) ≤ m, ω ∈ Fn2 .
(3)
The Hamming distance between two n-variable Boolean
functions f and ρ is denoted by
d(f, ρ) = |{Xn ∈ Fn2 : f (Xn ) ̸= ρ(Xn )}|.
The set of all affine functions on Fn2 is denoted by A(n). The
nonlinearity of a Boolean function f ∈ Bn is its distance to
the set of all affine functions and is defined as
Nf = min (d(f, ρ)).
ρ∈A(n)
In term of Walsh spectra, the nonlinearity of f is given by
[13]
1
Nf = 2n−1 − · maxn |Wf (ω)|.
(4)
2 ω∈F2
Parseval’s equation [10] states that
∑
(Wf (ω))2 = 22n
(5)
ω∈Fn
2
and implies that Nf ≤ 2n−1 − 2n/2−1 . The equality occurs if
and only if f ∈ Bn are bent functions, where n is even.
Bent functions can be constructed by the M-M method. The
original M-M functions are defined as follows: for any positive
integers p, q such that n = p+q, an M-M function is a function
f ∈ Bn defined by
f (Yq , Xp ) = ϕ(Yq ) · Xp ⊕ π(Yq ), Xp ∈ Fp2 , Yq ∈ Fq2
(6)
where ϕ is any mapping from Fq2 to Fp2 and π ∈ Bq . When n
is even, p=q=n/2, and ϕ is injective, the M-M functions are
bent. Certain choices of ϕ can easily yield bent functions with
degree n/2. For the case of n = 2, f ∈ B2 is bent if and only
if deg(f ) = 2.
The M-M construction is in essence a concatenation of
affine functions. The following definition shows a more general approach to obtain a “large” Boolean function by concatenating the truth tables of any small Boolean functions.
IEEE TRANSACTIONS ON INFORMATION THEORY, VOL.55, NO.12, PP. 5822-5831, DECEMBER 2009
Definition 1: Let Yq ∈ Fq2 , Xp ∈ Fp2 , and p, q be positive
numbers with p + q = n. f ∈ Bn is called a concatenation of
the functions in the set G = {gb | b ∈ Fq2 } ⊂ Bp if
⊕
f (Yq , Xp ) =
Yqb · gb (Xp ),
(7)
b∈Fq2
2n−1 − 2n/2 ≤ Nf < 2n−1 − 2n/2−1 .
=
(8)
(9)
III. A L ARGE S ET OF D ISJOINT S PECTRA F UNCTIONS
Disjoint spectra functions will play an important role in
constructing almost optimal resilient functions in this paper.
Definition 3: A set of Boolean functions {g1 , g2 , · · · , ge } ⊂
Bp such that for any α ∈ Fp2 ,
Wgi (α) · Wgj (α) = 0, 1 ≤ i < j ≤ e
(10)
is called a set of disjoint spectra functions.
The idea that two Boolean functions with disjoint spectra
can be used to construct highly nonlinear resilient functions
was clearly mentioned in [18], and it was also used in [29],
[7], [12]. In this section, we provide a simple construction
method for a large set of disjoint spectra functions by using a
set of “partially linear” functions.
As a family of special resilient functions, partially linear
functions were firstly considered by Siegenthaler [28]. Here is
the definition of such functions.
Definition 4: Let t be a positive integer and {i1 , · · · , it } ∪
{it+1 , · · · , ip } = {1, · · · , p}. Let Xp = (x1 , · · · , xp ) ∈ Fp2 ,
′′
Xt′ = (xi1 , · · · , xit ) ∈ Ft2 and Xp−t
= (xit+1 , · · · , xip ) ∈
p−t
t
F2 . For any c ∈ F2 , gc ∈ Bp is called a tth-order partially
linear function if
gc (Xp ) = c ·
⊕
′′
hc (Xp−t
)
(11)
where hc ∈ Bp−t .
Now we use partially linear functions to construct a set of
disjoint spectra functions.
Lemma 3: With the same notation as in Definition 4, a set
of tth-order partially linear functions
′′
T = {gc (Xp ) = c · Xt′ ⊕ hc (Xp−t
) | c ∈ Ft2 }
is a set of disjoint spectra functions.
Xp ∈Fp
2
∑
′
′′
(12)
∑
=
∑
′
(−1)(c+δ)·Xt
Xt′ ∈Ft2

′′
(−1)(c+δ)·Xt ⊕(hc (Xp−t )⊕θ·Xp−t )
Xp ∈Fp
2
Theorem 2 in [28] allows us to verify that the following
lemma is true.
Lemma 2: With the same notation as in Definition 1, if all
the functions in G are m-resilient functions, then f is an mresilient function.
From now on, we will focus on highly nonlinear resilient
Boolean functions with an even number of variables in the
following sense.
Definition 2: Let n ≥ 4 be even. f ∈ Bn is said to be almost
optimal if
Xt′
Proof: Let α = (δ, θ) ∈ Fp2 , where δ ∈ Ft2 and θ ∈ Fp−t
2 .
For any gc ∈ T ,
∑
′
′′
Wgc (α) =
(−1)c·Xt ⊕hc (Xp−t )⊕α·Xp
=
where the notation Yqb is defined by
{
1 if Yq = b
Yqb =
0 if Yq ̸= b.
3
∑
′′
′′
(−1)(hc (Xp−t )⊕θ·Xp−t )
′′ ∈Fp−t
Xp−t
2

′
(−1)(c+δ)·Xt  · Whc (θ)
(13)
Xt′ ∈Ft2
We have
{
0
2t · Whc (θ)
Wgc (α) =
if c ̸= δ
if c = δ.
(14)
For any gc′ ∈ T , c′ ̸= c, we have
Wgc (α) · Wgc′ (α) = 0.
According to Definition 3, T is a set of disjoint spectra
functions.
Disjoint spectra functions (partially linear functions) will be
used as the “components” to construct almost optimal resilient
Boolean functions in this paper.
Open Problem: Construct a large set of disjoint spectra
functions which are not (linearly equivalent to) partially linear
functions.
IV. M AIN C ONSTRUCTION
This section presents a method for constructing resilient
Boolean functions with very high nonlinearity. The algebraic
degrees of the functions are also given.
Construction 1: Let n ≥ 12 be an even number, m be a
positive number, and (a1 , · · · , as ) ∈ Fs2 such that


) ∑
)
n/2 (
n/2−2k (
s
∑
∑
n/2
n/2 − 2k 
a k ·
+
≥ 2n/2
j
j
j=m+1
j=m+1
k=1
(15)
where s = ⌊(n − 2m − 2)/4⌋. Let Xn/2 = (x1 , · · · , xn/2 ) ∈
n/2
′′
= (xt+1 , · · · , xn/2 )
F2 , Xt′ = (x1 , · · · , xt ) ∈ Ft2 , and X2k
2k
∈ F2 with t + 2k = n/2. Let
n/2
Γ0 = {c · Xn/2 | c ∈ F2 , wt(c) > m}.
(16)
For 1 ≤ k ≤ s, let Hk be a nonempty set of 2k-variable bent
functions with algebraic degree max(k, 2) and
′′
Γk = {c · Xt′ ⊕ hc (X2k
) | c ∈ Ft2 , wt(c) > m}
(17)
where hc ∈ Hk . Set
Γ=
s
∪
Γk .
