Vectorial Boolean Functions with Very Low Differential-Linear Uniformity Using Maiorana-McFarland Type Construction

Abstract

The differential-linear connectivity table (DLCT) of a vectorial Boolean function was recently introduced by Bar-On et al. at EUROCRYPT’19. In this paper we construct a new class of balanced vectorial Boolean functions with very low differential-linear uniformity and provide a combinatorial count of hardware gates which is required to implement such circuits. Here, all the coordinate functions are constructed by modifying the Maiorana-McFarland bent functions. Further, we derive some properties of DLCT and differential-linear uniformity of modified inverse functions.

1 Introduction

To design symmetric ciphers, mainly block ciphers, vectorial Boolean functions play an important role. Cryptanalysis of block ciphers are mainly divided into two directions, one is called differential cryptanalysis which is proposed by Biham and Shamir [3], and another is linear cryptanalysis which is proposed by Matsui [20]. Differential cryptanalysis deals with the probability of the differences between the input vectors and corresponding output vectors. On the other hand, linear cryptanalysis deals with the linear relation between input and outputs vectors. Many block ciphers are attacked by using the differential and linear cryptanalysis, most notable Data Encryption Standard (DES) [31]. To resist the known attacks on each model of block cipher (and hopefully, to resist future attacks), the vectorial Boolean functions used in ciphers should satisfy various design criteria simultaneously. The design criteria on vectorial Boolean functions is depended on the properties of its component functions.

The differential-linear cryptanalysis was first introduced by Langford and Hellman [17]. Many block ciphers [2, 12, 13, 18] are attacked by using this cryptanalytic technique. Recently, Bar-On et al. [1] proposed a new connectivity table, differential-linear connectivity table (DLCT), of vectorial Boolean functions which is focused on the dependency between two sub-ciphers \(E_0\) and \(E_1\). The authors also derived a relation between the DLCT and difference distribution table (DDT) of vectorial Boolean functions. Later, Li et al. [19] investigated the properties of DLCT in more details including the inverse, almost bent (AB), almost perfect nonlinear (APN), Gold and Bracken-Leander power functions and derived the lower bound of differential-linear uniformity. Authors also derived the results on the behavior of DLCT and differential-linear uniformity under different equivalence relations of (n, m)-functions. At the same time, Anne et al. [4] also derived the similar results on DLCT independently. The paper [5] is a merged version of [19] and [4]. It is known that the differential-linear uniformity of a vectorial Boolean function depends on the autocorrelation values of its all component functions. So, the construction of a vectorial Boolean function with very low differential-linear uniformity is same as the construction of a vectorial Boolean function with very low absolute autocorrelation values of its all component functions. Dobbertin [11] first constructed a balanced Boolean function with high nonlinearity by modifying all-zero values on an affine subspace of dimension \(\frac{n}{2}\) of a special class of Boolean functions. In this direction, Tang et al. [29], Kavut et al. [15] and Tang et al. [28] also constructed the balanced Boolean functions by modifying the simplest partial spread and Maiorana-McFarland bent functions with low autocorrelation and the absolute indicator strictly lesser than \(2^{\frac{n}{2}}\). In this paper our primary focus to construct the balanced vectorial Boolean functions having very low differential-linear uniformity. The technique used in this paper to construct such (n, m)-functions in Construction 1 is given as below, where \(n=2k\ge 4\).

1. 1.

   Let \(\phi _i,~1\le i\le m\), be the permutations over \({\mathbb F}_2^k\) such that for any \((l_1,l_2,\ldots ,\) \(l_m)\in {\mathbb F}_2^{m*}\) the linear combination \(l_1\phi _1 \,+\, l_2\phi _2 \,+\, \cdots \,+\, l_m\phi _m\) is also a permutation over \({\mathbb F}_2^k\) and \(l_1\phi _1(\mathbf{0})+ l_2\phi _2(\mathbf{0}) + \cdots + l_m\phi _m(\mathbf{0})=\mathbf{0}\).

2. 2.

   Let \(u_i\) and \(v_i,~1\le i\le m\), be Boolean functions over \({\mathbb F}_2^k\) such that for any \((l_1,l_2,\ldots ,l_m)\in {\mathbb F}_2^{m*}\) \(\mathrm {wt}(l_1u_1 + l_2u_2 + \cdots + l_mu_m)+\mathrm {wt}(l_1v_1 + l_2v_2 + \cdots + l_mv_m)=2^{k-1}\) and \(l_1u_1(\mathbf{0}) + l_2u_2(\mathbf{0}) + \cdots + l_mu_m(\mathbf{0})=l_1v_1(\mathbf{0})+ l_2v_2(\mathbf{0})+ \cdots + l_mv_m(\mathbf{0})=0\).

3. 3.

   Define an (n, m)-function \(G=(g_1,g_2,\ldots ,g_m)\) such that \(g_i(x,y)=\phi _i(x)\cdot y\) for all \(x,y\in {\mathbb F}_2^k\) and \(i= 1,2,\ldots ,m\).

4. 4.

   We construct a balanced (n, m)-function \(F=(f_1,f_2,\ldots ,f_m)\) by modifying all the coordinate functions of G as follows:

   $$\begin{aligned} f_i(x,y)=\left\{ \begin{array}{llll} u_i(y),&{}\mathrm {if~}(x,y)\in \{\mathbf{0}\}\times {\mathbb F}_2^k\\ \phi _i(x)\cdot y, &{}\mathrm {if~}(x,y)\in {\mathbb F}_2^{k*}\times {\mathbb F}_2^{k*}\\ v_i(x), &{}\mathrm {if~}(x,y)\in {\mathbb F}_2^{k*}\times \{\mathbf{0}\} \end{array} \right. , \end{aligned}$$

   for all \(x,y\in {\mathbb F}_2^k\) and \(i= 1,2,\ldots ,m\).

