On the Higher Order Nonlinearities of Boolean Functions and S-Boxes, and Their Generalizations

(Invited Paper)
  • Claude Carlet
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5203)


The r-th order nonlinearity of a Boolean function \(f:F_2^n\to F_2\) is its minimum Hamming distance to all functions of algebraic degrees at most r, where r is a positive integer. The r-th order nonlinearity of an S-box \(F:F_2^n\to F_2^m\) is the minimum r-th order nonlinearity of its component functions v·F, \(v\in F_2^m\setminus \{0\}\). The role of this cryptographic criterion against attacks on stream and block ciphers has been illustrated by several papers. Its study is also interesting for coding theory and is related to the covering radius of Reed-Muller codes (i.e. the maximum multiplicity of errors that have to be corrected when maximum likelihood decoding is used on a binary symmetric channel). We give a survey of what is known on this parameter, including the bounds involving the algebraic immunity of the function, the bounds involving the higher order nonlinearities of its derivatives, and the resulting bounds on the higher order nonlinearities of the multiplicative inverse functions (used in the S-boxes of the AES). We show an improvement, when we consider an S-box instead of a Boolean function, of the bounds on the higher order nonlinearity expressed by means of the algebraic immunity. We study a generalization (for S-boxes) of the notion and we give new results on it.


Block cipher Boolean function Covering radius Cryptography Higher-order nonlinearity Reed-Muller code S-box Stream cipher 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Armknecht, F., Carlet, C., Gaborit, P., Künzli, S., Meier, W., Ruatta, O.: Efficient computation of algebraic immunity for algebraic and fast algebraic attacks. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 147–164. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  2. 2.
    Armknecht, F., Krause, M.: Constructing single- and multi-output boolean functions with maximal immunity. In: Bugliesi, M., Preneel, B., Sassone, V., Wegener, I. (eds.) ICALP 2006. LNCS, vol. 4052, pp. 180–191. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  3. 3.
    Baignères, T., Junod, P., Vaudenay, S.: How far can we go beyond linear cryptanalysis? In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 432–450. Springer, Heidelberg (2004)Google Scholar
  4. 4.
    Braeken, A., Preneel, B.: On the Algebraic Immunity of Symmetric Boolean Functions. In: Maitra, S., Veni Madhavan, C.E., Venkatesan, R. (eds.) INDOCRYPT 2005. LNCS, vol. 3797, pp. 35–48. Springer, Heidelberg (2005), http://homes.esat.kuleuven.be/~abraeken/thesisAn.pdf CrossRefGoogle Scholar
  5. 5.
    Carlet, C.: The monograph Boolean Methods and Models. In: Crama, Y., Hammer, P. (eds.) Boolean Functions for Cryptography and Error Correcting Codes. Cambridge University Press, Cambridge (to appear), http://www-rocq.inria.fr/codes/Claude.Carlet/pubs.html
  6. 6.
    Carlet, C.: The monography Boolean Methods and Models. In: Crama, Y., Hammer, P. (eds.) Vectorial (multi-output) Boolean Functions for Cryptography. Cambridge University Press, Cambridge (to appear), http://www-rocq.inria.fr/codes/Claude.Carlet/pubs.html
  7. 7.
    Carlet, C.: The complexity of Boolean functions from cryptographic viewpoint. Dagstuhl Seminar. Complexity of Boolean Functions (2006), http://drops.dagstuhl.de/portals/06111/
  8. 8.
    Carlet, C.: On the higher order nonlinearities of algebraic immune functions. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 584–601. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  9. 9.
    Carlet, C.: Recursive Lower Bounds on the Nonlinearity Profile of Boolean Functions and Their Applications. IEEE Trans. Inform. Theory 54(3), 1262–1272 (2008)CrossRefMathSciNetGoogle Scholar
  10. 10.
    Carlet, C.: A method of construction of balanced functions with optimum algebraic immunity. In: The Proceedings of the International Workshop on Coding and Cryptography, The Wuyi Mountain, Fujiang, China, June 11-15, 2007. Series of Coding and Cryptology, vol. 4, World Scientific Publishing Co., Singapore (2008)Google Scholar
  11. 11.
    Carlet, C., Dalai, D., Gupta, K., Maitra, S.: Algebraic Immunity for Cryptographically Significant Boolean Functions: Analysis and Construction. IEEE Trans. Inform. Theory 52(7), 3105–3121 (2006)CrossRefMathSciNetGoogle Scholar
  12. 12.