(18)
k=0
n/2
Denote by ϕ any injective mapping from F2 to Γ. Then for
n/2
n/2
(Yn/2 , Xn/2 ) ∈ F2 ×F2 we construct the function f ∈ Bn
as follows:
⊕
b
Yn/2
· ϕ(b).
(19)
f (Yn/2 , Xn/2 ) =
n/2
b∈F2
IEEE TRANSACTIONS ON INFORMATION THEORY, VOL.55, NO.12, PP. 5822-5831, DECEMBER 2009
Remark 1:
1) For Inequality (15) holds, we have
|Γ| =
s
∑
|Γk | ≥ 2
n/2
.
where
(20)
Due to this we can find an injective mapping ϕ.
2) All the functions in Γ are partially linear functions and
each Γk is a set of disjoint spectra functions.
Theorem 1: Let f ∈ Bn be as in Construction 1. Then f is
an almost optimal (n, m, d, Nf ) function with
s
∑
(ak · 2n/2−k−1 )
{
ak =
k=0
Nf ≥ 2n−1 − 2n/2−1 −
4
(21)
k=1
0
1
if Ak = ∅
if Ak =
̸ ∅.
From (4), Inequality (21) holds. From Definition 2, f is almost
optimal.
Note that the algebraic degree of any function in Γ1 is 2.
Hence, when
max{k | ak ̸= 0, k = 1, 2, · · · s} = 1
(30)
d ≤ n/2 + 2 where the equality holds if and only if |A1 | is
odd. Note that the algebraic degree of any bent functions on
′
F2k
2 can reach k when k ≥ 2. So d can reach n/2 + k when
k ′ ≥ 2 and |Ak′ | is odd, where
k ′ = max{k | ak ̸= 0, k = 1, 2, · · · s}.
and
(29)
(31)
n/2
F2 ,
Let 0 ≤ k ≤ s. Any gb ∈ Γk is a partially linear function.
From (14), we have
Any gb ∈ Γ, b ∈
is an m-resilient function, where
gb (Xn/2 ) = ϕ(b). From Lemma 2, f is an m-resilient function
since it is a concatenation of m-resilient functions. Remark 2:
1) The nonlinearity of the resilient functions constructed
above is always strictly greater than 2n−1 − 2n/2 . For reasonable fixed n and m, the nonlinearity of the constructed
functions is always greater than that of the known ones except
some functions on small even number of variables.
2) Let m be the maximum number such that Inequality (15)
holds. Roughly speaking, m/n tends to 1/4.
Example 1: It is possible to construct a (16, 1, 10, 215 −27 −
5
2 ) function.
Note that s = ⌊(n − 2m − 2)/4⌋=3. For 1 ≤ k ≤
′
′′
3, let X8−2k
= (x1 , · · · , x8−2k ) ∈ F8−2k
and X2k
=
2
′
′′
8
2k
(x8−2k+1 , · · · , x8 ) ∈ F2 . Let X8 = (X8−2k , X2k ) ∈ F2 . We
construct four sets of disjoint spectra functions as follows:
Wgb (α) ∈ {0, ±2n/2−k }.
Γ0 = {c · X8 | wt(c) > 1, c ∈ F82 }.
d ≤ n/2 + max{2, max{k | ak ̸= 0, k = 1, 2, · · · s}}. (22)
n/2
n/2
Proof: For any (β, α) ∈ F2 × F2 we have
∑
Wf (β, α) =
(−1)f (Yn/2 ,Xn/2 )⊕(β,α)·(Yn/2 ,Xn/2 )
(Yn/2 ,Xn/2 )∈Fn
2
=
∑
(−1)β·b
n/2
=
(−1)gb (Xn/2 )⊕α·Xn/2
n/2
Xn/2 ∈F2
b∈F2
∑
∑
(−1)β·b Wgb (α)
n/2
=
b∈F2
s
∑
k=0
∑
(−1)β·b Wgb (α)
(23)
ϕ(b)∈Γk
n/2
b∈F2
For 1 ≤ k ≤ 3,
Let
n/2
Ak = Γk ∩ {ϕ(b) | b ∈ F2 }.
(24)
Since (15) holds, there exists an injective mapping ϕ such that
)
s
m (
∑
∑
n/2
|Ak | =
.
(25)
i
i=1
k=1
From Lemma 3, Γk is a set of disjoint spectra functions.
Noting (10), if Ak ̸= ∅, then we have
∑
(−1)β·b Wgb (α) ∈ {0, ±2n/2−k }.
(26)
ϕ(b)∈Γk
n/2
b∈F2
If Ak = ∅, then we have
∑
(−1)β·b Wgb (α) = 0.
where hc ∈ Hk . We have
8−2k
∑ (8 − 2k )
|Γk | =
, 0 ≤ k ≤ 3.
i
i=2
Notice that
|Γ0 | + |Γ2 | = 258 > 28 ,
it is possible to establish an injective mapping ϕ from F82 to
ℜ, where ℜ = Γ0 ∪ Γ2 . Then for (Y8 , X8 ) ∈ F82 × F82 we
construct the function f ∈ B16 as follows:
⊕
f (Y8 , X8 ) =
Y8b · ϕ(b).
b∈F82
(27)
ϕ(b)∈Γk
n/2
b∈F2
From (28), for any (β, α) ∈ F82 × F82 , we have
max 8 |Wf (β, α)| ≤
(β,α)∈F2
Combining (23), (26), and (27), we have
|Wf (β, α)| ≤ 2n/2 +
′′
′
) | wt(c) > 1, c ∈ F8−2k
}
⊕ hc (X2k
Γk = {c · X8−2k
2
s
∑
k=1
ak · 2n/2−k
(28)
3 ∑
∑
|Wg (α)|
k=0 g∈Γk
=
3
∑
k=0
|Wg (α)| = 28 + 26
max
8
α∈F2
g∈Γk
IEEE TRANSACTIONS ON INFORMATION THEORY, VOL.55, NO.12, PP. 5822-5831, DECEMBER 2009
5
Theorem 2: The function f ′ ∈ Bn proposed by Construction
2 is an almost optimal (n, m, n − m − 1, Nf ′ ) function with
By (4), we have
Nf ≥ 215 − 27 − 25 .
Note that the partially linear function in Γ2 can be denoted by
g = c · X4′ ⊕ hc (X4′′ ) where hc is a bent function on F42 . Since
the algebraic degree of hc (X4′′ ) can reach 2, deg(f ) can reach
8+2=10. So it is possible to obtain a (16, 1, 10, 215 − 27 − 25 )
function.
V. D EGREE O PTIMIZATION
{i1 , · · · , im+1 } ∪ {im+2 , · · · , in/2 } = {1, · · · , n/2}.
The algebraic degree of any (n, m, d, Nf ) function f obtained
in Construction 1 can be optimized by adding a monomial
xim+2 · · · xin/2 to one function g ∈ Γ with ϕ−1 (g) ̸= ∅, where
g can be denoted by
(32)
It is not difficult to prove that Nf ′ ∈ {Nf , Nf −2m+1 }, where
Nf ′ is the nonlinearity of the degree-optimized function f ′ .
To optimize the algebraic degree of f and ensure that Nf ′ =
Nf , we below propose an idea to construct a set of disjoint
spectra functions Γ′0 including a nonlinear function g ′ = g +
xim+2 · · · xin/2 .
