
Information Sciences 180 (2010) 256–265


Information Sciences
journal homepage: www.elsevier.com/locate/ins

On the global avalanche characteristics between two Boolean functions and the higher order nonlinearity ☆

Yu Zhou a,*, Min Xie b, Guozhen Xiao a
a National Key Laboratory of Integrated Service Networks, Xidian University, Xi'an 710071, PR China
b Key Laboratory of Computer Network and Information Security, Xidian University, Xi'an 710071, PR China

Article info

Article history:
Received 18 February 2009
Received in revised form 17 September 2009
Accepted 19 September 2009

Keywords:
Stream cipher
Boolean functions
Global avalanche characteristics
Walsh spectrum
Higher order nonlinearity

Abstract
The criterion for the global avalanche characteristics (GAC) of cryptographic functions is an
important property. To measure the correlation between two arbitrary Boolean functions,
we propose two new criteria called the sum-of-squares indicator and the absolute indicator
of the cross-correlation between two Boolean functions. The two indicators generalize the
GAC criterion. Based on the properties of the cross-correlation function, we deduce the
rough lower and the rough upper bounds on the two indicators by hamming weights of
two Boolean functions, and generalize some properties between the Walsh spectrum and
the cross-correlation function. Furthermore, we give the tight upper and the tight lower
bounds on the two indicators. Finally, we show some relationships between the upper
bounds on the two indicators and the higher order nonlinearity.
© 2009 Elsevier Inc. All rights reserved.

1. Introduction
Strict avalanche criteria (SAC) [1,15] and propagation characteristic (PC) [11] are important properties to study the dynamic behavior of a cryptographic Boolean function when the input to the function is modified. However, the SAC and PC
capture only the local properties of Boolean functions. In order to improve the global analysis of cryptographically strong
functions, Zhang and Zheng introduced another criterion, which measures GAC [16] of just one Boolean function.
In case of two arbitrary Boolean functions, we say that they are close to each other in a precise statistical sense if they are
highly correlated. On the other hand a correlation of zero between the two Boolean functions means that the two functions
are statistically far apart. Shannon [13] outlined the basic design principles of secret key cryptosystems: confusion and diffusion. Confusion means that the constituent Boolean functions of a secret key system should have small correlation to each
other, which results in the constituent Boolean functions being very different from each other. Diffusion on the other hand
means that the constituent Boolean functions should have certain uniformity properties, leading to an overall uniformity of
the cryptosystem.
Most work on the design of Boolean functions has been motivated by all kinds of attacks. While this is useful for current practice, a fundamental understanding is required in the long run. In order to understand the relationship between Shannon's informal concepts of confusion and diffusion and cryptographic properties of Boolean functions, we attempt such an investigation. The auto-correlation function is a basic tool in the study of one Boolean function. In this paper we study the more general notion of correlation between two arbitrary Boolean functions, which is the so-called cross-correlation in [12]. We treat here the cross-correlation function as a fundamental tool and propose two new indicators of the cross-correlation function.
Furthermore, the higher order nonlinearity is an important property of Boolean functions, of which much work has been done in [4–7,9,10,14]. We know that computing the $r$th order nonlinearity of a given Boolean function with algebraic degree strictly greater than $r$ is a hard task for $r > 1$. In this paper, we will study the relationship between the higher order nonlinearity and the two new indicators.
Based on these considerations, we propose two definitions of the sum-of-squares indicator and the absolute indicator of the cross-correlation between two Boolean functions in Section 2. We give the rough (or, tight) upper and the rough (or, tight) lower bounds on the two indicators, and generalize more general properties of the cross-correlation between two arbitrary Boolean functions in Section 3. Finally we show some relationships between the upper bounds on the two indicators and the higher order nonlinearity in Section 4.

☆ This work was supported by the 863 Project (No. 2007AA01Z472 and 2008AA01Z411), the National Natural Science Foundation of China (Grant Nos. 60773003, 60503010 and 60603010), Subject of National Defence Key Lab of Communication Private (No. 9140C1107020905) and Gansu Natural Science Foundation (Grants No. 096RJZA124).
* Corresponding author.
E-mail address: zhouyu.zhy@tom.com (Y. Zhou).
0020-0255/$ - see front matter © 2009 Elsevier Inc. All rights reserved.
doi:10.1016/j.ins.2009.09.012

2. Preliminaries
Let us denote the set of $n$-variable Boolean functions by $B_n$. We denote by $\oplus$ the additions in $F_2$, $F_2^n$ and $B_n$. Any $f(x) \in B_n$ can be expressed as a polynomial, called its algebraic normal form (ANF):

$$f(x_1, \ldots, x_n) = a_0 \oplus \bigoplus_{1 \le i \le n} a_i x_i \oplus \bigoplus_{1 \le i < j \le n} a_{i,j} x_i x_j \oplus \cdots \oplus a_{1,\ldots,n} x_1 x_2 \cdots x_n,$$

where the coefficients $a_0, a_i, a_{i,j}, \ldots, a_{1,\ldots,n} \in F_2$. The algebraic degree, $\deg(f)$, is the number of variables in the highest order term with non-zero coefficient. A Boolean function is affine if there exists no term of degree $> 1$ in the ANF and the set of all affine functions is denoted by $A_n$. An affine function with constant term equal to zero is called a linear function. We denote by $\varphi_\alpha$, $\alpha \in F_2^n$, the linear function $x \mapsto \varphi_\alpha = \alpha \cdot x = \alpha_1 x_1 \oplus \alpha_2 x_2 \oplus \cdots \oplus \alpha_n x_n$. The hamming weight of $f(x) \in B_n$, $wt(f)$, is the size of its support $\{x \in F_2^n \mid f(x) = 1\}$. A function $f(x) \in B_n$ is balanced if $wt(f) = 2^{n-1}$ holds.
The Walsh spectrum of $f(x) \in B_n$ is defined as

$$F(f \oplus \varphi_\alpha) = \sum_{x \in F_2^n} (-1)^{f(x) \oplus \alpha \cdot x}.$$

Reed–Muller codes, introduced by Muller and Reed in 1954, being one of the best understood families of codes, can be defined in terms of Boolean functions. The binary $r$th order Reed–Muller code $RM(r, n)$ is the set of all binary vectors of length $2^n$ associated with multivariate binary polynomials $f(x_1, x_2, \ldots, x_n)$ of algebraic degree at most $r$ in [9].
The hamming distance $d_H(f, g)$ between two $n$-variable Boolean functions $f(x)$ and $g(x)$ equals the size of the set $\{x \in F_2^n \mid f(x) \ne g(x)\}$. We have

$$d_H(f, g) = 2^{n-1} - \frac{1}{2} \sum_{x \in F_2^n} (-1)^{f(x) \oplus g(x)}.$$

We shall denote by $nl_r(f)$ the minimum hamming distance between a given Boolean function $f(x) \in B_n$ and all Boolean functions $g(x) \in B_n$ of degrees at most $r$. Then

$$nl_r(f) = 2^{n-1} - \frac{1}{2} \max_{g \in RM(r,n)} \left| \sum_{x \in F_2^n} (-1)^{f(x) \oplus g(x)} \right|.$$

Definition 1. The cross-correlation function between two Boolean functions $f(x), g(x) \in B_n$ is an integer-valued function $\Delta_{f,g} : F_2^n \to [-2^n, 2^n]$ defined by

$$\Delta_{f,g}(\alpha) = \sum_{x \in F_2^n} (-1)^{D_{f,g}(\alpha)},$$

where $\alpha \in F_2^n$, $D_{f,g}(\alpha) = f(x) \oplus g(x \oplus \alpha)$ is called the derivative of $f(x)$ and $g(x)$ in the direction of $\alpha \in F_2^n$.


When $f(x) = g(x)$ in Definition 1, the cross-correlation function is the auto-correlation function:

$$\Delta_f(\alpha) = \sum_{x \in F_2^n} (-1)^{f(x) \oplus f(x \oplus \alpha)}.$$

Two $n$-variable Boolean functions $f(x), g(x) \in B_n$ are said to be perfectly uncorrelated if $\Delta_{f,g}(\alpha) = 0$ for all $\alpha \in F_2^n$, and are said to be uncorrelated of degree $k$ if $\Delta_{f,g}(\alpha) = 0$ for all $\alpha \in F_2^n$ such that $0 \le wt(\alpha) \le k$.
In terms of Shannon's theory, if the component functions of a secret key system are pairwise perfectly uncorrelated, then the statistical distance between any two Boolean functions is the maximum possible. So the system has the best confusion. But this is too restrictive in practice. Thus we need to ensure that the cross-correlation between two arbitrary Boolean functions is uniformly small. Especially, in most secret key cryptosystems, such as Linear Feedback Shift Register (LFSR), running key generator, and pseudorandom sequence generator, the main components are Boolean functions. When Boolean functions are used to generate key stream sequences, one sequence can take the place of the other sequence in a statistical sense if the two sequences generated by two Boolean functions $f(x)$ and $g(x)$ are very close. Furthermore, from the perspective of an attacker, he (or she) can attack the unknown sequence by the known sequence. So the correlation is an important aspect of designing different sequences.
To measure correlation between $f(x)$ and $g(x)$, we propose the following two indicators:
Definition 2. Let $f(x), g(x) \in B_n$, the sum-of-squares indicator of the cross-correlation between $f(x)$ and $g(x)$ is defined by

$$\sigma_{f,g} = \sum_{\alpha \in F_2^n} \Delta_{f,g}^2(\alpha),$$

the absolute indicator of the cross-correlation between $f(x)$ and $g(x)$ is defined by

$$\Delta_{f,g} = \max_{\alpha \in F_2^n} |\Delta_{f,g}(\alpha)|.$$

Since the idea of the two indicators comes from the GAC [16], the sum-of-squares indicator and the absolute indicator of the cross-correlation function are called the global avalanche characteristics between two Boolean functions.
From Definition 2, we know that the two new criteria are generalizations of those in [3] and [16].
The smaller $\Delta_{f,g}$ and $\sigma_{f,g}$, the better the uncorrelation.
The two indicators introduce a number of problems to be resolved. These include:
1. What are the upper and the lower bounds on the two indicators?
2. Are there some relationships between the two indicators and other cryptographic indicators, such as nonlinearity, SAC,
PC and correlation immunity?
3. How to measure precise properties between the GAC of two different Boolean functions and any other criteria?

3. The lower and the upper bounds on $\Delta_{f,g}$ and $\sigma_{f,g}$

In order to find the lower and the upper bounds on $\Delta_{f,g}$ and $\sigma_{f,g}$, we firstly give some properties of the cross-correlation function. Then we deduce the rough (or, tight) lower and the rough (or, tight) upper bounds on $\Delta_{f,g}$ and $\sigma_{f,g}$.
Lemma 1. Let $f(x), g(x) \in B_n$, then

$$\sum_{\alpha \in F_2^n} \Delta_{f,g}(\alpha) = [2^n - 2wt(f)][2^n - 2wt(g)].$$

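Proof. By the definition of $\Delta_{f,g}(\alpha)$, we have

$$\sum_{\alpha \in F_2^n} \Delta_{f,g}(\alpha) = \sum_{\alpha \in F_2^n} \sum_{x \in F_2^n} (-1)^{f(x) \oplus g(x \oplus \alpha)} = \sum_{x \in F_2^n} (-1)^{f(x)} \sum_{\alpha \in F_2^n} (-1)^{g(x \oplus \alpha)} = [2^n - 2wt(f)][2^n - 2wt(g)].$$

In the following, we give a property of $\Delta_{f,g}$.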




Theorem 1. Let $f(x), g(x) \in B_n$, then $\Delta_{f,g}(\alpha) = 2^n - 2wt(f) - 2wt(g) + 4|C'_\alpha|$, where $C'_\alpha = \{x \in F_2^n : f(x) = 1, g(x \oplus \alpha) = 1\}$, $\alpha \in F_2^n$.
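Proof. By the definition of $\Delta_{f,g}(\alpha)$, we have

$$\begin{aligned}
\Delta_{f,g}(\alpha) &= \sum_{x \in F_2^n} (-1)^{f(x) \oplus g(x \oplus \alpha)} = \sum_{x \in F_2^n} (1 - 2f(x))(-1)^{g(x \oplus \alpha)} = 2^n - 2wt(g) - 2 \sum_{x \in F_2^n} f(x)(-1)^{g(x \oplus \alpha)} \\
&= 2^n - 2wt(g) - 2\{|\{x \in F_2^n : f(x) = 1, g(x \oplus \alpha) = 0\}| - |\{x \in F_2^n : f(x) = 1, g(x \oplus \alpha) = 1\}|\} \\
&= 2^n - 2wt(f) - 2wt(g) + 4|C'_\alpha|.
\end{aligned}$$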


Theorem 1 implies that $\Delta_{f,g}(\alpha)$ for some $\alpha \in F_2^n$ is maximal if and only if $|C'_\alpha|$ is maximal.

From Theorem 1, we give some results of perfectly uncorrelated functions and $|C'_\alpha|$.


Corollary 1. Let $f(x), g(x) \in B_n$. Then
(1) $f(x)$ and $g(x)$ are perfectly uncorrelated if and only if, for any $\alpha \in F_2^n$, $|C'_\alpha| = \frac{1}{2}[wt(f) + wt(g)] - 2^{n-2}$;
(2) $\sum_{\alpha \in F_2^n} |C'_\alpha| = wt(f)\,wt(g)$.

Proof. By the definition of perfect uncorrelation, Lemma 1 and Theorem 1, we get the result (1). And (2) is easy to be proved by Theorem 1. □
Based on Theorem 1 and Corollary 1, we give a rough upper bound and a rough lower bound on $\sigma_{f,g}$ only using hamming weights of $f(x)$ and $g(x)$.

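Theorem 2. Let $f(x), g(x) \in B_n$, $wt(f) = k_1$, $wt(g) = k_2$. Then
(1) $\min \sigma_{f,g} \ge 2^{3n} + 2^{n+2}(k_1^2 + k_2^2) - (2^{2n+2} + 16k_1k_2)(k_1 + k_2) + 2^{n+4}k_1k_2 + 16k_1k_2$;
(2) $\max \sigma_{f,g} \le 2^{3n} + 2^{n+2}(k_1^2 + k_2^2) - (2^{2n+2} + 16k_1k_2)(k_1 + k_2) + 2^{n+4}k_1k_2 + 16k_1k_2 + 32\binom{k_1}{2}\binom{k_2}{2}$.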

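Proof. Since

$$\begin{aligned}
\sum_{\alpha \in F_2^n} |C'_\alpha|^2 &= \sum_{\alpha \in F_2^n} \Big[\sum_{x \in F_2^n} f(x)g(x \oplus \alpha)\Big]^2 = \sum_{\alpha \in F_2^n} [f(x_1)g(x_1 \oplus \alpha) + f(x_2)g(x_2 \oplus \alpha) + \cdots + f(x_{2^n})g(x_{2^n} \oplus \alpha)]^2 \\
&= \sum_{\alpha \in F_2^n} \sum_{x \in F_2^n} f^2(x)g^2(x \oplus \alpha) + 2 \sum_{\alpha \in F_2^n} \sum_{\substack{x_i, x_j \in F_2^n \\ i<j}} f(x_i)f(x_j)\,g(x_i \oplus \alpha)g(x_j \oplus \alpha) \\
&= \sum_{x \in F_2^n} \Big[f^2(x) \sum_{\alpha \in F_2^n} g^2(x \oplus \alpha)\Big] + 2 \sum_{\substack{x_i, x_j \in F_2^n \\ i<j}} \Big[f(x_i)f(x_j) \sum_{\alpha \in F_2^n} g(x_i \oplus \alpha)g(x_j \oplus \alpha)\Big] \\
&= k_1k_2 + 2 \sum_{\substack{x_i, x_j \in Supp(f) \\ i<j}} \sum_{\alpha \in F_2^n} g(x_i \oplus \alpha)g(x_j \oplus \alpha).
\end{aligned}$$

Note that

$$0 \le \sum_{\alpha \in F_2^n} g(x_i \oplus \alpha)g(x_j \oplus \alpha) \le \binom{k_2}{2}$$

if $x_i, x_j \in Supp(f)$ and $i < j$. Thus we have

$$\sum_{\substack{x_i, x_j \in Supp(f) \\ i<j}} \sum_{\alpha \in F_2^n} g(x_i \oplus \alpha)g(x_j \oplus \alpha) \le \binom{k_1}{2}\binom{k_2}{2}.$$

On the other hand, by Theorem 1 and Corollary 1(2) we have

$$\begin{aligned}
\sigma_{f,g} &= \sum_{\alpha \in F_2^n} \Delta_{f,g}^2(\alpha) = \sum_{\alpha \in F_2^n} [2^n - 2k_1 - 2k_2 + 4|C'_\alpha|]^2 \\
&= 2^{3n} + 4 \cdot k_1^2 \cdot 2^n + 4 \cdot k_2^2 \cdot 2^n - 4 \cdot k_1 \cdot 2^{2n} - 4 \cdot k_2 \cdot 2^{2n} + 16 \cdot k_1k_2 \cdot 2^n - 16(k_1 + k_2) \sum_{\alpha \in F_2^n} |C'_\alpha| + 16 \sum_{\alpha \in F_2^n} |C'_\alpha|^2 \\
&= 2^{3n} + 2^{n+2}(k_1^2 + k_2^2) - (2^{2n+2} + 16k_1k_2)(k_1 + k_2) + 2^{n+4}k_1k_2 + 16 \sum_{\alpha \in F_2^n} |C'_\alpha|^2.
\end{aligned}$$

Combining Eq. (1) and the above result, we have the proof.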

In the following, we give the relationship among hamming weights of $f(x)$ and $g(x)$, the number of variables $n$ and the uncorrelation degree $t$.
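Theorem 3. Let $f(x), g(x) \in B_n$, $wt(f) = k_1$, $wt(g) = k_2$, $f(x)$ and $g(x)$ are uncorrelated of degree $t$.
(1) If $k_1 + k_2 > 2^{n-1}$, then $\sum_{i=0}^{t} \binom{n}{i} \le \dfrac{4k_1k_2}{2k_1 + 2k_2 - 2^n}$;
(2) If $k_1 + k_2 < 2^{n-1}$, then $\sum_{i=0}^{t} \binom{n}{i} \ge \dfrac{4k_1k_2}{2k_1 + 2k_2 - 2^n}$.
(3) If $k_1 + k_2 = 2^{n-1}$, then $0 \le \Delta_{f,g} \le 4|C'_\alpha|$ for $\alpha \in F_2^n$.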

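Proof. Since $f(x)$ and $g(x)$ are uncorrelated of degree $t$, for any $\alpha \in F_2^n$ with $0 \le wt(\alpha) \le t$, we have $\Delta_{f,g}(\alpha) = 0$. That is, the number of $\alpha$ with $\Delta_{f,g}(\alpha) = 0$ is at least $\sum_{i=0}^{t} \binom{n}{i}$. By Theorem 1, $|C'_\alpha| = \frac{1}{4}[2wt(f) + 2wt(g) - 2^n]$ for any $\alpha \in F_2^n$ such that $0 \le wt(\alpha) \le t$. By Corollary 1, we have

$$wt(f)\,wt(g) = \sum_{\alpha \in F_2^n} |C'_\alpha| = \sum_{\substack{\alpha \in F_2^n \\ 0 \le wt(\alpha) \le t}} |C'_\alpha| + \sum_{\substack{\alpha \in F_2^n \\ wt(\alpha) \ge t+1}} |C'_\alpha| \ge \sum_{\substack{\alpha \in F_2^n \\ 0 \le wt(\alpha) \le t}} |C'_\alpha|.$$

That is, $k_1k_2 \ge \dfrac{2k_1 + 2k_2 - 2^n}{4} \sum_{i=0}^{t} \binom{n}{i}$. Thus (1) and (2) are proved. (3) If $k_1 + k_2 = 2^{n-1}$, then $\Delta_{f,g}(\alpha) = 4|C'_\alpha|$ for any $\alpha \in F_2^n$. So this result is proved. □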
Theorem 3 implies a restrictive relationship among $wt(f)$, $wt(g)$ and the uncorrelation degree $t$ of these two Boolean functions $f(x)$ and $g(x)$. In the design of Boolean functions we should take into account the restrictive relationship among $k_1$, $k_2$ and $t$.
Note that $\Delta_{f,g} = \max_{\alpha \in F_2^n} |\Delta_{f,g}(\alpha)|$. By the definition of $\Delta_{f,g}(\alpha)$, we can easily obtain a tight lower and a tight upper bound on $\Delta_{f,g}$ as follows.
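Theorem 4. Let $f(x), g(x) \in B_n$. Then
(1) $0 \le \Delta_{f,g} \le 2^n$;
(2) $\Delta_{f,g} = 0$ if and only if $f(x) \oplus g(x \oplus \alpha)$ is balanced for any $\alpha \in F_2^n$;
(3) $\Delta_{f,g} = 2^n$ if and only if $f(x) = g(x \oplus \alpha) \oplus a$ $(a \in F_2)$ for some $\alpha \in F_2^n$.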
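In order to give the lower and the upper bounds on $\sigma_{f,g}$, we need the following important results.
Lemma 2. Let $f(x), g(x) \in B_n$, then

$$\sum_{\alpha \in F_2^n} F^2(f \oplus \varphi_\alpha) F^2(g \oplus \varphi_\alpha) = 2^n \sum_{e \in F_2^n} \Delta_{f,g}^2(e).$$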

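Proof. Note that, for any $x \in F_2^n$,

$$F(f \oplus \varphi_x) F(g \oplus \varphi_x) = \sum_{u \in F_2^n} \Delta_{f,g}(u)(-1)^{x \cdot u}.$$

We have

$$\begin{aligned}
F^2(f \oplus \varphi_x) F^2(g \oplus \varphi_x) &= \Big[\sum_{u \in F_2^n} \Delta_{f,g}(u)(-1)^{x \cdot u}\Big]^2 = \Big[\sum_{\alpha \in F_2^n} \Delta_{f,g}(\alpha)(-1)^{x \cdot \alpha}\Big]\Big[\sum_{e \in F_2^n} \Delta_{f,g}(e)(-1)^{x \cdot e}\Big] \\
&= \sum_{\substack{\alpha, e \in F_2^n \\ \alpha = e}} \Delta_{f,g}^2(e) + \sum_{\substack{\alpha, e \in F_2^n \\ \alpha \ne e}} \Delta_{f,g}(\alpha)\Delta_{f,g}(e)(-1)^{(\alpha \oplus e) \cdot x}.
\end{aligned}$$

Thus

$$\begin{aligned}
\sum_{x \in F_2^n} F^2(f \oplus \varphi_x) F^2(g \oplus \varphi_x) &= \sum_{x \in F_2^n} \sum_{e \in F_2^n} \Delta_{f,g}^2(e) + \sum_{x \in F_2^n} \sum_{\substack{\alpha, e \in F_2^n \\ \alpha \ne e}} \Delta_{f,g}(\alpha)\Delta_{f,g}(e)(-1)^{(\alpha \oplus e) \cdot x} \\
&= 2^n \sum_{e \in F_2^n} \Delta_{f,g}^2(e) + \sum_{\substack{\alpha, e \in F_2^n \\ \alpha \ne e}} \Delta_{f,g}(\alpha)\Delta_{f,g}(e) \sum_{x \in F_2^n} (-1)^{(\alpha \oplus e) \cdot x} = 2^n \sum_{e \in F_2^n} \Delta_{f,g}^2(e),
\end{aligned}$$

since $\alpha \ne e$, we have

$$\sum_{x \in F_2^n} (-1)^{(\alpha \oplus e) \cdot x} = 0.$$

Thus,

$$\sum_{\alpha \in F_2^n} F^2(f \oplus \varphi_\alpha) F^2(g \oplus \varphi_\alpha) = 2^n \sum_{e \in F_2^n} \Delta_{f,g}^2(e).$$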

From Lemma 2, we give the following expression of the sum-of-squares indicator between $f(x)$ and $g(x)$.
Corollary 2. Let $f(x), g(x) \in B_n$. Then

$$\sigma_{f,g} = \frac{1}{2^n} \sum_{\alpha \in F_2^n} F^2(f \oplus \varphi_\alpha) F^2(g \oplus \varphi_\alpha).$$

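Corollary 2 is an important property used to deduce the lower and the upper bounds on $\sigma_{f,g}$. Meanwhile, the following Lemma 3 is also another important property.
Lemma 3. Let $f(x), g(x) \in B_n$, and $V$ be a subspace of $F_2^n$ with $\dim V = k$. Then, for any $\beta \in F_2^n$,

$$\sum_{\alpha \in V} F(f \oplus \varphi_\alpha) F(g \oplus \varphi_{\alpha \oplus \beta}) = 2^k \sum_{e \in V^\perp} (-1)^{\beta \cdot e} F(D_{f,g}(e) \oplus \varphi_\beta).$$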

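Proof. By the definition of the Walsh spectrum, we have

$$\begin{aligned}
\sum_{\alpha \in V} F(f \oplus \varphi_\alpha) F(g \oplus \varphi_{\alpha \oplus \beta}) &= \sum_{\alpha \in V} \Big(\sum_{x \in F_2^n} (-1)^{f(x) \oplus x \cdot \alpha}\Big)\Big(\sum_{y \in F_2^n} (-1)^{g(y) \oplus y \cdot (\alpha \oplus \beta)}\Big) \\
&= \sum_{x, y \in F_2^n} \sum_{\alpha \in V} (-1)^{f(x) \oplus x \cdot \alpha \oplus g(y) \oplus y \cdot (\alpha \oplus \beta)} = \sum_{x, y \in F_2^n} (-1)^{f(x) \oplus g(y) \oplus y \cdot \beta} \sum_{\alpha \in V} (-1)^{(x \oplus y) \cdot \alpha},
\end{aligned}$$

where

$$\sum_{\alpha \in V} (-1)^{\alpha \cdot (x \oplus y)} \ne 0$$

if and only if $x \oplus y \in V^\perp$. So we have

$$\begin{aligned}
\sum_{x, y \in F_2^n} (-1)^{f(x) \oplus g(y) \oplus y \cdot \beta} \sum_{\alpha \in V} (-1)^{(x \oplus y) \cdot \alpha} &= 2^k \sum_{\substack{x, y \in F_2^n \\ x \oplus y \in V^\perp}} (-1)^{f(x) \oplus g(y) \oplus y \cdot \beta} = 2^k \sum_{x \in F_2^n} \sum_{\substack{e \in V^\perp \\ y = x \oplus e}} (-1)^{f(x) \oplus g(e \oplus x) \oplus (e \oplus x) \cdot \beta} \\
&= 2^k \sum_{e \in V^\perp} \Big[\sum_{x \in F_2^n} (-1)^{f(x) \oplus g(e \oplus x) \oplus x \cdot \beta}\Big](-1)^{e \cdot \beta} = 2^k \sum_{e \in V^\perp} (-1)^{\beta \cdot e} F(D_{f,g}(e) \oplus \varphi_\beta).
\end{aligned}$$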

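When $f(x) = g(x)$ in Lemma 3, we have Corollary 3 by the same method as follows.

Corollary 3 [2]. Let $f(x) \in B_n$, and $V$ be a subspace of $F_2^n$ with $\dim V = k$. Then, for any $\beta \in F_2^n$,

$$\sum_{\alpha \in V} F^2(f \oplus \varphi_{\alpha \oplus \beta}) = 2^k \sum_{e \in V^\perp} (-1)^{\beta \cdot e} F(D_f(e)).$$

Thus, Lemma 3 generalizes the result in [2, Lemma V.2].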


In [12], Sarkar and Maitra get the following characterization of perfect uncorrelatedness in terms of the Walsh spectra of $f(x)$ and $g(x)$.
Lemma 4 [12]. Let $f(x), g(x) \in B_n$. Then $f(x)$ and $g(x)$ are perfectly uncorrelated if and only if $F(f \oplus \varphi_\alpha) F(g \oplus \varphi_\alpha) = 0$ for any $\alpha \in F_2^n$.

Let $\mathbf{0} = (0, 0, \ldots, 0) \in F_2^n$. Based on Corollary 2, Lemmas 3 and 4, we give the tight lower and the tight upper bounds on $\sigma_{f,g}$.
Theorem 5. Let $f(x), g(x) \in B_n$. Then
(1) $[\Delta_{f,g}(\mathbf{0})]^2 \le \sigma_{f,g} \le 2^{3n}$;
(2) $\sigma_{f,g} = 2^{3n}$ if and only if $f(x)$ and $g(x)$ are affine Boolean functions;
(3) $\sigma_{f,g} = [\Delta_{f,g}(\mathbf{0})]^2$ if and only if $f(x)$ and $g(x)$ are Bent functions or $f(x)$ and $g(x)$ are perfectly uncorrelated.
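Proof
(1) By Corollary 2, we have

$$\sigma_{f,g} = \frac{1}{2^n} \sum_{\alpha \in F_2^n} F^2(f \oplus \varphi_\alpha) F^2(g \oplus \varphi_\alpha) \le \frac{1}{2^n} \Big[\sum_{\alpha \in F_2^n} F^2(f \oplus \varphi_\alpha)\Big]\Big[\sum_{\alpha \in F_2^n} F^2(g \oplus \varphi_\alpha)\Big] = 2^{3n}.$$

On the other hand, when $\beta = \mathbf{0}$ and $V = F_2^n$ in Lemma 3, we have

$$\sum_{\alpha \in F_2^n} F(f \oplus \varphi_\alpha) F(g \oplus \varphi_\alpha) = 2^n \Delta_{f,g}(\mathbf{0}). \tag{2}$$

From Eq. (2) and Cauchy–Schwarz's inequality, we have

$$\begin{aligned}
\sigma_{f,g} &= \frac{1}{2^n} \sum_{\alpha \in F_2^n} F^2(f \oplus \varphi_\alpha) F^2(g \oplus \varphi_\alpha) = \frac{1}{2^{2n}} \Big[\sum_{\alpha \in F_2^n} \big(F(f \oplus \varphi_\alpha) F(g \oplus \varphi_\alpha)\big)^2\Big]\Big[\sum_{\alpha \in F_2^n} 1^2\Big] \\
&\ge \frac{1}{2^{2n}} \Big[\sum_{\alpha \in F_2^n} F(f \oplus \varphi_\alpha) F(g \oplus \varphi_\alpha) \cdot 1\Big]^2 = \frac{1}{2^{2n}} [2^n \Delta_{f,g}(\mathbf{0})]^2 = [\Delta_{f,g}(\mathbf{0})]^2.
\end{aligned}$$

Thus, $[\Delta_{f,g}(\mathbf{0})]^2 \le \sigma_{f,g} \le 2^{3n}$.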

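(2) From the above proof of (1), we know $\sigma_{f,g} = 2^{3n}$ if and only if

$$\sum_{\alpha \in F_2^n} F^2(f \oplus \varphi_\alpha) F^2(g \oplus \varphi_\alpha) = \Big[\sum_{\alpha \in F_2^n} F^2(f \oplus \varphi_\alpha)\Big]\Big[\sum_{\alpha \in F_2^n} F^2(g \oplus \varphi_\alpha)\Big].$$

That is,

$$\sum_{\substack{\alpha, \beta \in F_2^n \\ \alpha \ne \beta}} F^2(f \oplus \varphi_\alpha) F^2(g \oplus \varphi_\beta) = 0$$

if and only if $F^2(f \oplus \varphi_\alpha) F^2(g \oplus \varphi_\beta) = 0$ for any $\alpha \ne \beta$. There are three cases:

(a) If there does not exist $\alpha_0 \in F_2^n$ such that $F^2(f \oplus \varphi_{\alpha_0}) \ne 0$, then $F^2(f \oplus \varphi_\alpha) = 0$ for all $\alpha \in F_2^n$, which leads to a contradiction with Parseval's equation.
(b) If there exists only one $\alpha_0 \in F_2^n$ such that $F^2(f \oplus \varphi_{\alpha_0}) \ne 0$, then $F^2(g \oplus \varphi_\beta) = 0$ for any $\beta \ne \alpha_0$. In terms of Parseval's relation, we have $F^2(f \oplus \varphi_{\alpha_0}) = 2^{2n}$. That is, $f(x) = \alpha_0 \cdot x \oplus a$ $(a \in F_2)$. On the other hand, since $F^2(g \oplus \varphi_\beta) = 0$ for any $\beta \ne \alpha_0$, we have $F^2(g \oplus \varphi_{\alpha_0}) = 2^{2n}$. That is, $g(x) = \alpha_0 \cdot x \oplus b$ $(b \in F_2)$. Thus $f(x)$ and $g(x)$ are affine Boolean functions.
(c) If there exist only two $\alpha_1, \alpha_2 \in F_2^n$ $(\alpha_1 \ne \alpha_2)$ such that $F^2(f \oplus \varphi_{\alpha_1}) \ne 0$ and $F^2(f \oplus \varphi_{\alpha_2}) \ne 0$, then we have $F^2(g \oplus \varphi_\alpha) = 0$ for any $\alpha \ne \alpha_1$ and $F^2(g \oplus \varphi_\alpha) = 0$ for any $\alpha \ne \alpha_2$ accordingly. It implies that $F^2(g \oplus \varphi_\alpha) = 0$ for all $\alpha \in F_2^n$, which is in contradiction with Parseval's equation. By the same way, we know that there does not exist only $k$ $(3 \le k \le 2^n)$ different elements $\alpha_i \in F_2^n$ $(1 \le i \le k)$ such that $F^2(f \oplus \varphi_{\alpha_i}) \ne 0$.
Combining (a), (b) and (c), $F^2(f \oplus \varphi_\alpha) F^2(g \oplus \varphi_\beta) = 0$ for any $\alpha \ne \beta$ if and only if $f(x)$ and $g(x)$ are affine Boolean functions.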
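(3) $\sigma_{f,g} = [\Delta_{f,g}(\mathbf{0})]^2$ if and only if

$$\Big[\sum_{\alpha \in F_2^n} \big(F(f \oplus \varphi_\alpha) F(g \oplus \varphi_\alpha)\big)^2\Big]\Big[\sum_{\alpha \in F_2^n} 1^2\Big] = \Big[\sum_{\alpha \in F_2^n} F(f \oplus \varphi_\alpha) F(g \oplus \varphi_\alpha) \cdot 1\Big]^2,$$

if and only if, by Cauchy–Schwarz's inequality, for any $\alpha \in F_2^n$,

$$\frac{F(f \oplus \varphi_\alpha) F(g \oplus \varphi_\alpha)}{1} = k,$$

where $k$ is a real number. There are two cases:
(a) If $k = 0$, then $f(x)$ and $g(x)$ are perfectly uncorrelated by Lemma 4.
(b) If $k \ne 0$, then $F(f \oplus \varphi_\beta) F(g \oplus \varphi_\beta) = k$ for any $\beta \in F_2^n$. So $F(f \oplus \varphi_\alpha) F(g \oplus \varphi_\alpha) = F(f \oplus \varphi_\beta) F(g \oplus \varphi_\beta) = k$ for any $\alpha \in F_2^n$ and $\beta \in F_2^n$. For simplicity, let

$$\frac{F(f \oplus \varphi_\alpha)}{F(f \oplus \varphi_\beta)} = \frac{F(g \oplus \varphi_\beta)}{F(g \oplus \varphi_\alpha)} = t,$$

that is, $F(f \oplus \varphi_\alpha) = t \cdot F(f \oplus \varphi_\beta)$ and $F(g \oplus \varphi_\beta) = t \cdot F(g \oplus \varphi_\alpha)$. By Parseval's relation, we have

$$2^{2n} = \sum_{\alpha \in F_2^n} F^2(f \oplus \varphi_\alpha) = t^2 \sum_{\beta \in F_2^n} F^2(f \oplus \varphi_\beta) = t^2 2^{2n}.$$

Thus $t = \pm 1$. So $F^2(f \oplus \varphi_\alpha)$ and $F^2(g \oplus \varphi_\alpha)$ are constants for any $\alpha \in F_2^n$, and we have $F(f \oplus \varphi_\alpha) = \pm 2^{n/2}$ and $F(g \oplus \varphi_\alpha) = \pm 2^{n/2}$. So $f(x)$ and $g(x)$ are Bent functions. □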
When $f(x) = g(x)$, $\Delta_{f,g}(\mathbf{0}) = \Delta_f(\mathbf{0}) = 2^n$, we generalize the lower and the upper bounds on the sum-of-square in [16]:
Corollary 4 [16]. Let $f(x) \in B_n$. Then
(1) $2^{2n} \le \sigma_f \le 2^{3n}$;
(2) $\sigma_f = 2^{3n}$ if and only if $f(x)$ is an affine Boolean function;
(3) $\sigma_f = 2^{2n}$ if and only if $f(x)$ is a Bent function.
Remark 1. Theorems 4 and 5 generalize the results of the GAC in [16]. The two indicators imply that, if $f(x)$ and $g(x)$ have a lower sum-of-square value, then these two Boolean functions are very close to Bent functions; if $f(x)$ and $g(x)$ have a lower absolute value, these two Boolean functions are very close to affine Boolean functions.
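
The identities of this section can be checked numerically on small functions. The following Python code is an added example, not part of the paper: it computes $\Delta_{f,g}(\alpha)$, $\sigma_{f,g}$ and $\Delta_{f,g}$ from truth tables and checks Lemma 1, Theorem 1, Corollary 2, the identity $\sum_\alpha F(f \oplus \varphi_\alpha)F(g \oplus \varphi_\alpha) = 2^n\Delta_{f,g}(\mathbf{0})$ and the bounds of Theorems 4(1) and 5(1). All function names and the sample functions on $n = 4$ variables (a Bent function, the affine pair with common linear part from the proof of Theorem 5(2), two distinct linear functions) are assumptions chosen for illustration.

```python
import random

def truth_table(fn, n):
    """Truth table of fn on F_2^n; point x is the integer whose bit i holds x_{i+1}."""
    return [fn(x) & 1 for x in range(1 << n)]

def walsh(f):
    """F(f + phi_a) = sum_x (-1)^(f(x) xor a.x), for every a in F_2^n."""
    size = len(f)
    return [sum(1 - 2 * (f[x] ^ (bin(a & x).count("1") & 1)) for x in range(size))
            for a in range(size)]

def cross_correlation(f, g):
    """Delta_{f,g}(a) = sum_x (-1)^(f(x) xor g(x xor a)), for every a (Definition 1)."""
    size = len(f)
    return [sum(1 - 2 * (f[x] ^ g[x ^ a]) for x in range(size)) for a in range(size)]

def indicators(f, g):
    """(sigma_{f,g}, Delta_{f,g}) of Definition 2."""
    cc = cross_correlation(f, g)
    return sum(v * v for v in cc), max(abs(v) for v in cc)

def verify_pair(f, g):
    """True if the pair satisfies every identity and bound listed in the comments."""
    size = len(f)
    cc = cross_correlation(f, g)
    sigma, delta = indicators(f, g)
    k1, k2 = sum(f), sum(g)                                   # hamming weights
    ok = sum(cc) == (size - 2 * k1) * (size - 2 * k2)          # Lemma 1
    for a in range(size):                                      # Theorem 1
        c_a = sum(f[x] & g[x ^ a] for x in range(size))        # |C'_a|
        ok &= cc[a] == size - 2 * k1 - 2 * k2 + 4 * c_a
    wf, wg = walsh(f), walsh(g)
    ok &= size * sigma == sum(u * u * v * v for u, v in zip(wf, wg))   # Corollary 2
    ok &= sum(u * v for u, v in zip(wf, wg)) == size * cc[0]           # Eq. (2)
    ok &= cc[0] ** 2 <= sigma <= size ** 3                     # Theorem 5(1)
    ok &= 0 <= delta <= size                                   # Theorem 4(1)
    return ok

def bit(x, i):
    return (x >> i) & 1

N = 4  # constructed sample functions on four variables
BENT = truth_table(lambda x: (bit(x, 0) & bit(x, 1)) ^ (bit(x, 2) & bit(x, 3)), N)
AFF_A = truth_table(lambda x: bit(x, 0) ^ bit(x, 2), N)        # x1 + x3
AFF_B = truth_table(lambda x: bit(x, 0) ^ bit(x, 2) ^ 1, N)    # x1 + x3 + 1
LIN_1 = truth_table(lambda x: bit(x, 0), N)                    # x1
LIN_2 = truth_table(lambda x: bit(x, 1), N)                    # x2

def random_pairs_hold(trials=200, seed=1):
    """Run verify_pair on pseudo-random pairs of 4-variable functions."""
    rng = random.Random(seed)
    draw = lambda: [rng.randint(0, 1) for _ in range(1 << N)]
    return all(verify_pair(draw(), draw()) for _ in range(trials))

if __name__ == "__main__":
    for name, f, g in [("bent, f = g", BENT, BENT),
                       ("affine, same linear part", AFF_A, AFF_B),
                       ("distinct linear", LIN_1, LIN_2)]:
        print(name, indicators(f, g), verify_pair(f, g))
    print("random pairs:", random_pairs_hold())
```

The three named pairs sit at the extremes of Theorem 5: the Bent function with itself gives $\sigma_f = 2^{2n}$, the affine pair gives $\sigma_{f,g} = 2^{3n}$, and the two distinct linear functions are perfectly uncorrelated with $\sigma_{f,g} = 0$.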
Finally, we give the relationship between the Walsh spectrum and the decompositions of $f(x)$ and $g(x)$.
Definition 3. Let $W$ be a subspace of $F_2^n$ with $\dim W = k$. The decomposition of $f(x)$ with respect to $W$ is the sequence $\{f_a \mid a \in V\}$, where $V$ is a subspace such that $F_2^n$ is the direct sum of $W$ and $V$ and $f_a$ is the Boolean function of $k$ variables, from $W$ to $F_2$, defined by $f_a(x) = f(a \oplus x)$ for any $x \in W$.

From Definition 3, for any $a \in V$ we have

$$F(f_a) = \sum_{x \in W} (-1)^{f(a \oplus x)}.$$

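Theorem 6. Let $W$ be a subspace of $F_2^n$ with dimension $k$, and $\{f_a \mid a \in V\}$ and $\{g_a \mid a \in V\}$ be the decompositions of $f(x)$ and $g(x)$ with respect to $W$. Then

$$\sum_{\alpha \in W^\perp} F(f \oplus \varphi_\alpha) F(g \oplus \varphi_\alpha) = 2^{n-k} \sum_{a \in V} F(f_a) F(g_a).$$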

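Proof. Note that

$$\Delta_{f,g}(\beta) = \sum_{x \in F_2^n} (-1)^{f(x) \oplus g(x \oplus \beta)} = \sum_{a \in V} \Big(\sum_{x \in W} (-1)^{f(a \oplus x) \oplus g(x \oplus a \oplus \beta)}\Big).$$

According to Lemma 3, when $\beta = \mathbf{0}$, we have

$$\begin{aligned}
\sum_{\alpha \in W^\perp} F(f \oplus \varphi_\alpha) F(g \oplus \varphi_\alpha) &= 2^{n-k} \sum_{\beta \in W} \Delta_{f,g}(\beta) = 2^{n-k} \sum_{\beta \in W} \Big[\sum_{a \in V} \sum_{x \in W} (-1)^{f(a \oplus x) \oplus g(x \oplus a \oplus \beta)}\Big] \\
&= 2^{n-k} \sum_{a \in V} \sum_{\beta \in W} \Big[\sum_{x \in W} (-1)^{f(a \oplus x) \oplus g(x \oplus a \oplus \beta)}\Big] = 2^{n-k} \sum_{a \in V} \sum_{x \in W} (-1)^{f(a \oplus x)} \sum_{\beta \in W} (-1)^{g(x \oplus a \oplus \beta)} \\
&= 2^{n-k} \sum_{a \in V} \sum_{x \in W} (-1)^{f(a \oplus x)} \sum_{\substack{y \in W \\ y = x \oplus \beta}} (-1)^{g(y \oplus a)} = 2^{n-k} \sum_{a \in V} F(f_a) F(g_a).
\end{aligned}$$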

When $f(x) = g(x)$ in Theorem 6, we have

Corollary 5 [2]. Let $W$ be a subspace of $F_2^n$ with dimension $k$ and $\{f_a \mid a \in V\}$ be the decomposition of $f(x)$ with respect to $W$. Then

$$\sum_{\alpha \in W^\perp} F^2(f \oplus \varphi_\alpha) = 2^{n-k} \sum_{a \in V} F^2(f_a).$$

Thus, Theorem 6 generalizes the result in [2, Theorem V.1].


4. The relationship between the two indicators and the higher order nonlinearities
Sun and Wu gave the tight lower bounds of the second order nonlinearity of three classes of Boolean functions in the form $f(x) = tr(x^d)$ with $n$ variables in [14]. Ke et al. studied the balanced symmetric Boolean functions over the finite field $GF(p)$ in [8], and improved the lower bound on the number of $n$-variable symmetric Boolean functions. In this section, we give two compact links between the two indicators and the $r$th order nonlinearity of a given Boolean function or the $(r-1)$th order nonlinearity of the derivative of a given Boolean function.
At first, we deduce the relationship between the $r$th order nonlinearity and the cross-correlation function.
Lemma 5. Let $f(x), g(x) \in B_n$ and $\deg(g) \le r$. Then for any $\alpha \in F_2^n$,

$$nl_r(f) \le 2^{n-1} - \frac{1}{2} |\Delta_{f,g}(\alpha)|.$$
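Proof. For any $\alpha \in F_2^n$, since $\deg(g) \le r$, we have

$$|\Delta_{f,g}(\alpha)| = \left| \sum_{x \in F_2^n} (-1)^{f(x) \oplus g(x \oplus \alpha)} \right| \le \max_{h \in RM(r,n)} \left| \sum_{x \in F_2^n} (-1)^{f(x) \oplus h(x)} \right|.$$

So,

$$nl_r(f) = 2^{n-1} - \frac{1}{2} \max_{h \in RM(r,n)} \left| \sum_{x \in F_2^n} (-1)^{f(x) \oplus h(x)} \right| \le 2^{n-1} - \frac{1}{2} |\Delta_{f,g}(\alpha)|.$$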

From Lemma 5, we can easily give the relationship between the two new criteria and the $r$th order nonlinearity:
Theorem 7. Let $f(x), g(x) \in B_n$ and $\deg(g) \le r$. Then
(1) $\Delta_{f,g} \le 2^n - 2nl_r(f)$;
(2) $\sigma_{f,g} \le 2^{3n} - 2^{2n+2} nl_r(f) + 2^{n+2} nl_r^2(f)$.
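
Theorem 7 can be checked exhaustively for small parameters. The following Python code is an added example, not part of the paper: it enumerates $RM(r, n)$, computes $nl_r(f)$ by brute force and compares the largest $\Delta_{f,g}$ and $\sigma_{f,g}$ over all $g$ of degree at most $r$ with the two bounds. The function names and the sample functions ($x_1x_2x_3$ and $x_1x_2 \oplus x_3x_4$ on four variables) are assumptions chosen for illustration.

```python
def cross_correlation(f, g):
    """Delta_{f,g}(a) = sum_x (-1)^(f(x) xor g(x xor a)), for every a in F_2^n."""
    size = len(f)
    return [sum(1 - 2 * (f[x] ^ g[x ^ a]) for x in range(size)) for a in range(size)]

def reed_muller(n, r):
    """Truth tables of all Boolean functions of degree <= r in n variables, i.e. RM(r, n)."""
    size = 1 << n
    words = [[0] * size]
    for mask in range(size):
        if bin(mask).count("1") <= r:
            # the monomial prod_{i in mask} x_i is 1 exactly when x covers mask
            mono = [1 if (x & mask) == mask else 0 for x in range(size)]
            # span: add the new basis monomial to every word built so far
            words += [[u ^ v for u, v in zip(w, mono)] for w in words]
    return words

def nl_r(f, code):
    """r-th order nonlinearity: minimum hamming distance from f to RM(r, n)."""
    return min(sum(u ^ v for u, v in zip(f, g)) for g in code)

def check_theorem7(f, n, r):
    """Return (nl_r(f), max Delta_{f,g}, bound (1), max sigma_{f,g}, bound (2)),
    the maxima being taken over every g with deg(g) <= r."""
    size = 1 << n
    code = reed_muller(n, r)
    nl = nl_r(f, code)
    bound_abs = size - 2 * nl                                   # Theorem 7(1)
    bound_sq = size ** 3 - (1 << (2 * n + 2)) * nl + (1 << (n + 2)) * nl * nl  # 7(2)
    worst_abs = worst_sq = 0
    for g in code:
        cc = cross_correlation(f, g)
        worst_abs = max(worst_abs, max(abs(v) for v in cc))
        worst_sq = max(worst_sq, sum(v * v for v in cc))
    assert worst_abs <= bound_abs and worst_sq <= bound_sq
    return nl, worst_abs, bound_abs, worst_sq, bound_sq

N = 4  # constructed sample functions on four variables (bit i of x holds x_{i+1})
CUBIC = [1 if (x & 0b0111) == 0b0111 else 0 for x in range(1 << N)]      # x1 x2 x3
BENT = [((x & 1) & (x >> 1 & 1)) ^ ((x >> 2 & 1) & (x >> 3 & 1))
        for x in range(1 << N)]                                           # x1x2 + x3x4

if __name__ == "__main__":
    print("x1x2x3, r = 2:", check_theorem7(CUBIC, N, 2))
    print("x1x2+x3x4, r = 1:", check_theorem7(BENT, N, 1))
```

In both runs the maxima equal the bounds: $RM(r, n)$ is closed under the translation $x \mapsto x \oplus \alpha$, so some $g$ of degree at most $r$ always attains $2^n - 2nl_r(f)$.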
In the following, we give a relationship between the $(r-1)$th order nonlinearity of the derivative of $f(x)$ and the two indicators.
Theorem 8. Let $f(x), g(x) \in B_n$ and $\deg(g) \le r$. Then
(1) $\Delta_{f,g} \le \sqrt{2^{2n} - 2 \sum_{\beta \in F_2^n} nl_{r-1}(D_{f(x)}(\beta))}$;
(2) $\sigma_{f,g} \le 2^{3n} - 2^{n+1} \sum_{\beta \in F_2^n} nl_{r-1}(D_{f(x)}(\beta))$.

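Proof. According to the definition of $\Delta_{f,g}(\alpha)$, we have

$$\begin{aligned}
\Delta_{f,g}^2(\alpha) &= \Big[\sum_{x \in F_2^n} (-1)^{f(x) \oplus g(x \oplus \alpha)}\Big]^2 = \sum_{x, y \in F_2^n} (-1)^{f(x) \oplus f(y) \oplus g(x \oplus \alpha) \oplus g(y \oplus \alpha)} \\
&= \sum_{x,\, y = x \oplus \beta \in F_2^n} (-1)^{f(x) \oplus f(x \oplus \beta) \oplus g(x \oplus \alpha) \oplus g(x \oplus \beta \oplus \alpha)} = \sum_{\beta \in F_2^n} \sum_{x \in F_2^n} (-1)^{D_{f(x)}(\beta) \oplus D_{g(x \oplus \alpha)}(\beta)}.
\end{aligned}$$

Note that $\deg(g) \le r$, we have $\deg(D_{g(x \oplus \alpha)}(\beta)) \le r - 1$. Hence,

$$\left| \sum_{x \in F_2^n} (-1)^{D_{f(x)}(\beta) \oplus D_{g(x \oplus \alpha)}(\beta)} \right| \le \max_{h \in RM(r-1,n)} \left| \sum_{x \in F_2^n} (-1)^{D_{f(x)}(\beta) \oplus h(x)} \right|.$$

And

$$\sum_{x \in F_2^n} (-1)^{D_{f(x)}(\beta) \oplus D_{g(x \oplus \alpha)}(\beta)} = 2^n - 2d_H(D_{f(x)}(\beta), D_{g(x \oplus \alpha)}(\beta)).$$

So,

$$nl_{r-1}(D_f(\beta)) = 2^{n-1} - \frac{1}{2} \max_{h \in RM(r-1,n)} \left| \sum_{x \in F_2^n} (-1)^{D_{f(x)}(\beta) \oplus h(x)} \right| \le 2^{n-1} - \frac{1}{2} \sum_{x \in F_2^n} (-1)^{D_{f(x)}(\beta) \oplus D_{g(x \oplus \alpha)}(\beta)}.$$

Thus, for any $\alpha \in F_2^n$

$$\Delta_{f,g}^2(\alpha) \le \sum_{\beta \in F_2^n} [2^n - 2nl_{r-1}(D_{f(x)}(\beta))] = 2^{2n} - 2 \sum_{\beta \in F_2^n} nl_{r-1}(D_{f(x)}(\beta)).$$

This implies that

$$\sigma_{f,g} = \sum_{\alpha \in F_2^n} \Delta_{f,g}^2(\alpha) \le 2^n \Big[2^{2n} - 2 \sum_{\beta \in F_2^n} nl_{r-1}(D_{f(x)}(\beta))\Big] = 2^{3n} - 2^{n+1} \sum_{\beta \in F_2^n} nl_{r-1}(D_{f(x)}(\beta)).$$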

5. Conclusion
In this paper, we proposed two new criteria called the sum-of-squares indicator and the absolute indicator of the
cross-correlation function. These two indicators generalize the GAC criterion in [16]. We derived the rough lower and
the rough upper bounds on the two indicators using only hamming weights of the Boolean functions, and generalize
some known properties of the auto-correlation function. At the same time, we gave the tight upper and the tight lower
bounds on the two indicators by the properties of the cross-correlation function. We also derived some results on relations between the two indicators and the higher order nonlinearity. These results can help us design better Boolean
functions when these Boolean functions are used in LFSR, running key generator, and pseudorandom sequence generator
and so on. The future work will focus on how to construct these Boolean functions with good correlation using these
results. Furthermore we hope that these results will be considered helpful in further investigations of symmetric Boolean functions.

Acknowledgement
The authors are grateful to the reviewers and editors for their useful comments and corrections.


References
[1] C.M. Adams, S.E. Tavares, Generating and counting binary bent sequences, IEEE Transactions on Information Theory 36 (5) (1990) 1170–1173.
[2] A. Canteaut, C. Carlet, P. Charpin, C. Fontaine, On cryptographic properties of the cosets of R(1,m), IEEE Transactions on Information Theory 47 (4) (2001) 1494–1513.
[3] A. Canteaut, C. Carlet, P. Charpin, C. Fontaine, Propagation characteristics and correlation-immunity of highly nonlinear Boolean functions, in: Advances in Cryptology-Eurocrypt 2000, Lecture Notes in Computer Science, vol. 1807, Springer-Verlag, Berlin, Germany, 2000, pp. 507–522.
[4] C. Carlet, Lower bounds on the higher order nonlinearities of Boolean functions and their applications to the inverse function, in: Information Theory Workshop, ITW '08, IEEE 59 (2008) 333–337.
[5] C. Carlet, On the higher order nonlinearities of Boolean functions and S-boxes, and their generalizations, SETA 2008, LNCS 5203 (2008) 345–367.
[6] C. Carlet, S. Mesnager, Improving the upper bounds on the covering radii of binary Reed–Muller codes, IEEE Transactions on Information Theory 53 (1) (2007) 162–173.
[7] E. Elsheh, A. BenHamza, A. Youssef, On the nonlinearity profile of cryptographic Boolean functions, in: Canadian Conference on Electrical and Computer Engineering, CCECE 2008, 4–7 (2008) 1767–1770.
[8] P.H. Ke, L.L. Huang, S.Y. Zhang, Improved lower bound on the number of balanced symmetric functions over GF(p), Information Sciences 179 (5) (2009) 682–687.
[9] F.J. MacWilliams, N.J.A. Sloane, The Theory of Error Correcting Codes, North Holland, Amsterdam, 1977.
[10] S. Mesnager, Improving the lower bound on the higher order nonlinearity of Boolean functions with prescribed algebraic immunity, IEEE Transactions on Information Theory 54 (8) (2008) 3656–3662.
[11] B. Preneel, W. Leekwijck, L.V. Linden, et al., Propagation characteristics of Boolean functions, in: Advances in Cryptology-Eurocrypt'90, LNCS, vol. 437, Springer-Verlag, Berlin, Heidelberg, New York, 1991, pp. 155–165.
[12] P. Sarkar, S. Maitra, Cross-correlation analysis of cryptographically useful Boolean functions and S-boxes, Theory Computer Systems 35 (2002) 39–57.
[13] C. Shannon, Communication theory of secrecy systems, Bell System Technical Journal 28 (1949) 656–715.
[14] G.H. Sun, C.K. Wu, The lower bounds on the second order nonlinearity of three classes of Boolean functions with high nonlinearity, Information Sciences 179 (3) (2009) 267–278.
[15] A.F. Webster, Plaintext/ciphertext bit dependencies in cryptographic system, Master's Thesis, Department of Electrical Engineering, Queen's University, Ontario, Canada (1985).
[16] X.M. Zhang, Y.L. Zheng, GAC - the criterion for global avalanche characteristics of cryptographic functions, Journal for Universal Computer Science 1 (5) (1995) 316–333.
