On some cryptographic properties of Boolean functions and their second-order derivatives

In this paper some cryptographic properties of Boolean functions, including weight, balancedness and nonlinearity, are studied, particularly focusing on splitting functions and cubic Boolean functions. Moreover, we present some quantities derived from the behaviour of second-order derivatives which allow us to determine whether a quadratic or cubic function is APN.


Introduction
Boolean functions are widely studied and applied in coding theory, cryptography and other fields.The properties of (vectorial) Boolean functions play a critical role in cryptography, particularly in the design of symmetric key algorithms in block cipher and nonlinear filters and combiners in stream ciphers.To find a function with good properties for a cryptosystem to possess robust resistance against most of the known attacks, a lot of effort is required.Cryptographic Boolean functions should satisfy various criteria simultaneously, for instance balancedness, high nonlinearity and good autocorrelation properties, to particularly resist linear cryptanalysis and differential cryptanalysis [12].This paper discusses some cryptographic properties of Boolean functions and is organised as follows.Section 2 reports some known results which form a basis for what is being studied in this paper.In Section 3, we show how the weight of any Boolean function can be related to the weights of some other functions at a lower dimension, we prove some results on weight and balancedness of "splitting" functions and a special class of cubic Boolean functions.In Section 4, we give an inequality relation which relate the nonlinearity of any Boolean function to the nonlinearity of some other functions at a lower dimension and nonlinearity of some splitting functions is proved.Finally, in Section 5, a parameter of a Boolean function based on its second-order derivatives is introduced and has been used for characterization of quadratic and cubic APN functions.