Construction 2: Let n ≥ 12 be an even number, m be a
positive number, and (a1 , · · · , as ) ∈ Fs2 such that


)
n/2 (
∑
n/2

− 2n/2−m−1 + 1
j
j=m+1


)
n/2−2k (
s
∑
∑
n/2 − 2k 
ak ·
≥ 2n/2
(33)
+
j
j=m+1
k=1
where s = ⌊(n − 2m − 2)/4⌋. Let
n/2
Proof: f ′ is an m-resilient function since it is a concatenation of m-resilient functions.
n/2
Let gb (Xn/2 ) = ϕ′ (b) ∈ Γ′ , b ∈ F2 . From the proof of
n/2
n/2
Theorem 1, for any (β, α) ∈ F2 × F2 , we have
ϕ(b)∈Γ′0
n/2
b∈F2
k=1
(34)
n/2
n/2
F2 .
We have
Wg′ (α) =
∑
Xn/2 ∈F
(−1)
= {g (Xn/2 )} ∪ {c · Xn/2 |c ∈
n/2
F2 , wt(c)
> m, c ∈
/ S}.
(36)
Set
Γ′ = Γ′0 ∪ Γ1 ∪ · · · ∪ Γs .
(37)
Denote by ϕ′ any injective mapping from F2 to Γ′ such
that ϕ′−1 (gc′ ) ̸= ∅. The function f ′ ∈ Bn is constructed as
follows:
⊕
b
Yn/2
· ϕ′ (b).
(38)
f ′ (Yn/2 , Xn/2 ) =
n/2
n/2
b∈F2
and α = (α1 , · · · , αn/2 ) ∈
(c′ +α)·Xn/2 ⊕xim+2 ··· xin/2
n/2
2

 2n/2 − 2m+2
=
±2m+2

0
if α = c′
if α =
̸ c′ and θ = δ
if α =
̸ c′ and θ ̸= δ.
(41)
where δ = (c′i1 , · · · , c′im+1 ) and θ = (αi1 , · · · , αim+1 ). Let
n/2
gb (Xn/2 ) = ϕ′ (b) ∈ Γ′ , b ∈ F2 . When gb ∈ Γ′0 and gb =
c · Xn/2 ̸= g ′ , we have
{
0
if α ̸= c
Wgb (α) =
(42)
2n/2 if α = c.
From (36), if α ̸= c′ and (αi1 , · · · , αim+1 ) = (1 · · · 1), then
α ̸= c. Obviously, Γ′0 is a set of disjoint spectra functions. So
we have
∑
(−1)β·b Wgb (α) ∈ {0, ±2m+2 , ±(2n/2 − 2m+2 ), ±2n/2 }.
n/2
Let Ak = Γk ∩ {ϕ(b) | b ∈ F2 }. Similarly to the proof of
Theorem 1, for any (β, α) ∈ Fn2 , we have
(35)
where c ∈ S. For 1 ≤ k ≤ s, Γk is defined as in Construction
1. And we modify the Γ0 in Construction 1 as follows:
′
ϕ(b)∈Γk
n/2
b∈F2
Let c′ = (c′1 , · · · , c′n/2 ) ∈ F2
|Wf ′ (β, α)| ≤ 2n/2 +
′
Γ′0
(39)
k=1
(43)
Let
g ′ (Xn/2 ) = c′ · Xn/2 ⊕ xim+2 xim+3 · · · xin/2
ak · 2n/2−k−1 .
ϕ(b)∈Γ′0
n/2
b∈F2
S = {c | c = (c1 , · · · ,cn/2 ) ∈ F2 , wt(c) > m,
(ci1 , · · · , cim+1 ) = (1 · · · 1)}.
s
∑
Wf ′ (β, α) =
s
∑
∑
∑
(−1)β·b Wgb (α) +
(−1)β·b Wgb (α). (40)
Let
g = xi1 ⊕ · · · ⊕ xim+1 ⊕ ~(xim+2 , · · · , xin/2 ).
Nf ′ ≥ 2n−1 − 2n/2−1 −
s
∑
ak · 2n/2−k
k=1
{
where
ak =
0
1
if Ak = ∅
if Ak =
̸ ∅.
From (3), Inequality (39) holds and f ′ is obviously almost
optimal. For the existence of g ′ , deg(f ′ ) = n − m − 1. Remark 3:
1) Apparently, the idea above to obtain degree-optimized
resilient functions is firstly considered by Pasalic [17].
2) A long list of input instances and the corresponding
cryptographic parameters can be found in Table I and Table
II. In Table II, the entries with “*” represent the functions that
can not be degree optimized via Construction 2 on the premise
of that Nf ′ = Nf .
IEEE TRANSACTIONS ON INFORMATION THEORY, VOL.55, NO.12, PP. 5822-5831, DECEMBER 2009
6
TABLE I
E XISTENCE OF ALMOST OPTIMAL (n, m, n − m − 1, Nf ′ ) FUNCTIONS (1 ≤ m ≤ 4)
m
n≡0
(mod4)
1
n≡2
(mod4)
n≡0
(mod4)
2
n≡2
(mod4)
n≡0
(mod4)
3
n≡2
(mod4)
n≡0
(mod4)
4
n≡2
(mod4)
n
12 ≤ n ≤ 20
24 ≤ n ≤ 112
116 ≤ n ≤ 132
n = 136
140 ≤ n ≤ 492
496 ≤ n ≤ 512
n = 516
520 ≤ n ≤ 604
n = 608
612 ≤ n ≤ 628
632 ≤ n ≤ 2024
14 ≤ n ≤ 50
54 ≤ n ≤ 58
62 ≤ n ≤ 238
242 ≤ n ≤ 246
250 ≤ n ≤ 290
294 ≤ n ≤ 298
302 ≤ n ≤ 1002
n = 16
20 ≤ n ≤ 40
n = 44
48 ≤ n ≤ 84
n = 88
92 ≤ n ≤ 96
100 ≤ n ≤ 176
n = 180
n = 184
188 ≤ n ≤ 196
n = 200
18 ≤ n ≤ 26
30 ≤ n ≤ 58
62 ≤ n ≤ 66
70 ≤ n ≤ 122
n = 126
130 ≤ n ≤ 138
n = 142
146 ≤ n ≤ 250
n = 20
24 ≤ n ≤ 32
n = 36
40 ≤ n ≤ 56
n = 60
64 ≤ n ≤ 88
n = 92
n = 96
100 ≤ n ≤ 144
22 ≤ n ≤ 26
30 ≤ n ≤ 42
n = 46
50 ≤ n ≤ 70
n = 74
n = 78
82 ≤ n ≤ 114
28 ≤ n ≤ 32
36 ≤ n ≤ 48
n = 52
56 ≤ n ≤ 68
n = 72
76 ≤ n ≤ 100
n = 26
30 ≤ n ≤ 38
n = 42
46 ≤ n ≤ 58
n = 62
66 ≤ n ≤ 82
n = 86
n = 90
94 ≤ n ≤ 118
Nf ′
2n−1 − 2n/2−1 − 2n/4+1 − 4
2n−1 − 2n/2−1 − 2n/4+2 − 4
2n−1 − 2n/2−1 − 2n/4+2 − 2n/4+1 − 4
2n−1 − 2n/2−1 − 2n/4+2 − 2n/4+1 − 2n/4 − 4
2n−1 − 2n/2−1 − 2n/4+3 − 4
2n−1 − 2n/2−1 − 2n/4+3 − 2n/4+1 − 4
2n−1 − 2n/2−1 − 2n/4+3 − 2n/4+1 − 2n/4 − 4
2n−1 − 2n/2−1 − 2n/4+3 − 2n/4+2 − 4