Moreover, we identify such \(u_i\) and \(v_i,~1\le i\le m\), for \(n=4t\ge 20\) and \(m=t-1\), and construct a balanced \((4t,t-1)\)-function having differential-linear uniformity strictly less than \(2^{2t-1}\). Further, we derive some results on the properties of DLCT.

Contribution and Organization. Our approach depends on the constructions of coordinate functions of a balanced vectorial Boolean function such that the autocorrelation of all component functions are very low. For that we construct the coordinate functions with very low autocorrelation by modifying the Maiorana-McFarland bent functions. The paper is organized as follows. In Sect. 2, some basic definitions and notations are given. In Sect. 3, some observations on DLCT of vectorial Boolean functions are discussed. In Sect. 4, we derive the differential-linear uniformity of known balanced vectorial Boolean functions. In Sect. 5, we construct a new class of balanced vectorial Boolean functions by modifying the Maiorana-McFarland functions. In Sect. 6, we construct a balanced \((4t,t-1)\)-function (\(t\ge 5\)) such that the differential-linear uniformity is strictly less than \(2^{2t-1}\) and nonlinearity is lower bounded by \(2^{4t-1}-2^{2t-1}-2^{t+1}\). Further, we calculate the total number of gates which is required to implement such circuits in worst case.

Before proceeding further let us present some background material.

2 Preliminaries

Let \(\mathbb F_2\), \(\mathbb F_2^n\) and \(\mathbb F_{2^n}\) be the prime field of characteristic 2, an n-dimensional vector space over \(\mathbb F_2\) and a finite field of degree of extension n over \(\mathbb F_2\), respectively. The cardinality of a set A is denoted as \(\# A\). Given two integers n and m, a mapping from the vector space \({\mathbb F}_2^n\) to the vector space \({\mathbb F}_2^m\) is often called an (n, m)-function or a vectorial Boolean function if the values n and m are omitted. An (n, m)-function can be viewed as a function S from the finite field \({\mathbb F}_{2^n}\) to the finite field \({\mathbb F}_{2^m}\). Particularly, S is called a Boolean function when \(m=1\), and set of all n-variable Boolean functions is denoted as \(\mathcal B_n\). Let S be an (n, m)-function, the Boolean functions \(s_1,s_2,\ldots ,s_m\) in n variables defined by \(S(x) =(s_1(x),s_2(x),\ldots , s_m(x))\) are called the coordinate functions of S. Further, the Boolean functions, which are the linear combinations, with non all-zero coefficients of the coordinate functions of S, are called component functions of S. The component functions of S can be expressed as \(\lambda \cdot S\) where \(\lambda \in {\mathbb F}_2^{m*}\), all nonzero m-bit vectors. It is known that the vector space \({\mathbb F}_2^n\) is isomorphic to the finite field \({\mathbb F}_{2^n}\) through the choice of some basis of \({\mathbb F}_{2^n}\) over \({\mathbb F}_2\). Indeed, if \(\{\lambda _1, \lambda _2,\ldots ,\lambda _n\}\) is a basis of \({\mathbb F}_{2^n}\) over \({\mathbb F}_2\), then every vector \(x=(x_1,\ldots ,x_n)\) of \({\mathbb F}_2^n\) can be identified with the element \(x_1\lambda _1+x_2\lambda _2+\cdots +x_n\lambda _n\in {\mathbb F}_{2^n}\). The finite field \({\mathbb F}_{2^n}\) can then be viewed as an n-dimensional vector space over \({\mathbb F}_2\). If we identify every element of \({\mathbb F}_2^m\) with an element of finite field \({\mathbb F}_{2^m}\), then the nonzero component functions \(s_\lambda \) of S can be expressed as \(\mathrm {Tr}_1^m(\lambda S)\), where \(\lambda \in {\mathbb F}_{2^m}^*\) and \(\mathrm {Tr}_1^m(x)=\sum _{i=0}^{m-1} x^{2^i}\). For any \((\alpha ,\lambda )\in {\mathbb F}_2^n \times {\mathbb F}_2^{m*}\), the Walsh–Hadamard transform of S at \((\alpha ,\lambda )\) is defined as

$$\begin{aligned} W_{\lambda \cdot S}(\alpha )=\sum _{x\in {\mathbb F}_2^n}(-1)^{\lambda \cdot S(x)+\alpha \cdot x}. \end{aligned}$$

If S is defined on a finite field, the Walsh–Hadamard transform of S at \((\alpha ,\lambda )\in {\mathbb F}_{2^n}\times {\mathbb F}_{2^m}^*\) is defined as

$$\begin{aligned} W_{\mathrm {Tr}_1^m(\lambda S)}(\alpha )=\sum _{x\in {\mathbb F}_{2^n}}(-1)^{\mathrm {Tr}_1^m(\lambda S(x))+\mathrm {Tr}_1^n(\alpha x)}. \end{aligned}$$

The nonlinearity nl(S) of an (n, m)-function S is the minimum Hamming distance between all the component functions of S and all affine functions in n variables. According to the definition of Walsh–Hadamard transform, we have

$$\begin{aligned} nl(S)= & {} 2^{n-1}-\frac{1}{2} \max _{(\alpha ,\lambda )\in {\mathbb F}_2^n\times {\mathbb F}_2^{m*}} |W_{\lambda \cdot S}(\alpha )|\\= & {} 2^{n-1}-\frac{1}{2} \max _{(\alpha ,\lambda )\in {\mathbb F}_{2^n}\times {\mathbb F}_{2^m}^*} |W_{\mathrm {Tr}_1^m(\lambda S)}(\alpha )|. \end{aligned}$$

The nonlinearity nl(S) is upper-bounded by \(2^{n-1}-2^{\frac{n-1}{2}}\) when \(m=n\). This upper bound is tight for odd \(m=n\). For even \(m=n\), the best known value of the nonlinearity of (n, m)-functions is \(2^{n-1}-2^{\frac{n}{2}}\).