Preliminaries
In this section we report some definitions and results which we use in our work.For more details, the reader is referred to [2,3,7,9,11,13].
We denote the field of two elements, 0 and 1, by F. Any vector in the vector space F n is denoted as v (not as v or v).The size of a set A is denoted as |A|.
A Boolean function (Bf ) is any function f from F n to F and a vectorial Boolean function (vBf ) is any function F from F n to F m , n, m ∈ N.However, in the present paper we only consider vBf's from F n to F n .We use algebraic normal form (ANF for short), to represent the Bf's, which is the n-variable polynomial representation over F given by f (x 1 , ..., x n ) = I⊆P a I i∈I x i where P = {1, ..., n} and a I ∈ F. The algebraic degree or simply degree of f (denoted by deg(f )) is max a I =0 |I|.The set of all Bf's is denoted by B n .
For a Bf f , we say that f is linear if deg(f ) ≤ 1 and f (0) = 0, affine if deg(f ) ≤ 1, quadratic if deg(f ) = 2 and cubic if deg(f ) = 3.The set of all affine functions is denoted by A n .Given a vBf F = (f 1 , ..., f n ), the functions f 1 , ..., f n are called coordinate functions and the functions λ•F , where λ ∈ F n \{0} and "•" is a dot product, are called component functions and we write F λ = λ•F .The degree of a vBf F is given by deg(F ) = max λ∈F n \{0} deg(F λ ).We say that F is quadratic if deg(F ) = 2 and cubic if deg(F ) = 3.If all components of a vBf F are quadratic, we call F a pure quadratic.
For m < n, if f is in B n and depends only on m variables, then we denote by f ↾F m its restriction to these m variables.Clearly, We define the Walsh transform of f , the function W f from F n to Z, as We define F(f ) as Observe that f is balanced if and only if The nonlinearity of a Bf f can also be given by this happens only for n even).The lowest possible value for L(f ) is 2 n 2 and this bound is achieved for bent functions (and only them).Let a, b ∈ F n .The first-order derivative of f ∈ B n at a is defined by and its second-order derivative at a and b is Theorem 2. Let F be a vBf.Then F is a permutation if and only if all components are balanced.Two Bf's f, g : F n → F are said to be affine equivalent if there exists an affinity ϕ : F n → F n such that f = g • ϕ.This relation is denoted by ∼ A and we write f ∼ A g. Observe that ∼ A is an equivalence relation.The following result is well-known.Proposition 3. Let f, g ∈ B n be such that f ∼ A g .Then w(f ) = w(g) and so f is balanced ⇐⇒ g is balanced.
Remark 4. Since, by Proposition 3, w(f ) = w(g) if f ∼ A g, then it also implies that Next we present the theorem on classification of quadratic Boolean functions, whose proof can be found in [11] page 438.
The proof of the next theorem and lemma (respectively) can be found in [10] on page 134.
Theorem 7. Let f be a quadratic Bf denoted as in Theorem 6.Then we have W f (a) ∈ {0, ±2 n−k }, for a ∈ F n , and Lemma 8. Two quadratic Bf 's g and h on F n are affine equivalent if and only if w(g) = w(h) and N (g) = N (h).
is a constant} the set of all linear structures and we call it the linear space of a Bf f .A Bf f is partially-bent if there exists a linear subspace W of F n such that the restriction of f to W is affine and the restriction of f to any complementary subspace U of W , W ⊕ U = F n , is bent [5].In fact the linear subspace W of F n is formed by the set of all linear structures of f , that is, W = V (f ) and observe that the dimension of U must be even.A partially-bent f can be represented as a direct sum of the restricted functions such as f (y + z) = f (y) + f (z), for all y ∈ U and z ∈ V (f ).
Remark 9. From Theorem 6, it can be deduced that any quadratic function f is partiallybent and dim V (f ) is even if n is even and odd if n is odd.Moreover, we must have dim V (f ) = 0 if and only if f is bent.
The following result is well-known.
3 On the weight of Boolean functions In this section we classify the weight of some class of cubic functions and others.Some conditions for these functions to be balanced are determined.
Definition 11.A Bf f on n variables is a splitting function if for some positive integer s < n, g ∈ B s and h ∈ B n−s .
Remark 12.If g(x 1 , ..., x s ), with s < n, is in B n then w(g) = 2 n−s w(g ↾F s ) and F(g) = 2 n−s F(g ↾F s ).Furthermore, g is balanced if and only if g ↾F s is balanced and also F(g) = 0 if and only if F(g ↾F s ) = 0.
Next we consider the weight and balancedness of splitting Bf's.
Lemma 13.Let f ∈ B n be such that f ∼ A g(x 1 , ..., x s ) + h(x s+1 , ..., x n ), with s < n Then Proof.Since, by Remark 4, F(f ) is invariant under affine equivalence, then we have It is immediate from Remark 12 and Lemma 13 that the following corollary holds.
Corollary 14.For t ∈ N and Proof.We have We now present some results on balanced splitting functions.
Then f is balanced if and only if either g or h is balanced.
x mi+j . Then Observe that the function f in Proposition 17 is balanced if and only if m = 1, that is, f is balanced if and only if it is a linear function.
Remark 18.All quadratic Bf 's are splitting functions (deduced from Theorem 6) and those which are unbalanced are of the form given in Proposition 17 and their complements, with m = 2.So applying Proposition 17, This result on weight of quadratic is well-known.
Now we study the weight and balancedness of Bf's in some given form.We show how the weight of a Bf on n variables can be related to the weights of some other functions at a lower dimension.
Any Bf can be expressed in the form We say that f is the convolutional product of g and h.Observe that the convolutional product is a special case of the form defined by for some positive integer m and Bf's g and h on n variables.In fact, for any Bf f , there exists a positive integer m such that f can be expressed in the form (3.3).Next we show that if the weights of g and h are known, then the weight of f is obtained.
) f is balanced if both g and h are balanced, (d) f is unbalanced if one in {g, h} is balanced and the other is not.
(a) Let X = (x, y) ∈ F m × F n .Then we have = (2 m − 1) (b) Recall that f is balanced if and only if we have (c) Suppose g and h are both balanced.Then F(g ↾F n ) = F(h ↾F n ) = 0. Applying Equation (3.4), it implies that F(f ) = 0, and so f is balanced.
(d) Without loss of generality, suppose that g is balanced while h not.Then F(g ↾F n ) = 0 and F(h ↾F n ) = 0 which, by Equation (3.4), implies that F(f ) = 0, and so f is unbalanced.
Observe that if g and h are such that g = h • ϕ + 1, for some affinity ϕ, then f is balanced since w Finally, we consider the weight of cubic Bf's.Generally, it is difficult to determine the weight for Bf's of degree greater than 2 (see [8]).Next we present a result which completely describes the weight of a special class of cubic functions.This result allows us to construct an algorithm that computes the weight of any cubic function.
Since we have the knowledge of weights of affine and quadratic functions (see Remark 18) and by applying Remark 20, we can state our classification theorem for the weight of the special class of cubic functions.We omit the proof of Theorem 21 because it is a direct case-by-case computation.
, if h and g are quadratic unbalanced.Moreover, if both h and g are balanced Thanks to Theorem 21, the following corollary which gives a description of all balanced cubic functions of the class f = x n+1 g(x 1 , ..., Corollary 22.With the same notation as in Theorem 21, a cubic Bf f is balanced if and only if one of the following holds: (a) both g and h are balanced, (b) g ∼ A q and h ∼ A q, (c) g ∼ A q and h ∼ A q.
Applying Lemma 8 and Theorem 21, Corollary 22 can be simplified as in the following.
Proof.By Equation (3.4), we have either both g and h are balanced or w(g ↾F n ) = w(h ↾F n + 1) with both g and h unbalanced quadratics ⇐⇒ either both g and h are balanced or g = h • ϕ + 1, for some affinity ϕ (by Lemma 8).Now we consider cubic Bf's which cannot be expressed in the form described in Theorem 21.If a Bf f is expressed in the form (3.1), that is, f = x 1 g(x 2 , ..., x n ) + h(x 2 , ..., x n ) then w(f ) = w((g + h) ↾F n−1 ) + w(h ↾F n−1 ).Since our interest is in cubic functions, it can be assumed that g is quadratic and h can be affine, quadratic or cubic.If h is affine or quadratic, then weight of f can be easily computed by Theorem 21.It becomes difficult to find the weight of f if h is cubic since in this case it implies that g + h is also cubic and finding w(h ↾F n−1 ) and w((g + h) ↾F n−1 ) is not easy.However, we can recursively repeat the process of decomposition of f so that its weight is the sum of weights of some affine or quadratic functions on a vector space of dimension < n over F. For instance, further decomposing g + h and h into the form g + h = x 2 g 1 (x 3 , ..., x n ) + h 1 (x 3 , ..., x n ) and h = x 2 g ′ 1 (x 3 , ..., x n ) + h ′ 1 (x 3 , ..., x n ), the weight of f becomes w(f ) = w(( . We use this idea to build an algorithm which computes the weight of any cubic Bf's and its efficiency and simplicity relies on Theorem 21 and the known results about the weights of affine and quadratic functions.