2n−1 − 2n/2−1 − 2n/4+3 − 2n/4+2 − 2n/4 − 4
2n−1 − 2n/2−1 − 2n/4+3 − 2n/4+2 − 2n/4+1 − 4
2n−1 − 2n/2−1 − 2n/4+4 − 4
2n−1 − 2n/2−1 − 2(n+6)/4 − 4
2n−1 − 2n/2−1 − 2(n+6)/4 − 2(n+2)/4 − 4
2n−1 − 2n/2−1 − 2(n+10)/4 − 4
2n−1 − 2n/2−1 − 2(n+10)/4 − 2(n+2)/4 − 4
2n−1 − 2n/2−1 − 2(n+10)/4 − 2(n+6)/4 − 4
n−1
2
− 2n/2−1 − 2(n+10)/4 − 2(n+6)/4 − 2(n+2)/4 − 4
2n−1 − 2n/2−1 − 2(n+14)/4 − 4
2n−1 − 2n/2−1 − 2n/4+2 − 8
2n−1 − 2n/2−1 − 2n/4+3 − 8
2n−1 − 2n/2−1 − 2n/4+3 − 2n/4+2 − 8
2n−1 − 2n/2−1 − 2n/4+4 − 8
2n−1 − 2n/2−1 − 2n/4+4 − 2n/4+2 − 8
2n−1 − 2n/2−1 − 2n/4+4 − 2n/4+3 − 8
2n−1 − 2n/2−1 − 2n/4+5 − 8
2n−1 − 2n/2−1 − 2n/4+5 − 2n/4+3 − 8
2n−1 − 2n/2−1 − 2n/4+5 − 2n/4+3 − 2n/4+2 − 2n/4+1 − 8
2n−1 − 2n/2−1 − 2n/4+5 − 2n/4+4 − 8
2n−1 − 2n/2−1 − 2n/4+5 − 2n/4+4 − 2n/4+3 − 8
2n−1 − 2n/2−1 − 2(n+10)/4 − 8
2n−1 − 2n/2−1 − 2(n+14)/4 − 8
2n−1 − 2n/2−1 − 2(n+14)/4 − 2(n+10)/4 − 8
2n−1 − 2n/2−1 − 2(n+18)/4 − 8
2n−1 − 2n/2−1 − 2(n+18)/4 − 2(n+10)/4 − 8
2n−1 − 2n/2−1 − 2(n+18)/4 − 2(n+14)/4 − 8
2n−1 − 2n/2−1 − 2(n+18)/4 − 2(n+14)/4 − 2(n+10)/4 − 2(n+6)/4 − 8
2n−1 − 2n/2−1 − 2(n+22)/4 − 8
2n−1 − 2n/2−1 − 2n/4+3 − 2n/4+2 − 16
2n−1 − 2n/2−1 − 2n/4+4 − 16
2n−1 − 2n/2−1 − 2n/4+4 − 2n/4+3 − 16
2n−1 − 2n/2−1 − 2n/4+5 − 16
2n−1 − 2n/2−1 − 2n/4+5 − 2n/4+4 − 16
2n−1 − 2n/2−1 − 2n/4+6 − 16
2n−1 − 2n/2−1 − 2n/4+6 − 2n/4+4 − 16
2n−1 − 2n/2−1 − 2n/4+6 − 2n/4+5 − 16
2n−1 − 2n/2−1 − 2n/4+7 − 16
2n−1 − 2n/2−1 − 2(n+14)/4 − 16
2n−1 − 2n/2−1 − 2(n+18)/4 − 16
2n−1 − 2n/2−1 − 2(n+18)/4 − 2(n+14)/4 − 16
2n−1 − 2n/2−1 − 2(n+22)/4 − 16
n−1
2
− 2n/2−1 − 2(n+22)/4 − 2(n+18)/4 − 16
2n−1 − 2n/2−1 − 2(n+22)/4 − 2(n+18)/4 − 2(n+14)/4 − 16
2n−1 − 2n/2−1 − 2(n+26)/4 − 16
2n−1 − 2n/2−1 − 2n/4+5 − 32
2n−1 − 2n/2−1 − 2n/4+6 − 32
2n−1 − 2n/2−1 − 2n/4+6 − 2n/4+5 − 32
2n−1 − 2n/2−1 − 2n/4+7 − 32
2n−1 − 2n/2−1 − 2n/4+7 − 2n/4+5 − 2n/4+4 − 32
2n−1 − 2n/2−1 − 2n/4+8 − 32
2n−1 − 2n/2−1 − 2(n+18)/4 − 32
2n−1 − 2n/2−1 − 2(n+22)/4 − 32
2n−1 − 2n/2−1 − 2(n+22)/4 − 2(n+18)/4 − 32
2n−1 − 2n/2−1 − 2(n+26)/4 − 32
2n−1 − 2n/2−1 − 2(n+26)/4 − 2(n+22)/4 − 32
2n−1 − 2n/2−1 − 2(n+30)/4 − 32
2n−1 − 2n/2−1 − 2(n+30)/4 − 2(n+22)/4 − 2(n+18)/4 − 2(n+14)/4 − 32
2n−1 − 2n/2−1 − 2(n+30)/4 − 2(n+26)/4 − 2(n+22)/4 − 32
2n−1 − 2n/2−1 − 2(n+34)/4 − 32
Functions from Construction 2
(20, 2, 17, 219 − 29 − 28 )
(24, 3, 20, 223 − 211 − 210 )
(22, 3, 18, 221 − 210 − 29 )
(28, 4, 23, 227 − 213 − 212 )
(36, 4, 31, 235 − 217 − 215 )
(26, 4, 21, 225 − 212 − 211 )
(30, 4, 25, 229 − 214 − 213 )
IEEE TRANSACTIONS ON INFORMATION THEORY, VOL.55, NO.12, PP. 5822-5831, DECEMBER 2009
7
TABLE II
A LMOST OPTIMAL (n, m, n − m − 1, Nf ′ ) FUNCTIONS (m ≥ 5) WHICH
(30, 5, 24, 2 − 2 − 2 )
(42, 5, 36, 241 − 220 − 217 − 214 − 26 )∗
(54, 5, 48, 253 − 226 − 221 − 26 )∗
(64, 5, 48, 263 − 231 − 224 − 26 )∗
(76, 5, 70, 275 − 237 − 228 − 26 )∗
(88, 5, 82, 287 − 243 − 231 − 230 − 26 )∗
(98, 5, 92, 297 − 248 − 234 − 232 − 26 )∗
(34, 6, 27, 223 − 216 − 215 )
(48, 6, 41, 247 − 223 − 220 − 27 )∗
(60, 6, 53, 259 − 229 − 224 − 27 )∗
(70, 6, 63, 269 − 234 − 227 − 27 )∗
(82, 6, 75, 281 − 240 − 231 − 27 )∗
(92, 6, 85, 291 − 245 − 234 − 27 )∗
(38, 7, 30, 237 − 218 − 217 − 216 )
(48, 7, 40, 247 − 223 − 221 )
(58, 7, 50, 257 − 228 − 224 − 223 − 28 )∗
(66, 7, 58, 265 − 232 − 227 − 28 )∗
(76, 7, 68, 273 − 237 − 230 − 28 )∗
(86, 7, 78, 285 − 242 − 233 − 232 − 28 )∗
(98, 7, 90, 297 − 248 − 237 − 28 )∗
(42, 8, 33, 241 − 220 − 219 − 218 )
(52, 8, 43, 251 − 225 − 223 )
(68, 8, 59, 267 − 233 − 225 − 229 )
(76, 8, 67, 275 − 237 − 231 − 228 − 29 )∗
(88, 8, 79, 287 − 243 − 235 − 29 )∗
(98, 8, 89, 297 − 248 − 238 − 236 − 29 )∗
(46, 9, 36, 245 −222 −221 −220 −219 −210 )∗
(56, 9, 46, 255 − 227 − 225 )
(68, 9, 58, 267 −233 −229 −228 −227 −210 )∗
(76, 9, 66, 275 − 237 − 232 − 210 )∗
(88, 9, 78, 287 − 243 − 236 − 210 )∗
(100, 9, 90, 299 − 249 − 240 − 210 )∗
(52, 10, 41, 251 − 225 − 224 )
(68, 10, 57, 267 − 233 − 230 )
(80, 10, 69, 279 −239 −234 −233 −211 )∗