Definition 1

([1]). For a vectorial Boolean function \(S:{\mathbb F}_2^n\rightarrow {\mathbb F}_2^m\), the DLCT of S is an \(2^n\times 2^m\) table, whose rows correspond to input differences to S and whose columns correspond to bit masks of outputs of S. The value in the cell \((\varDelta , \lambda )\), where \(\varDelta \in {\mathbb F}_2^n\) is a difference and \(\lambda \in {\mathbb F}_2^m\) is a mask, is

$$\mathrm {DLCT}_S(\varDelta ,\lambda )=\#\{x: \lambda \cdot S(x)=\lambda \cdot S(x+\varDelta )\}-2^{n-1}.$$

It can be seen that \(\mathrm {DLCT}_S(\varDelta ,\lambda )=2^{n-1}\) if \(\varDelta =0\) or \(\lambda =0\). As mentioned in [1], if the DLCT of an Sbox (vectorial Boolean function) used in block ciphers contains many very high/very low values, excluding the cases \(\varDelta =0\) or \(\lambda =0\), then this Sbox can be used by an adversary to carry out the differential-linear (DL) attacks. So one can define the differential-linear uniformity of S.

Definition 2

For a vectorial Boolean function \(S:{\mathbb F}_2^n\rightarrow {\mathbb F}_2^m\), the differential-linear uniformity of S is defined as

$$\mathrm {DL}(S)=\max _{(\varDelta , \lambda )\in {\mathbb F}_2^{n*}\times {\mathbb F}_2^{m*}}|\mathrm {DLCT}_S(\varDelta ,\lambda )|.$$

The autocorrelation of a Boolean function \(f\in \mathcal B_n\) at point \(\varDelta \in {\mathbb F}_2^n\), \(\mathrm {C}_f(\varDelta )\), is defined as

$$\begin{aligned} \mathrm {C}_f(\varDelta )=\sum _{x\in {\mathbb F}_2^n} (-1)^{f(x)+f(x+\varDelta )}. \end{aligned}$$

It is known [19, Proposition 2.3] that \(\mathrm {DLCT}_S(\varDelta ,\lambda )=\frac{1}{2} \mathrm {C}_{\lambda \cdot S}(\varDelta )\) and then the differential-linear uniformity of S can be expressed as

$$\begin{aligned} \mathrm {DL}(S)=\max _{(\varDelta , \lambda )\in {\mathbb F}_2^{n*}\times {\mathbb F}_2^{m*}}\frac{1}{2} \bigg |\mathrm {C}_{\lambda \cdot S}(\varDelta )\bigg |. \end{aligned}$$

(1)

Additionally, for any (n, n)-function S over \({\mathbb F}_{2^n}\), its differential-linear uniformity can be computed as

$$\begin{aligned} \mathrm {DL}(S)=\max _{(\varDelta , \lambda )\in {\mathbb F}_{2^n}^*\times {\mathbb F}_{2^n}^*}\frac{1}{2} \bigg |\mathrm {C}_{\mathrm{Tr}_1^n(\lambda S)}(\varDelta )\bigg |. \end{aligned}$$

(2)

For any (n, m)-function S, let us define \(\delta _S(\varDelta ,\delta )=\{x\in \mathbb F_2^n:~S(x)+S(x+\varDelta )=\delta \}\), where \(\varDelta \in \mathbb F_2^n\) and \(\delta \in \mathbb F_2^m\). The differential distribution table (DDT) of S is an \(2^n\times 2^m\) matrix such that the coefficient at \((\varDelta ,\delta )\) is defined by

$$\begin{aligned} \mathrm {DDT}_S(\varDelta ,\delta )=\#\delta _S(\varDelta ,\delta ). \end{aligned}$$

It is known that the maximum number of possible distinct \(\delta \)’s is \(\min \{2^{n-1},2^m\}\), and if \(n=m,~\varDelta \ne 0\) and S is permutation, then \(\delta \ne 0\). Suppose

$$\begin{aligned} \delta (S)=\max \{\mathrm {DDT}_S(\varDelta ,\delta ):~\varDelta \in \mathbb F_2^{n*},~\delta \in \mathbb F_2^m\}. \end{aligned}$$

Then, \(\delta (S)\equiv 0 \pmod 2\) and the function S is called differentially \(\delta (S)\)-uniform. For \(n=m\), \(\delta (S)\ge 2\), and if a function S satisfy the equality, then S is called an almost perfect nonlinear (APN) function [6, Definition 9.8]. Bar-On et al. [1] derived the relation between DLCT and DDT as follow.

$$\begin{aligned} \mathrm {DLCT}_S(\varDelta ,\lambda )=\frac{1}{2}\sum _{v\in \mathbb F_2^m} (-1)^{v\cdot \lambda } \mathrm {DDT}_S(\varDelta ,v). \end{aligned}$$

3 Properties of DLCT

Li et al. [19] and Anne et al. [4, 5] recently derived many properties of DLCT along with the bounds of DL of vectorial Boolean functions. They first derived the connection between the DLCT and autocorrelation of vectorial Boolean functions, and then presented generic bounds on the maximum absolute value occurring in the DLCT of vectorial Boolean functions. The properties are mainly related to the connection between DLCT and Walsh–Hadamard transform [19, Proposition 3.1] and DLCT and DDT [19, Proposition 3.3] of vectorial Boolean functions. We further derive some properties of DLCT and provide a necessary and sufficient condition so that \(|\mathrm {DLCT}_S(\varDelta ,\lambda )|=2^{n-1}\), \(\varDelta \in \mathbb F_2^{n*}\) and \(\lambda \in \mathbb F_2^{m*}\).