Algorithm 1
The following algorithm computes the weight of a cubic function f on n variables: sum up all the weights found to obtain w(f ).

Nonlinearity of Boolean functions
We begin with the nonlinearity of a function whose terms have the degree but their variables are pairwise disjoint.
Proposition 24.Let f ∈ B n , with deg(f ) = m and m > 1, be such that x mt+j . Then where α, x ∈ F n .Observe that f + l α is balanced if l α has some variables which are not in f (see Proposition 10) and in this case, we have W f (α) = F(f + l α ) = 0. Thus we can assume that l α (x) = l a (X) = a • X, with a = (a 0 , ..., a k−1 ) and X = (y 0 , ..., y k−1 ) in (F m ) k , so that all variables in l a are also in f .By Corollary 14, we have Remark 25.We deduce from Proposition 24 that f is bent if and only if m = 2 and k = n/2, for n even, otherwise 2 n−mk−1 2 k (2 m−1 − 1) k would be equal to 2 Proof.Since nonlinearity is invariant under affine equivalence, we can simply write f = m j=1 x j g(x m+1 , ..., x m+n ) + 1 + m j=1 x j h(x m+1 , ..., x m+n ).Let X = (y, x) ∈ F m × F n , with y = (x 1 , ..., x m ) and x = (x m+1 , ..., x m+n ), and 1 = (1, 1, ..., 1).Then To reach the last step we used the fact that and also that λ = 0 if a = 0.
For any two integers c and d, it is well-known that |c + d| ≤ |c| + |d|.Clearly, we have Since then we deduce that, for any α = (a, b), we have Remark 27.Note that if m = 1, by Theorem 26, the nonlinearity of It is immediate from Theorem 7 and Remark 27 that the following corollary holds.
Corollary 28.Let f be as described in Theorem 21.Then if g is quadratic and h affine, Corollary 28 suggests a way of constructing Bf's with high non-linearity.

A Characterization of APN Functions
In this section we define a parameter which is used for characterization of quadratic and cubic APN function.This parameter can also be used to describe some properties for quadratic and cubic partially-bent functions.

Some known results on APN functions
Some definitions and known results on APN functions, which can be found in [1,2,5,6,7], are reported.
For a vBf F , the kth power moment of Walsh transform is defined as Next we state a result in which APN functions are characterized by the fourth power moment of Walsh transform.
Theorem 30.Let F be a vBf from F n to itself.Then Moreover, F is APN if and only if equality holds.
The following result can be easily deduced from Theorem 30.
Moreover, F is APN if and only if equality holds.