(86, 10, 75, 285 −242 −236 −235 −234 −211 )∗
(94, 10, 83, 293 − 246 − 239 − 211 )∗
(200, 10, 189, 2199 −299 −271 −270 −211 )∗
(56, 11, 44, 255 − 227 − 226 )
(74, 11, 62, 273 − 236 − 233 )
(86, 11, 74, 285 − 242 − 237 − 235 − 212 )∗
(94, 11, 82, 293 − 246 − 240 − 212 )∗
(60, 12, 47, 259 − 229 − 228 − 226 )
(70, 12, 57, 269 − 234 − 232 )
(84, 12, 71, 283 − 241 − 237 − 236 )
(98, 12, 85, 297 − 248 − 242 − 213 )∗
(66, 13, 52, 265 − 232 − 231 )
(90, 13, 76, 289 − 244 − 240 )
(100, 13, 86, 299 − 249 − 244 − 214 )∗
(68, 14, 53, 267 − 233 − 232 − 231 )
(80, 14, 65, 279 − 239 − 237 )
(94, 14, 79, 293 − 246 − 242 − 241 )
(72, 15, 56, 271 − 235 − 234 − 233 )
(84, 15, 68, 283 − 241 − 239 )
(92, 15, 76, 291 − 246 − 243 )
(200, 15, 184, 2199 −299 −278 −276 −216 )∗
(76, 16, 59, 275 − 237 − 236 − 235 − 233 )
(88, 16, 71, 287 − 243 − 241 )
(100, 16, 83, 299 − 249 − 246 )
(80, 17, 62, 279 −239 −238 −237 −236 −235 )
(100, 17, 82, 299 − 249 − 246 − 245 )
(86, 18, 67, 285 − 242 − 241 )
(100, 18, 91, 299 − 249 − 247 )
(90, 19, 70, 289 − 244 − 243 − 241 )
(200, 19, 180, 2199 − 299 − 283 − 220 )∗
(94, 20, 73, 293 − 246 − 245 − 244 )
(300, 20, 279, 2299 − 2149 − 2115 − 221 )∗
(100, 21, 78, 299 − 249 − 248 )
(400, 94, 305, 2399 − 2199 − 2198 − 2197 )
(700, 167, 532, 2699 − 2349 − 2348 − 2347 )
(900, 216, 683, 2899 − 2449 − 2448 − 2447 )
29
14
13
6 ∗
(36, 5, 30, 2 − 2 − 2 − 2 )
(44, 5, 38, 243 − 221 − 218 − 26 )∗
(58, 5, 52, 257 − 228 − 222 − 221 − 26 )∗
(70, 5, 64, 269 − 234 − 226 − 26 )∗
(80, 5, 74, 279 − 239 − 229 − 26 )∗
(90, 5, 84, 289 − 244 − 232 − 26 )∗
(100, 5, 94, 299 − 249 − 235 − 26 )∗
(40, 6, 33, 239 − 219 − 217 − 216 − 27 )∗
(52, 6, 45, 251 − 225 − 222 )
(64, 6, 47, 263 − 231 − 225 − 224 − 27 )∗
(76, 6, 69, 275 − 237 − 229 − 27 )∗
(86, 6, 79, 285 − 242 − 232 − 27 )∗
(96, 6, 89, 295 − 247 − 235 − 27 )∗
(40, 7, 32, 239 − 219 − 218 )
(52, 7, 44, 251 − 225 − 222 − 221 − 28 )∗
(60, 7, 52, 259 − 229 − 225 − 28 )∗
(70, 7, 62, 269 − 234 − 228 − 227 − 28 )∗
(78, 7, 70, 277 − 238 − 231 − 28 )∗
(88, 7, 80, 287 − 243 − 234 − 28 )∗
(100, 7, 92, 299 − 249 − 238 − 28 )∗
(44, 8, 35, 243 − 221 − 220 )
(58, 8, 49, 257 − 228 − 225 − 29 )∗
(70, 8, 61, 269 − 234 − 229 − 227 − 29 )∗
(78, 8, 69, 277 − 238 − 232 − 29 )∗
(92, 8, 83, 291 − 245 − 236 − 235 − 29 )∗
(100, 8, 91, 299 − 249 − 239 − 29 )∗
(48, 9, 38, 247 − 223 − 222 )
(62, 9, 52, 261 − 230 − 227 − 226 )
(70, 9, 60, 269 − 234 − 230 − 210 )∗
(80, 9, 70, 279 − 239 − 234 − 210 )∗
(94, 9, 84, 293 − 246 − 238 − 210 )∗
(200, 9, 190, 2199 − 299 − 270 − 210 )∗
(60, 10, 49, 259 − 229 − 227 )
(74, 10, 63, 273 −236 −232 −230 −211 )∗
(82, 10, 71, 281 − 240 − 235 − 211 )∗
(88, 10, 77, 287 − 243 − 237 − 211 )∗
(98, 10, 87, 297 −248 −240 −239 −238 −211 )∗
(300, 10, 289, 2299 −2149 −299 −298 −211 )∗
(66, 11, 54, 265 − 232 − 230 )
(80, 11, 68, 279 − 239 − 235 )
(88, 11, 76, 287 − 243 − 238 )
(98, 11, 86, 297 − 248 − 241 − 240 − 212 )∗
(62, 12, 49, 261 − 230 − 229 )
(76, 12, 63, 275 − 237 − 234 − 233 )
(86, 12, 73, 285 − 242 − 238 )
(100, 12, 87, 299 − 249 − 243 − 213 )∗
(74, 13, 60, 273 − 236 − 234 )
(96, 13, 82, 295 − 247 − 242 − 241 )
(200, 13, 186, 2199 − 299 − 276 − 214 )∗
(70, 14, 55, 269 − 234 − 233 )
(86, 14, 71, 285 − 242 − 239 − 238 )
(96, 14, 81, 295 − 247 − 243 )
(74, 15, 58, 273 − 236 − 235 )
(86, 15, 70, 285 − 242 − 240 )
(98, 15, 82, 297 − 248 − 244 − 243 − 242 )
(300, 15, 284, 2299 − 2149 − 2108 − 216 )∗
(78, 16, 61, 277 − 238 − 237 )
(96, 16, 79, 295 − 247 − 244 − 242 )
(200, 16, 183, 2199 − 299 − 280 − 217 )∗
(82, 17, 64, 281 − 240 − 239 )
(200, 17, 182, 2199 − 299 − 281 − 218 )∗
(96, 18, 77, 295 − 247 − 245 − 243 )
(200, 18, 191, 2199 − 299 − 282 − 219 )∗
(92, 19, 72, 291 − 245 − 244 )
(300, 19, 280, 2299 − 2149 − 2114 − 220 )∗
(96, 20, 75, 295 − 247 − 246 )
(500, 20, 479, 2499 − 2249 − 2173 − 221 )∗
(200, 45, 154, 2199 − 299 − 298 )
(500, 118, 381, 2499 − 2249 − 2248 − 2247 )
(800, 191, 608, 2799 − 2399 − 2398 − 2396 )