Let us denote \(E_a^0=\{x\in \mathbb F_2^n:~a\cdot x=0\}\), \(a\in \mathbb F_2^n\). We know that for any nonzero \(a\in \mathbb F_2^n\), \(E_a^0\) is a linear subspace of \(\mathbb F_2^n\) of dimension \(n-1\). For any (n, m)-function S, it is clear that \(\mathbb F_2^n=\cup _{\delta \in \mathbb F_2^m} \delta _S(\varDelta ,\delta )\) and \(\delta _S(\varDelta ,\delta )\cap \delta _S(\varDelta ,\delta ')=\emptyset \), if \(\delta \ne \delta '\), for all \(\varDelta \in \mathbb F_2^n\).

Proposition 1

For any (n, m)-function S, \(\mathrm {DLCT}_S(\varDelta ,\lambda )=\sum _{\delta \in E_{\lambda }^0}\) \(\mathrm {DDT}_S(\varDelta ,\delta ) -2^{n-1}\), where \(\varDelta \in \mathbb F_2^n\) and \(\lambda \in \mathbb F_2^m\).

Proof

For any \(\varDelta \in \mathbb F_2^n\) and \(\lambda \in \mathbb F_2^m\),

$$\begin{aligned} \begin{aligned} \mathrm {DLCT}_S(\varDelta ,\lambda )+2^{n-1}&=\#\{x\in \mathbb F_2^n:~\lambda (S(x)+S(x+\varDelta ))=0\}\\&=\#\bigcup _{\delta \in \mathbb F_2^m}\{\delta _S(\varDelta ,\delta ):~\lambda \cdot \delta =0\} =\sum _{\delta \in E_{\lambda }^0} \mathrm {DDT}_S(\varDelta ,\delta ). \end{aligned} \end{aligned}$$

Let us define, \(Im(D_{\varDelta }S)=\{y\in \mathbb F_2^m:~y=S(x)+S(x+\varDelta ),~x\in \mathbb F_2^n\}\), \(\varDelta \in \mathbb F_2^n\). Here, \(\#Im(D_{\varDelta }S)\le \min \{2^{n-1},2^m\}=2^{\min \{n-1,m\}}\), and for an APN function S, \(\#Im(D_{\varDelta }S)=2^{n-1}\), for all \(\varDelta \in \mathbb F_2^{n*}\).

Corollary 1

Let S be an (n, m)-function. For any \(\varDelta \in \mathbb F_2^{n*}\) and \(\lambda \in \mathbb F_2^{m*}\), \(\mathrm {DLCT}_S(\varDelta ,\lambda )=2^{n-1}\) if and only if \(Im(D_{\varDelta }S)\subset E_{\lambda }^0\). Moreover, \(\mathrm {DLCT}_S(\varDelta ,\lambda )=-2^{n-1}\) if and only if \(Im(D_{\varDelta }S)\subset \mathbb F_2^m\setminus E_{\lambda }^0\).

Proof

Suppose, there exists \(\varDelta \in \mathbb F_2^{n*}\) and \(\lambda \in \mathbb F_2^{m*}\) such that \(\mathrm {DLCT}_S(\varDelta ,\lambda )=2^{n-1}\). From Proposition 1, we get \(Im(D_{\varDelta }S)\subset E_{\lambda }^0\). If there exists \(\delta \in Im(D_{\varDelta }S)\) but \(\delta \not \in E_{\lambda }^0\), then \(\sum _{\delta \in E_{\lambda }^0} \mathrm {DDT}_S(\varDelta ,\delta )\le 2^n-2\), and so, \(\mathrm {DLCT}_S(\varDelta ,\lambda )\le 2^{n-1}-2\). Similarly, we can prove the other claim.

From the above result, it is clear that \(\mathrm {DL}(S)=2^{n-1}\) if and only if there exist a \(\varDelta \in \mathbb F_2^{n*}\) and \(\lambda \in \mathbb F_2^{m*}\) such that \(Im(D_{\varDelta }S)\subset E_{\lambda }^0\) or \(Im(D_{\varDelta }S)\subset \mathbb F_2^m\setminus E_{\lambda }^0\).

For example let, \(n=m=4\), \(\varDelta =0100, \lambda =0001\) and \(S(x_1,x_2,x_3,x_4)=(x_1x_2,x_2x_3,x_3x_4,x_1x_4)\). We identify an element \((x_1,x_2,x_3,x_4)\in \mathbb F_2^4\) by \(x_1x_2x_3x_4\). Then \(D_{0100}S(x)=(x_1,x_3,0,0)\), and so, \(Im(D_{0100}S)=\{0000,1000,0100,1100\}\subset E_{0001}^0\). Thus, \(\mathrm {DLCT}_S(0100,0001)=\sum _{\delta \in E_{0001}^0} \mathrm {DDT}_S(0100,\delta )-8=8\).

From Corollary 1, we get the next result for APN permutations (i.e., \(n=m\) and \(\#Im(D_{\varDelta }S)=2^{n-1}\), for all \(\varDelta \in \mathbb F_2^{n*}\)). Li et al. [19] proved that \(\mathrm {DL}(S)\) of S over \(\mathbb F_2^n\) is lower bounded by \(2^{n-1}\sqrt{\frac{1}{2^n-1}}\). We derive the upper bounds of differential-linear uniformity of APN permutations.