    Carlet, C., Ding, C.: Nonlinearities of S-boxes. Finite Fields and its Applications 13(1), 121–135 (2007)MATHCrossRefMathSciNetGoogle Scholar
  13. 13.
    Carlet, C., Feng, K.: New balanced Boolean functions satisfying all the main cryptographic criteria. IACR cryptology e-print archive 2008/244Google Scholar
  14. 14.
    Carlet, C., Mesnager, S.: Improving the upper bounds on the covering radii of binary Reed-Muller codes. IEEE Trans. on Inform. Theory 53, 162–173 (2007)CrossRefMathSciNetGoogle Scholar
  15. 15.
    Carlitz, L., Uchiyama, S.: Bounds for exponential sums. Duke Math. Journal 1, 37–41 (1957)CrossRefMathSciNetGoogle Scholar
  16. 16.
    Chabaud, F., Vaudenay, S.: Links between Differential and Linear Cryptanalysis. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 356–365. Springer, Heidelberg (1995)CrossRefGoogle Scholar
  17. 17.
    Charpin, P., Helleseth, T., Zinoviev, V.: Propagation characteristics of xx − 1 and Kloosterman sums. Finite Fields and their Applications 13(2), 366–381 (2007)CrossRefMathSciNetGoogle Scholar
  18. 18.
    Cheon, J.H., Lee, D.H.: Resistance of S-Boxes against Algebraic Attacks. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 83–94. Springer, Heidelberg (2004)Google Scholar
  19. 19.
    Cohen, G., Honkala, I., Litsyn, S., Lobstein, A.: Covering codes. North-Holland, Amsterdam (1997)MATHGoogle Scholar
  20. 20.
    Courtois, N.: Higher order correlation attacks, XL algorithm and cryptanalysis of Toyocrypt. In: Lee, P.J., Lim, C.H. (eds.) ICISC 2002. LNCS, vol. 2587, pp. 182–199. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  21. 21.
    Courtois, N., Debraize, B., Garrido, E.: On exact algebraic [non-]immunity of S-boxes based on power functions. IACR e-print archive 2005/203Google Scholar
  22. 22.
    Courtois, N., Meier, W.: Algebraic attacks on stream ciphers with linear feedback. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 345–359. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  23. 23.
    Courtois, N., Pieprzyk, J.: Cryptanalysis of block ciphers with overdefined systems of equations. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 267–287. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  24. 24.
    Daemen, J., Rijmen, V.: AES proposal: Rijndael (1999), http://csrc.nist.gov/encryption/aes/rijndael/Rijndael.pdf
  25. 25.
    Dalai, D.K., Maitra, S., Sarkar, S.: Basic Theory in Construction of Boolean Functions with Maximum Possible Annihilator Immunity. Designs, Codes Cryptogr. 40(1), 41–58 (2006), http://eprint.iacr.org/ MATHCrossRefMathSciNetGoogle Scholar
  26. 26.
    Dalai, D.K., Gupta, K.C., Maitra, S.: Cryptographically Significant Boolean functions: Construction and Analysis in terms of Algebraic Immunity. In: Gilbert, H., Handschuh, H. (eds.) FSE 2005. LNCS, vol. 3557, pp. 98–111. Springer, Heidelberg (2005)Google Scholar
  27. 27.
    Didier, F.: A new upper bound on the block error probability after decoding over the erasure channel. IEEE Trans. Inform. Theory 52, 4496–4503 (2006)CrossRefMathSciNetGoogle Scholar
  28. 28.
    Dumer, I., Kabatiansky, G., Tavernier, C.: List decoding of Reed-Muller codes up to the Johnson bound with almost linear complexity. In: Proceedings of ISIT 2006, Seattle, USA (2006)Google Scholar
  29. 29.
    Fourquet, R.: Une FFT adaptée au décodage par liste dans les codes de Reed-Muller d’ordres 1 et 2. Master-thesis of the University of Paris VIII, Thales communication, Bois Colombes (2006)Google Scholar
  30. 30.
    Fourquet, R.: Private communication (2007)Google Scholar
  31. 31.
    Fourquet, R., Tavernier, C.: An improved list decoding algorithm for the second order Reed-Muller codes and its applications. Des. Codes Cryptogr (to appear, 2008)Google Scholar
  32. 32.