(1000, 241, 758, 2999 − 2499 − 2498 − 2497 )
35
17
15
WERE NOT KNOWN EARLIER
(38, 5, 32, 237 − 218 − 216 )
(48, 5, 42, 247 − 223 − 219 − 26 )∗
(60, 5, 54, 259 − 229 − 223 − 26 )∗
(74, 5, 68, 273 − 236 − 227 − 224 − 26 )∗
(84, 5, 78, 283 − 241 − 230 − 26 )∗
(94, 5, 88, 293 − 246 − 233 − 26 )∗
(200, 5, 194, 2199 − 299 − 262 − 261 − 26 )∗
(42, 6, 35, 241 − 220 − 218 )
(54, 6, 47, 253 − 226 − 222 − 27 )∗
(66, 6, 59, 265 − 232 − 226 − 27 )∗
(80, 6, 73, 279 − 239 − 230 − 229 − 27 )∗
(90, 6, 83, 289 − 244 − 233 − 232 − 27 )∗
(100, 6, 93, 299 − 249 − 236 − 235 − 27 )∗
(46, 7, 38, 245 − 222 − 220 )
(54, 7, 46, 253 − 226 − 223 )
(64, 7, 46, 263 − 231 − 226 − 225 − 28 )∗
(72, 7, 64, 271 − 235 − 229 − 28 )∗
(82, 7, 74, 281 − 240 − 232 − 28 )∗
(92, 7, 84, 291 − 245 − 235 − 28 )∗
(200, 7, 182, 2199 − 299 − 266 − 263 − 28 )∗
(50, 8, 41, 249 − 224 − 222 − 221 )
(64, 8, 45, 263 − 231 − 227 − 29 )∗
(72, 8, 63, 271 − 235 − 230 − 29 )∗
(82, 8, 73, 281 − 240 − 233 − 29 )∗
(94, 8, 85, 293 − 246 − 237 − 29 )∗
(200, 8, 191, 2199 − 299 − 268 − 29 )∗
(54, 9, 44, 253 − 226 − 224 − 223 − 222 )
(64, 9, 44, 263 − 231 − 228 )
(74, 9, 64, 273 − 236 − 232 − 210 )∗
(82, 9, 72, 281 − 240 − 234 − 210 )∗
(98, 9, 88, 297 − 248 − 239 − 238 − 210 )∗
(300, 9, 290, 2299 −2159 −2107 −2106 −2104 −210 )∗
(66, 10, 55, 265 −232 −229 −228 −227 −226 −225 −211 )∗
(76, 10, 65, 275 − 237 − 233 )
(84, 10, 73, 283 − 241 − 236 − 211 )∗
(92, 10, 81, 291 −245 −238 −237 −236 −235 −211 )∗
(100, 10, 89, 299 − 249 − 241 − 211 )∗
(500, 10, 489, 2499 − 2249 − 2153 − 211 )∗
(72, 11, 60, 271 − 235 − 232 − 230 )
(84, 11, 72, 283 − 241 − 237 )
(92, 11, 80, 291 − 245 − 239 − 238 − 212 )∗
(100, 11, 88, 299 − 249 − 242 − 212 )∗
(68, 12, 55, 267 − 233 − 231 − 230 )
(78, 12, 65, 277 − 238 − 235 )
(92, 12, 79, 291 − 245 − 240 )
(200, 12, 187, 2199 −299 −274 −272 −271 −213 )∗
(82, 13, 68, 281 − 240 − 237 )
(98, 13, 84, 297 − 248 − 243 )
(300, 13, 286, 2299 − 2149 − 2105 − 214 )∗
(78, 14, 63, 277 − 238 − 236 − 234 )
(88, 14, 73, 287 − 243 − 240 )
(200, 14, 185, 2199 − 299 − 276 − 215 )∗
(82, 15, 66, 281 − 240 − 238 − 237 )
(90, 15, 74, 289 − 244 − 241 − 240 − 239 )
(100, 15, 84, 299 − 249 − 245 )
(500, 15, 484, 2499 − 2249 − 2164 − 216 )∗
(86, 16, 69, 285 − 242 − 240 − 239 )
(98, 16, 81, 297 − 248 − 245 )
(300,16,283,2299 −2149 −2109 −2108 −2107 −2105 −217 )∗
91
45
43
(92, 17, 74, 2 − 2 − 2 )
(300, 17, 282, 2299 − 2149 − 2111 − 218 )∗
(98, 18, 79, 297 − 248 − 246 )
(300, 18, 291, 2299 − 2149 − 2112 − 219 )∗
(100, 19, 80, 299 − 249 − 247 − 244 − 243 )
(500, 19, 480, 2499 − 2249 − 2171 − 220 )∗
(200, 20, 179, 2199 − 299 − 284 − 221 )∗
(1000, 20, 979, 2999 − 2499 − 2308 − 221 )∗
(300,70,229,2299 −2149 −2148 −2147 −2146 −2145 )
(600,143,456,2599 −2299 −2298 −2297 )
(5000,1232,3767,24999 −22499 −22498 −22497 −22496 )
(10000,2475,7524,29999 −24999 −24998 −24997 −24996 )
IEEE TRANSACTIONS ON INFORMATION THEORY, VOL.55, NO.12, PP. 5822-5831, DECEMBER 2009
VI. I MPROVED V ERSION OF THE M AIN C ONSTRUCTION
Both constant functions and balanced Boolean functions are
regarded as 0-resilient functions. The Boolean functions that
are neither balanced nor correlation-immune are regarded as
(−1)-resilient functions (e.g. bent functions).
Lemma 4: With the same notation as in the Definition 4, if
hc is a v-resilient function, then gc is a (wt(c) + v)-resilient
function.
Proof: Let α ∈ Fp2 and l = c·Xt′ . It is not difficult to deduce
that Wgc (α) = Wl (αi1 , · · · , αit )·Whc (αit+1 , · · · , αip ). When
wt(αi1 , · · · , αit ) < wt(c), Wl (αi1 , · · · , αit ) = 0. From
Lemma 1, for hc is a v-resilient function, we have
8
Let
n/2
Ak = Ωk ∩ {φ(b) | b ∈ F2 }.
(51)
Note that each Ωk (k = 0, 1, · · · , ⌊n/4⌋) is a set of disjoint
spectra functions. Similarly to the proof of Theorem 1, we
obtain
⌊n/4⌋
|Wf (β, α)| ≤ 2n/2 +
∑
ak · 2n/2−2k · (22k − 2Nhk ) (52)
k=1
{
where
ak =
0
1
if Ak = ∅
if Ak =
̸ ∅.