Corollary 2

Let S be an APN permutation over \(\mathbb F_2^n\). For any \(\varDelta ,\lambda \in \mathbb F_2^{n*}\),

$$\begin{aligned} \mathrm {DLCT}_S(\varDelta ,\lambda )\le 2^{n-1}-2. \end{aligned}$$

Moreover, \(\mathrm {DLCT}_S(\varDelta ,\lambda )+ 2^{n-1}=0\) if and only if \(Im(D_{\varDelta }S)=\mathbb F_2^n\setminus E_{\lambda }^0\).

Proof

Since \(\mathbf{0}\in E_{\lambda }^0\) but \(\mathbf{0}\not \in Im(D_{\varDelta }S)\) for any \(\varDelta \in \mathbb F_2^{n*}\), and \(\# E_{\lambda }^0=\# Im(D_{\varDelta }S)=2^{n-1}\). From Proposition 1 and Corollary 1, we get the claims.

Form the above corollary it is clear that \(\mathrm {DL}(S)=2^{n-1}\) of an APN permutation S over \(\mathbb F_2^n\) if and only if there exist a \(\varDelta ,\lambda \in \mathbb F_2^{n*}\) such that \(Im(D_{\varDelta }S)=\mathbb F_2^n\setminus E_{\lambda }^0\). The following problem was proposed by Li et al. [19].

Problem 1

[19, Problem 1]. For an odd integer n, are there (n, n)-functions S other than the Kasami–Welch APN functions that have \(\mathrm {DL}(S)=2^{\frac{n-1}{2}}\)?

We observe that it can be possible to find an (n, n)-function other than Kasami–Welch APN that have \(\mathrm {DL}(S)=2^{\frac{n-1}{2}}\). For that \(\# E_{\lambda }^0\cap Im(D_{\varDelta }S)\) lies between two particular numbers, for all \(\varDelta ,\lambda \in \mathbb F_2^{n*}\). We are working on it and try to identify such APN function computationally.

Theorem 1

Let n be an odd integer. For an APN (n, n)-function S, \(\mathrm {DL}(S)=2^{\frac{n-1}{2}}\) if and only if for any \(\varDelta , \lambda \in \mathbb F_2^{n*}\)

$$\begin{aligned} 2^{n-2}-2^{\frac{n-1}{2}-1} \le \# E_{\lambda }^0\cap Im(D_{\varDelta }S) \le 2^{n-2}+2^{\frac{n-1}{2}-1}. \end{aligned}$$

Proof

Suppose for an APN (n, n)-function S, \(\mathrm {DL}(S)=2^{\frac{n-1}{2}}\). Thus, for any \(\varDelta , \lambda \in \mathbb F_2^{n*}\)

$$\begin{aligned} \begin{aligned}&-2^{\frac{n-1}{2}} \le \mathrm {DLCT}_S(\varDelta ,\lambda ) \le 2^{\frac{n-1}{2}}\\ \Leftrightarrow \;\;&2^{n-1}-2^{\frac{n-1}{2}} \le \mathrm {DLCT}_S(\varDelta ,\lambda )+2^{n-1} \le 2^{n-1}+2^{\frac{n-1}{2}}\\ \Leftrightarrow \;\;&2^{n-1}-2^{\frac{n-1}{2}} \le \sum _{\delta \in E_{\lambda }^0} \mathrm {DDT}_S(\varDelta ,\delta ) \le 2^{n-1} +2^{\frac{n-1}{2}}\\ \Leftrightarrow \;\;&2^{n-2}-2^{\frac{n-1}{2}-1} \le \# E_{\lambda }^0\cap Im(D_{\varDelta }S) \le 2^{n-2}+2^{\frac{n-1}{2}-1}. \end{aligned} \end{aligned}$$

4 On the Differential-Linear Uniformity of Known Balanced Vectorial Boolean Functions

Till date, there are many classes of balanced vectorial Boolean functions with good cryptographic properties have been proposed. These functions are mainly based on the modifications of the inverse function over finite fields and the Maiorana-McFarland bent function over vector spaces. Li et al. [19, Thorem 4.2] and Anne et al. [5, Theorem 4] proved that the differential-linear uniformity of any quadratic (n, n)-function is \(2^{n-1}\) and calculated the possible values of DLCT for the function \(x^{2^i+1}\) [19, Corollary 4.3]. In this section we discuss some results on the differential-linear uniformity of known balanced vectorial Boolean functions.

4.1 The Differential-Linear Uniformity of the Inverse Function and Its Modifications

The inverse function \(I(x)=x^{2^n-2}\) is bijective on \({\mathbb F}_{2^n}\). The inverse function is differentially 4-uniform when n is even and is APN when n is odd [22]. Li et al. [19] derived the differential-linear uniformity of I, and proved that if \(n=2k\), then \(\mathrm {DL}(I)=2^k\). This class of functions has best known nonlinearity \(2^{n-1}-2^{n/2}\) when n is even and has maximum algebraic degree \(n-1\). It is used as the Sbox of the Advanced Encryption Standard with \(n=8\). Since the inverse function is a differentially 4-uniform bijection when n is even and has best known nonlinearity and maximum algebraic degree, many works on the constructions of new differentially 4-uniform bijections by modifying the inverse function have been done, see for instance [24,25,26,27, 30, 32]. There are some differentially 4-uniform functions, which are bijective but not derived from the inverse function [9, 14]. Indeed, those works obtained differentially 4-uniform bijections by permuting the values of the inverse function with even dimensions in two methods. In [27], Qu et al. considered differentially 4-uniform bijections in the form of \(I_1(x)=x^{2^n-2}+f(x)\), where f are well-choose Boolean functions such that \(f(x^{2^n-2})+f(x^{2^n-2}+1)=0\). In [30], Tang et al. provided differentially 4-uniform bijections in the form of \(I_2(x)=(x+g(x))^{2^n-2}\), where g are well-choose Boolean functions such that \(g(x)+g(x+1)=0\).