The parameter M(f )
We define and study some properties of a parameter for a Boolean function based on its second-order derivatives and in the next subsection we use it for characterization of quadratic and cubic APN functions.
Proof.Let ϕ be the affinity of Proposition 34.Let f ∈ B n .Then, for all a ∈ F n , (i) Z a (f ) is a vector space and has nonzero dimension, (ii) U a (f ) is either a coset of Z a (f ) or the empty set. Proof.
To show that it is of nonzero dimension, observe that if a = 0 then Z a (f ) = F n and if a = 0, then we have D a D a f (x) = 0, implying that {0, a} ⊆ Z a (f ).So the dimension of Z a (f ) is at least 1.
(ii) Suppose that U a (f Thus, b 2 ∈ U a (f ).Conversely, for e ∈ U a (f ), we have Proposition 35.Let f ∈ B n be a Bf with deg(f ) ∈ {2, 3}.Then, for some even integer j, with 1 < j < n and any a ∈ F n , we have denotes the dual set and A c denotes the complement of a set A). Thus, Z a (f ) = W and Finally, suppose that deg(D a f ) = 2, that is, by Theorem 6, we know that Observe that in both cases, |Z a (f Proposition 36.For any quadratic and cubic partially-bent function f , we have where k = dim V (f ).
Proof.We know, from Proposition 35, that M a (f ) = 0 if and only if D a f is balanced and M a (f ) = 2 n if and only if D a f is a constant.We deduce, from the definition, that for any partially-bent function f , D a f is constant if and only if a ∈ V (f ) and D a f is balanced if and only if a / ∈ V (f ).Recall that all quadratic functions are partially-bent.Thus, for any quadratic function or cubic partially-bent function f , we have If a function f is bent, then k = 0 and so, by Proposition 36, M(f ) = 0. Thus, we state this in the following.
Corollary 37. Let f ∈ B n be a quadratic or cubic function.Then f is bent if and only if M(f ) = 0.
Observe that the result in Corollary 37 can also be deduced by Theorem 1 and Proposition 35.
Lemma 38.Let f ∈ B n , with n odd, be quadratic.Then dim V (f ) ≥ 1 and equality holds if and only if f is semi-bent.
Proof.From Theorem 6, observe that By Theorem 6 and Lemma 38, the following corollary holds.
Corollary 39.For n odd, a quadratic Bf f is semi-bent if and only if M(f ) = 2 n .

APN functions and their second-order derivatives
For a vBf F : F n → F n , define M(F ) = λ =0∈F n M(F λ ).It is clear from Subsection 5.2 that the quantity M(F ) is defined based on second-order derivatives of components of F .We establish a connection between the fourth power moment of the Walsh transform and the value M(F ), and consequently derive a characterization of quadratic and cubic APN functions based on the latter quantity.
By applying Lemma 38 and Corollary 46, we can deduce the only well-known result present in this subsection.
Theorem 47 ([4]).Let F : F n → F n , with n odd, be a pure quadratic function.Then F is APN if and only if it is AB.
For any partially-bent function f in even dimension, dim V (f ) must be even and dim V (f ) = 0 if and only if f is bent.So we deduce, from Corollary 46, that a quadratic function or cubic partially-bent APN function F : F n → F n must have 2(2 n − 1)/3 bent components if the linear spaces for all components have dimensions 0 or 2.Moreover, if there is a component with dimension 2ℓ, ℓ > 1, then the number of bent components has to be increased by (2 2ℓ − 1)/3 − 1 in order for equality of Relation (5.3) to hold.Since, in the case of n = 4, the dimension of linear space of any quadratic function is either 0 or 2, then we deduce the following.(5.4) So, by Theorem 30 and Equation (5.4), we deduce the following result which relates an APN function to its second order derivatives (this result can also be directly deduced from Theorem 31).
Theorem 49.Let F : F n → F n be a vBf.Then Moreover, F is APN if and only if equality holds.

Conclusion
In this paper, we proved some results about the weight, balancedness and nonlinearity of some splitting functions and a special class of cubic functions.We also proved some results on how the weight and nonlinearity of any Boolean function can be, respectively, related to the weights and nonlinearity of some other functions at a lower dimension.Furthermore, we introduced a parameter of a Boolean function, based on second-order derivatives, from which we derived a characterization of quadratic and cubic APN functions.

Proposition 48 .
A pure quadratic function Q : F 4 → F 4 is APN if and only if there are 10 bent components.By Equation (5.1) in Lemma 40, for any vBf F : F n → F n , we have L 4 (F ) = 2 n λ =0,c,b∈F n F(D b D c F λ ).