Whc (αit+1 , · · · , αip ) = 0, for wt(αit+1 , · · · , αip ) ≤ v.
From (3), Inequality (49) holds.
From Lemma 4, all the functions in Ω are m-resilient
Obviously, Wgc (α) = 0 when wt(α) ≤ wt(c) + v. From
functions.
Due to Lemma 2, f is an m-resilient function.
Lemma 1, gc is a (wt(c) + v)-resilient function. For
the
existence
of a degree-optimized function gb ∈ Ω with
Construction 3: Let n ≥ 12 be an even number, m be a
−1
φ
(g
)
=
̸
∅,
we
have deg(f ) = n − m − 1. b
positive number, ek be a nonnegative number with 0 ≤ ek ≤
Fixing
n
and
m,
we can also obtain lots of degree-optimized
k + 1, and ak ∈ F2 (k = 1, · · · , ⌊n/4⌋) such that
resilient functions whose nonlinearity are better than that of


) ⌊n/4⌋
)
n/2 (
n/2−2k (
functions constructed by Construction 1. See the following
∑
∑
∑
n/2
n/2 − 2k 
a k ·
+
≥ 2n/2 . example.
i
j
i=m+1
j=m−ek +1
k=1
Example 2: It is possible to construct a (28, 1, 26, 227 −
(44) 213 − 28 − 26 ) function. Let
Let Xn/2 = (x1 , · · · , xn/2 ) ∈ F2 , Xt′ = (x1 , · · · , xt ) ∈ Ft2
′′
and X2k
= (xt+1 , · · · , xn/2 ) ∈ F2k
2 , where t + 2k = n/2. Let
n/2
n/2
Ω0 = {c · Xn/2 | c ∈ F2 , wt(c) > m}.
(45)
For 1 ≤ k ≤ ⌊n/4⌋ and 0 ≤ ek ≤ m + 1, let Rk be a
nonempty set of nonlinear (2k, ek − 1, −, Nhk ) functions with
high nonlinearity and
′′
Ωk = {c · Xt′ ⊕ hc (X2k
) | c ∈ Ft2 , wt(c) > m − ek }
(46)
where hc ∈ Rk . Set
⌊n/4⌋
Ω=
∪
Ωk .
(47)
k=0
Ω0 = {c · Xt′ | c ∈ F14
2 , wt(c) ≥ 2}
and
′′
) | c ∈ F42 , hc ∈ R5 }
Ω5 = {c · X4′ ⊕ hc (X10
where R5 is a nonempty set of (10, 1, 8, 492) functions [8].
Note that |Ω0 | = 16369, |Ω5 | = 16. For 16369 + 16 > 214 , it
is possible to select 214 many 14-variable 1-resilient functions
from Ω0 ∪ Ω5 . We concatenate these functions and obtain a
(28, 1, 26, 227 − 213 − 28 − 26 ) function.
Similarly, one can obtain the following resilient functions:
(36, 3, 32, 235 −217 −213 ), (42, 5, 36, 241 −220 −217 −214 ),
(86, 4, 81, 285 −242 −229 −227 −226 −218 −214 −213 −25 ),
(66, 10, 55, 265 − 232 − 229 − 228 − 227 − 226 − 225 ), etc.
n/2
Denote by φ any injective mapping from F2 to Ω such that
there exists an (n/2, m, n/2 − m − 1, Ngb ) function gb ∈ Ω
with φ−1 (gb ) ̸= ∅ . We construct the function f ∈ Bn as
follows:
⊕
b
f (Yn/2 , Xn/2 ) =
Yn/2
· φ(b)
(48)
n/2
b∈F2
Theorem 3: If f ∈ Bn is proposed by Construction 3, then
f is an almost optimal (n, m, n − m − 1, Nf ) function with
⌊n/4⌋
Nf ≥ 2n−1 − 2n/2−1 −
∑
(ak · 2n/2−2k · (22k−1 − Nhk )).
k=1
(49)
n/2
Proof: For any (β, α) ∈ F2
⌊n/4⌋
Wf (β, α) =
n/2
× F2
∑
∑
k=0
φ(b)∈Ωk
n/2
b∈F2
we have
(−1)β·b Wgb (α)
(50)
VII. C ONCLUSION AND AN O PEN P ROBLEM
In this paper, we described a technique for constructing resilient functions with good nonlinearity on large even
number variables. As a consequence, we obtained general
constructions of functions which were not known earlier.
Sarkar and Maitra [23] have shown that the nonlinearity of
any (n, m, n − m − 1, Nf ) function (m ≤ n − 2) is divisible
by 2m+2 . And they have deduced the following result: If n is
even, and m ≤ n/2 − 2, then Nf ≤ 2n−1 − 2n/2−1 − 2m+1 .
But we suppose that this upper bound could be improved. So
we propose an open problem as follows:
Does there exist n-variable (n ≥ 12 even), m-resilient
(m ≤ ⌈n/4⌉) functions with nonlinearity > 2n−1 − 2n/2−1 −
2⌊n/4⌋+m−1 ? If there does, how to construct these functions?
Conjecture: Let n ≥ 12 be even and m < ⌈n/4⌉. For any
(n, m, −, Nf ) function, the following inequality always holds:
Nf ≤ 2n−1 − 2n/2−1 − 2⌊n/4⌋+m−1 .
(53)
IEEE TRANSACTIONS ON INFORMATION THEORY, VOL.55, NO.12, PP. 5822-5831, DECEMBER 2009
R EFERENCES
[1] P. Camion, C. Carlet, P. Charpin, and N. Sendrier, “On correlationimmune functions,” in Advances in Cryptology - CRYPTO’91 (Lecture
Notes in Computer Sceince). Berlin, Germany: Springer-Verlag, 1992,
vol. 547, pp. 86-100.
[2] C. Carlet, “A larger class of cryptographic Boolean functions via a study
of the Maiorana-Mcfarland constructions,” in Advances in Cryptology CRYPTO 2002 (Lecture Notes in Computer Sceince), Berlin, Germany:
Springer-Verlag, 2002, vol. 2442, pp. 549-564.
[3] S. Chee, S. Lee, D. Lee, and S. H. Sung, “On the correlation immune
functions and their nonlinearity,” in Advances in Cryptology - Asiacrypt’96 (Lecture Notes in Computer Sceince). Berlin, Germany: SpringerVerlag, 1997, vol. 1163, pp. 232-243.
[4] J. Clark, J. Jacob, S. Stepney, S. Maitra, and W. Millan, “Evolving
Boolean functions satisfying multiple criteria,” in Progress in INDOCRYPT 2002 (Lecture Notes in Computer Science). Berlin, Germany: Springer-Verlag, 2002, vol. 2551, pp. 246-259.
[5] J. F. Dillon, Elementary Hadamard difference set, Ph.D. Thesis, University of Maryland, 1974.
[6] H. Dobbertin, “Construction of bent functions and balanced Boolean
functions with high nonlinearity,” in Workshop on Fast Software Encryption (FES 1994) (Lecture Notes in Computer Science). Berlin, Germany:
Springer-Verlag, 1995, vol. 1008, pp. 61-74.