Let us consider the differential-linear uniformity of the revised inverse functions \(I_1\) and \(I_2\). To this end, we first give some preliminary results which are particularly useful to derive our results. For any integer \(n>0\), the Kloosterman sums over \({\mathbb F}_{2^n}\) are defined as

$$\mathcal {K}(a)=\sum _{x\in {\mathbb F}_{2^n}}(-1)^{\mathrm{Tr}_1^n(x^{2^n-2}+\alpha x)},$$

where \(\alpha \in {\mathbb F}_{2^n}\). In fact, the Kloosterman sums are generally defined on the multiplicative group \({\mathbb F}_{2^n}^*\). We extend them to 0 by assuming \((-1)^0=1\). The following lemmas are well-known.

Lemma 1

([16]). For any positive integer n, the set \(\{\mathcal {K}(a) : a\in {\mathbb F}_{2^n}\}\) equals the set of all those values which are divisible by 4 in the range \([-2^{{n/2}+1}+1,2^{{n/2}+1}+1]\).

Lemma 2

([8]). For any positive integer n and any \(\varDelta \in {\mathbb F}_{2^n}^*\), we have

$$\mathrm {C}_{\mathrm {Tr}_1^n(\lambda I)}(\varDelta )=\mathcal {K}\left( \frac{\lambda }{\varDelta }\right) +\bigg (2(-1)^{\mathrm{Tr}_1^n(\frac{\lambda }{\varDelta })}-2\bigg ).$$

We are ready now to present lower bounds on the differential-linear uniformity of the revised inverse functions \(I_1\) and \(I_2\).

Theorem 2

For any \(I_1\) and \(I_2\), we have \(\mathrm {DL}(I_1)\ge 2^{n/2}-2\) and \(\mathrm {DL}(I_2)\ge \frac{1}{2}\Big (1-\sum _{t=0}^{\lfloor n/2\rfloor }(-1)^{n-t}\frac{n}{n-t}{{n-t}\atopwithdelims (){t}}2^t\Big )\).

Proof

We first consider the differential-linear uniformity of the functions \(I_1\). Note that for any \(\varDelta \in {\mathbb F}_{2^n}^*\) we have

$$\begin{aligned} \mathrm {DLCT}_{I_1}(\varDelta ,1)= & {} \frac{1}{2} \mathrm {C}_{\mathrm{Tr}_1^n(I_1)}(\varDelta ) =\frac{1}{2}\sum _{x\in {\mathbb F}_{2^n}}(-1)^{\mathrm{Tr}_1^n\big (\frac{1}{x}+\frac{1}{x+\varDelta }+f(x)+f(x+\varDelta )\big )} \\= & {} \frac{1}{2}\sum _{x\in {\mathbb F}_{2^n}}(-1)^{\mathrm{Tr}_1^n\big (\frac{1}{x}+\frac{1}{x+\varDelta }\big )} =\frac{1}{2}\mathrm {C}_{\mathrm {Tr}_1^n(I)}(\varDelta ), \end{aligned}$$

where \(\mathrm{Tr}_1^n(f(z))=0~\text {for~any~}z\in {\mathbb F}_{2^n}\) on even n is used in the penultimate identity. Then by Lemmas 1 and 2 we immediately get that \(\mathrm {DL}(I_1)\ge 2^{n/2}-2\). We shall now discuss the differential-linear uniformity of the functions \(I_2\). Note that

$$\begin{aligned} \mathrm {DLCT}_{I_2}(1,1)= & {} \frac{1}{2} \mathrm {C}_{\mathrm{Tr}_1^n(I_2)}(1) =\frac{1}{2}\sum _{x\in {\mathbb F}_{2^n}}(-1)^{\mathrm{Tr}_1^n\big (\frac{1}{x+g(x)}+\frac{1}{x+1+g(x+1)}\big )} \\= & {} \frac{1}{2}\sum _{x\in {\mathbb F}_{2^n}}(-1)^{\mathrm{Tr}_1^n\big (\frac{1}{x+g(x)}+\frac{1}{x+g(x)+1}\big )} =\frac{1}{2}\sum _{y\in {\mathbb F}_{2^n}}(-1)^{\mathrm{Tr}_1^n\big (\frac{1}{y}+\frac{1}{y+1}\big )}\\= & {} \frac{1}{2}\mathrm {C}_{\mathrm {Tr}_1^n(I)}(1), \end{aligned}$$

where \(g(x)+g(x+1)=0\) is used in the third identity and \(x+g(x)\) are bijective on \({\mathbb F}_{2^n}\) is used in the penultimate identity. It is well-known that (see, e.g., [7]) \(\mathcal {K}(1)=1-\sum _{t=0}^{\lfloor n/2\rfloor }(-1)^{n-t}\frac{n}{n-t}{{n-t}\atopwithdelims (){t}}2^t\). Therefore, by Lemma 2 we have \(\mathrm {DL}(I_2)\ge \frac{1}{2}\big (1-\sum _{t=0}^{\lfloor n/2\rfloor }(-1)^{n-t}\frac{n}{n-t}{{n-t}\atopwithdelims (){t}}2^t\big )\). This completes the proof.