    Fourquet, R., Tavernier, C.: Private communication (2008)Google Scholar
  33. 33.
    Golic, J.: Fast low order approximation of cryptographic functions. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 268–282. Springer, Heidelberg (1996)Google Scholar
  34. 34.
    Iwata, T., Kurosawa, K.: Probabilistic higher order differential attack and higher order bent functions. In: Lam, K.-Y., Okamoto, E., Xing, C. (eds.) ASIACRYPT 1999. LNCS, vol. 1716, pp. 62–74. Springer, Heidelberg (1999)Google Scholar
  35. 35.
    Kabatiansky, G., Tavernier, C.: List decoding of second order Reed-Muller codes. In: Proc. 8th Int. Symp. Comm. Theory and Applications, Ambleside, UK (July 2005)Google Scholar
  36. 36.
    Kaliski, B., Robshaw, M.: Linear cryptanalysis using multiple approximations. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 26–38. Springer, Heidelberg (1994)Google Scholar
  37. 37.
    Kasami, T., Tokura, N.: On the weight structure of Reed-Muller codes. IEEE Trans. Inform. Theory IT-16 (6), 752–825 (1970)CrossRefMathSciNetGoogle Scholar
  38. 38.
    Kasami, T., Tokura, N., Azumi, S.: On the weight enumeration of weights less than 2.5d of Reed-Muller codes. Information and Control 30, 380–395 (1976)MATHCrossRefMathSciNetGoogle Scholar
  39. 39.
    Kasami, T., Tokura, N., Azumi, S.: On the weight enumeration of weights less than 2.5d of Reed-Muller codes. Report of faculty of Eng. Sci, Osaka Univ., JapanGoogle Scholar
  40. 40.
    Knudsen, L.R., Robshaw, M.J.B.: Non-linear approximations in linear cryptanalysis. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 224–236. Springer, Heidelberg (1996)Google Scholar
  41. 41.
    Lachaud, G., Wolfmann, J.: The Weights of the Orthogonals of the Extended Quadratic Binary Goppa Codes. IEEE Trans. Inform. Theory 36, 686–692 (1990)MATHCrossRefMathSciNetGoogle Scholar
  42. 42.
    Lobanov, M.: Tight bound between nonlinearity and algebraic immunity. Paper 2005/441 http://eprint.iacr.org/
  43. 43.
    MacWilliams, F.J., Sloane, N.J.A.: The theory of error-correcting codes. North-Holland, Amsterdam (1977)MATHGoogle Scholar
  44. 44.
    Maurer, U.M.: New approaches to the design of self-synchronizing stream ciphers. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 458–471. Springer, Heidelberg (1991)Google Scholar
  45. 45.
    Meier, W., Pasalic, E., Carlet, C.: Algebraic attacks and decomposition of Boolean functions. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 474–491. Springer, Heidelberg (2004)Google Scholar
  46. 46.
    Mesnager, S.: Improving the lower bound on the higher order nonlinearity of Boolean functions with prescribed algebraic immunity. IEEE Trans. Inform. Theory 54(8) (August 2008); Preliminary version available at Cryptology ePrint Archive, no. 2007/117Google Scholar
  47. 47.
    Millan, W.: Low order approximation of cipher functions. In: Dawson, E.P., Golić, J.D. (eds.) Cryptography: Policy and Algorithms 1995. LNCS, vol. 1029, pp. 144–155. Springer, Heidelberg (1996)CrossRefGoogle Scholar
  48. 48.
    Shanbhag, A., Kumar, V., Helleseth, T.: An upper bound for the extended Kloosterman sums over Galois rings. Finite Fields and their Applications 4, 218–238 (1998)MATHCrossRefMathSciNetGoogle Scholar
  49. 49.
    Shannon, C.E.: Communication theory of secrecy systems. Bell system technical journal 28, 656–715 (1949)MathSciNetGoogle Scholar
  50. 50.
    Shimoyama, T., Kaneko, T.: Quadratic Relation of S-box and Its Application to the Linear Attack of Full Round DES. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 200–211. Springer, Heidelberg (1998)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Claude Carlet
    • 1
  1. 1.Department of Mathematics (MAATICAH)University of Paris 8Saint-Denis CedexFrance

Personalised recommendations