[7] M. Fedorova and Y. V. Tarannikov, “On the constructing of highly
nonlinear resilient Boolean functions by means of special matrices,”
in Progress in Cryptology - INDOCRYPT 2001 (Lecture Notes in
Computer Science). Berlin, Germany: Springer-Verlag, 2001, vol. 2247,
pp. 254-266.
[8] S. Kavut, S. Maitra, and M. D. Yücel, “Search for Boolean functions
with excellent profiles in the rotation symmetric class,” IEEE Transations
on Information Theory, vol. 53, no. 5, pp. 1743-1751, 2007.
[9] K. Khoo, G. Gong, and H.-K. Lee, “The rainbow attack on stream
ciphers based on Maiorana-McFarland functions,” in Appiled Cryptography and Network Security - ACNS 2006 (Lecture Notes in Computer
Sceince), Berlin, Germany: Springer-Verlag, 2006, vol. 3989, pp. 194209.
[10] F. J. MacWilliams and N. J. A. Sloane, The Theory of Error-Correcting
Codes, Amsterdam, The Netherlands: North-Holland, 1977.
[11] S. Maitra and E. Pasalic, “A Maiorana-McFarland type construction for
resilient Boolean functions on variables (n even) with nonlinearity >
2n−1 − 2n/2 + 2n/2−2 ,” Discrete Applied Mathematics, vol. 154, pp.
357-369, 2006.
[12] S. Maitra and E. Pasalic, “Further constructions of resilient Boolean
functions with very high nonlinearity,” IEEE Transations on Information
Theory, vol. 48, no. 7, pp. 1825-1834, 2002.
[13] W. Meier and O. Staffelbach, “Nonlinearity criteria for cryptographic
functions,” in Advances in Cryptology - EUROCRYPT’89 (Lecture
Notes in Computer Sceince), Berlin, Germany: Springer-Verlag, 1990,
vol. 434, pp. 549-562.
[14] W. Millan, A. Clark, and E. Dawson, “An effective genetic algorithm for
finding highly nonlinear Boolean functions,” in Proceedings of the First
International Conference on Information and Communication Security
(Lecture Notes in Computer Science). Berlin, Germany: Springer-Verlag,
1997, vol. 1334, pp. 149-158.
[15] W. Millan, A. Clark, and E. Dawson, “Boolean function design using
hill climbing methods,” in Proceedings of the 4th Australasian Conference on Information Security and Privacy (Lecture Notes in Computer
Science). Berlin, Germany: Springer-Verlag, 1999, vol. 1587, pp. 1-11.
[16] W. Millan, A. Clark, and E. Dawson. “Heuristic design of cryptographically strong balanced Boolean functions,” in Advances in Cryptology
- EUROCRYPT’98 (Lecture Notes in Computer Science). Berlin, Germany: Springer-Verlag, 1998, vol. 1403, pp. 489-499.
[17] E. Pasalic, “Maiorana-McFarland class: degree optimization and algebraic properties,” IEEE Transactions on Information Theory, vol. 52,
no.10, pp. 4581-4594, 2006.
[18] E. Pasalic, S. Maitra, T. Johansson, and P. Sarkar, “New constructions
of resilient and correlation immune Boolean functions achieving upper
bounds on nonlinearity,” in Workshop on Coding and Cryptography
- WCC 2001, Paris, France, Jan. 8-12, 2001. Published in Electronic
Notes in Discrete Mathematics. Amsterdam, The Netherlands: Elsevier
Science, 2001, vol. 6, pp. 158-167.
[19] O. S. Rothaus, On ’bent’ functions, Journal of Combinatorial Theory,
Ser. A, vol. 20, pp. 300-305, 1976.
[20] Z. Saber, M. F. Uddin, and A. Youssef, “On the existence of
(9, 3, 5, 240) resilient functions,” IEEE Transations on Information
Theory, vol. 52, no. 5, pp. 2269-2270, 2006.
9
[21] P. Sarkar and S. Maitra, “Construction of nonlinear Boolean functions
with important cryptographic properties,” in Advances in Cryptology
- EUROCRYPT 2000 (Lecture Notes in Computer Sceince), Berlin,
Germany: Springer-Verlag, 2000, vol. 1807, pp. 485-506.
[22] P. Sarkar and S. Maitra, “Efficient implementation of cryptographically
useful large Boolean functions, IEEE Transactions on Computers, vol.
52, no. 4, pp. 410-417, 2003.
[23] P. Sarkar and S. Maitra, “Nonlinearity bounds and constructions of
resilient Boolean functions,” in Advances in Cryptology - CRYPTO 2000
(Lecture Notes in Computer Sceince), Berlin, Germany: Springer-Verlag,
2000, vol. 1880, pp. 515-532.
[24] P. Sarkar and S. Maitra, “Construction of nonlinear resilient Boolean
functions using small affine functions,” IEEE Transactions on Information Theory, vol. 50, no. 9, pp. 2185-2193, 2004.
[25] J. Seberry, X.-M. Zhang, and Y. Zheng, “Nonlinearity and propagation
characteristics of balanced Boolean functions,” Information and Computation, vol. 119, pp. 1-13, 1995.
[26] J. Seberry, X.-M. Zhang, and Y. Zheng, “Nonlinearly balanced Boolean
functions and their propagation characteristics,” in Advances in Cryptology - CRYPTO’93 (Lecture Notes in Computer Sceince), Berlin,
Germany: Springer-Verlag, 1994, vol. 773, pp. 49-60.
[27] J. Seberry, X.-M. Zhang, and Y. Zheng, “On constructions and nonlinearity of correlation immune Boolean functions,” in Advances in
Cryptology - EUROCRYPT’93 (Lecture Notes in Computer Sceince),
Berlin, Germany: Springer-Verlag, 1984, vol. 765, pp. 181-199.
[28] T. Siegenthaler, “Correlation-immunity of nonlinear combining functions
for cryptographic applications,” IEEE Transactions on Information Theory, vol. 30, no.5, pp. 776-780, 1984.
[29] Y. V. Tarannikov, “On resilient Boolean functions with maximum
possible nonlinearity,” in Progress in Cryptology - INDOCRYPT 2000
(Lecture Notes in Computer Science). Berlin, Germany: Springer Verlag,
2000, vol. 1977, pp. 19-30.
[30] Y. V. Tarannikov, “New constructions of resilient Boolean functions with
maximal nonlinearity,” in Workshop on Fast Software Encryption (FSE
2001) (Lecture Notes in Computer Science). Berlin, Germany: SpringerVerlag, 2001, vol. 2355, pp. 66-77.
[31] G.-Z. Xiao and J. L. Massey, “A spectral characterization of correlationimmune combining functions,” IEEE Transactions on Information Theory, vol. 34, no. 3, pp. 569-571, 1988.
WeiGuo ZHANG received the B.S. degree and Ph.D. degree from Xidian
University, Xi’an, China, in 2001 and 2007, respectively. In 2007, he joined
ISN Lab (State Key Laboratory of Integrated Service Networks) at Xidian
University. His research interests include cryptography, sequence design, and
coding theory.
GuoZhen XIAO received the B.S. degree in mathematics from Northeast
Normal University, Changchun, China, in 1954, and the M.S. degree in
mathematics from the East China Normal University, Shanghai, China, in
1956. From 1956 to 1960, he was an Associate Instructor in Northeast Normal
University. He joined Xidian University, Xi’an, China, in 1960, and became
a Full Professor in 1981. His research interests include cryptography, coding
and information theory.