4.2 The Differential-Linear Uniformity of the Maiorana-McFarland Bent Function and Its Modifications

Let us recall the class of Maiorana-McFarland (M-M) bent function, which is defined as

$$\begin{aligned} h(x,y)=\phi (x)\cdot y+s(x), \end{aligned}$$

(3)

where \(x,y\in {\mathbb F}_2^{k}\), \(\phi \) is an arbitrary permutation on \({\mathbb F}_2^k\), and s is an arbitrary Boolean function on k variables. Such class of bent functions was discovered independently by Maiorana and McFarland (see [10, 21]), which includes a huge numbers of bent functions. The essential of every M-M bent function is a concatenation of \(2^k\) affine functions in k variables and the linear parts of these \(2^k\) affine functions are pairwise distinct. Then h can be written as a concatenation of \(2^k\) affine functions on k variables, i.e.,

$$\begin{aligned} h=h_{0}||h_{1}||\ldots ||h_{2^k-1}, \end{aligned}$$

where \(h_{i}(y)=h(x^i,y)\), for all \(y\in \mathbb F_2^k\), are affine functions, \(x^i\in \mathbb F_2^k, 0\le i\le 2^k-1\). The affine function \(h_i\) is called a block of length \(2^k\). It should be noted that every M-M bent function on 2k variables is unbalanced since it contains a block of length \(2^k\) with constant values 0 or 1. A basic idea to obtain balanced Boolean function from M-M bent functions is to replace this block by a balanced Boolean function g on k variables. Further, one can obtain balanced vectorial Boolean functions with differently well-chosen mappings \(\phi \) and differently well-chosen functions g on k variables, see for examples [33]. Thus, for obtaining the differential-linear uniformity of such kind of balanced vectorial Boolean functions, it is sufficient to discuss the balanced Boolean functions obtained by replacing the constant block. The all-zero vector of \(\mathbb F_2^k\) is denoted by \(\mathbf{0}\). We consider balanced Boolean functions in the form of

$$\begin{aligned} f(x,y)= \left\{ \begin{array}{llll} \phi (x)\cdot y, &{} \text {if}~ x\ne \mathbf{0}\\ g(y), &{} \text {if}~ x=\mathbf{0}\end{array} \right. , \end{aligned}$$

(4)

where \(x,y\in \mathbb F_2^{k}\), \(\phi \) is a permutation on \(\mathbb F_2^k\) such that \(\phi (\mathbf{0})=\mathbf{0}\), and g is a balanced Boolean function on \({\mathbb F}_2^k\).

Lemma 3

Let f be an \(n=2k\)-variable Boolean function generated by (4), then for any \((a,b)\in {\mathbb F}_2^k\times {\mathbb F}_2^k\) we have

$$\begin{aligned} {\mathrm C}_f(a,b)= \left\{ \begin{array}{llll} 2^n &{} \mathrm {if}~ a=b=\mathbf{0}\\ -2^k+{\mathrm C}_g(b),&{} \mathrm {if}~ a= \mathbf{0}, b\in {\mathbb F}_2^{k*}\\ 2(-1)^{\phi (a)\cdot b}W_g(\phi (a)),&{} \mathrm {if}~ a\in {\mathbb F}_2^{k*}, b\in {\mathbb F}_2^k\\ \end{array} \right. . \end{aligned}$$

Proof

It follows from the definition of autocorrelation function that

$$\begin{aligned} {\mathrm C}_f(a,b)= & {} \sum _{(a,b)\in {\mathbb F}_2^k\times {\mathbb F}_2^k}(-1)^{f(x,y)+ f(x+ a,y+ b)} \end{aligned}$$

(5)

for any \((a,b)\in {\mathbb F}_2^k\times {\mathbb F}_2^k\). Clearly, we have \({\mathrm C}_f(\mathbf{0},\mathbf{0})=2^n\). We now consider the values of \({\mathrm C}_f(a,b)\) for all \((a,b)\in {\mathbb F}_2^k\times {\mathbb F}_2^k\setminus \{(\mathbf{0},\mathbf{0})\}\). Basically, our discussion is built on the facts that \(\sum _{x\in {\mathbb F}_2^{k*}} (-1)^{c \cdot x}\) equals \(-1\) if \(c\in {\mathbb F}_2^{k*}\), and equals \(2^k-1\) otherwise. We consider the following two cases:

[Case 1.] Let \((a,b)\in \{\mathbf{0}\}\times {\mathbb F}_2^{k*}\). It can be easily seen that in this case Eq. (5) becomes

$$\begin{aligned} {\mathrm C}_f(a,b)= & {} \sum _{(x,y)\in \{\mathbf{0}\}\times {\mathbb F}_2^k}(-1)^{f(\mathbf{0},y)+ f(\mathbf{0},y+ b)}+\sum _{(x,y)\in {\mathbb F}_2^{k*}\times {\mathbb F}_2^k}(-1)^{f(x,y)+ f(x,y+ b)}\\= & {} \sum _{y\in {\mathbb F}_2^k}(-1)^{g(y)+ g(y+ b)}+\sum _{(x,y)\in {\mathbb F}_2^{k*}\times {\mathbb F}_2^k}(-1)^{\phi (x)\cdot y+ \phi (x)\cdot (y+ b)}\\= & {} {\mathrm C}_g(b)+\sum _{(x,y)\in {\mathbb F}_2^{k*}\times {\mathbb F}_2^k}(-1)^{\phi (x)\cdot b}\\= & {} {\mathrm C}_g(b)+2^k\sum _{x\in {\mathbb F}_2^{k*}}(-1)^{\phi (x)\cdot b}\\= & {} -2^k+{\mathrm C}_g(b). \end{aligned}$$

[Case 2.] Let \((a,b)\in {\mathbb F}_2^{k*}\times {\mathbb F}_2^k\). In this case Eq. (5) becomes [4]

$$\begin{aligned}&{\mathrm C}_f(a,b) =\sum _{\begin{array}{c} x\in \{\mathbf{0},a\} \\ y\in {\mathbb F}_2^k \end{array}}(-1)^{f(x,y)+ f(x+ a,y+ b)}+\sum _{\begin{array}{c} x\in {\mathbb F}_2^k\setminus \{\mathbf{0},a\} \\ y\in {\mathbb F}_2^k \end{array}}(-1)^{f(x,y)+ f(x+ a,y+ b)}\\= & {} \sum _{y\in {\mathbb F}_2^k}\Big ((-1)^{f(\mathbf{0},y)+ f(a,y+ b)}+(-1)^{f(a,y)+ f(\mathbf{0},y+ b)}\Big )+\sum _{\begin{array}{c} x\in {\mathbb F}_2^k\setminus \{\mathbf{0},a\} \\ y\in {\mathbb F}_2^k \end{array}}(-1)^{f(x,y)+ f(x+ a,y+ b)}\\= & {} 2\sum _{y\in {\mathbb F}_2^k}(-1)^{g(y)+ \phi (a)\cdot (y+ b)}+\sum _{\begin{array}{c} x\in {\mathbb F}_2^k\setminus \{\mathbf{0},a\} \\ y\in {\mathbb F}_2^k \end{array}}(-1)^{\phi (x)\cdot y+ \phi (x+ a)\cdot (y+ b)}\\= & {} 2(-1)^{\phi (a)\cdot b}W_g(\phi (a))+\sum _{x\in {\mathbb F}_2^k\setminus \{\mathbf{0},a\}}(-1)^{\phi (x+ a)\cdot b}\sum _{y\in {\mathbb F}_2^k}(-1)^{z\cdot y}\\= & {} 2(-1)^{\phi (a)\cdot b}W_g(\phi (a)), \end{aligned}$$

where \(z=\phi (a)+ \phi (x+ a)\) which is nonzero for any \(a\in {\mathbb F}_2^{k*}\) and \(x\in {\mathbb F}_2^k\setminus \{\mathbf{0},a\}\).

Theorem 3

Let f be an \(n=2k\)-variable Boolean function generated by (4) and there exists \(b\in \mathbb F_2^{k*}\) such that \(\mathrm C_g(b)=0\). If f is a component function of an (n, m)-function S, then we have \(\mathrm {DL}(S)\ge 2^{k-1}\).

5 A New Class of Balanced Vectorial Boolean Functions from Maiorana-McFarland Functions

We know that the cardinality of the support set of an 2k-variable bent function f of the form \(\phi (x)\cdot y\) is \(2^{2k-1}-2^{k-1}\), where \(\phi \) is a permutation over \(\mathbb F_2^k\). So if we change the \(2^{k-1}\) outputs values of f from 0 to 1, the modified function become balanced. Tang et al. [28, Construction 1] constructed the balanced Boolean functions having high nonlinearity and very low absolute indicator, the maximum absolute autocorrelation value, by modifying the M-M class of bent functions. We use the same method to construct the coordinate functions of a balanced (n, m)-function. In the next section we identify an \((4t,t-1)\)-function (\(t\ge 5\)) with differential-linear uniformity strictly less than \(2^{2t-1}\) using the Construction 1.

Construction 1

Let \(n=2k\) be an even integer not less than 4. We construct an (n, m)-function F whose coordinate functions \(f_i\)’s \((1\le i \le m)\) are defined as follows:

$$\begin{aligned} f_i(x,y)=\left\{ \begin{array}{llll} u_i(y),&{}\mathrm {if~}(x,y)\in \{\mathbf{0}\}\times {\mathbb F}_2^k\\ \phi _i(x)\cdot y, &{}\mathrm {if~}(x,y)\in {\mathbb F}_2^{k*}\times {\mathbb F}_2^{k*}\\ v_i(x), &{}\mathrm {if~}(x,y)\in {\mathbb F}_2^{k*}\times \{\mathbf{0}\} \end{array} \right. , \end{aligned}$$

where

1. (1)

   \(x,y\in {\mathbb F}_2^k\),

2. (2)

   \(\phi _i\)’s are mappings from \({\mathbb F}_2^k\) to itself satisfying for any \((l_1,l_2,\cdots ,l_m)\in {\mathbb F}_2^{m*}\) the linear combination \(l_1\phi _1+ l_2\phi _2+ \cdots + l_m\phi _m\) is a permutation on \({\mathbb F}_2^k\) such that \(l_1\phi _1(\mathbf{0})+ l_2\phi _2(\mathbf{0})+ \cdots + l_m\phi _m(\mathbf{0})=\mathbf{0}\), and

3. (3)

   \(u_i\)’s and \(v_i\)’s are Boolean functions over \({\mathbb F}_2^k\) satisfying for any \((l_1,l_2,\cdots ,l_m)\in {\mathbb F}_2^{m*}\) \(\mathrm {wt}(l_1u_1+ l_2u_2+ \cdots + l_mu_m)+\mathrm {wt}(l_1v_1+ l_2v_2+ \cdots + l_mv_m)=2^{k-1}\) and \(l_1u_1(\mathbf{0})+ l_2u_2(\mathbf{0})+ \cdots + l_mu_m(\mathbf{0})=l_1v_1(\mathbf{0})+ l_2v_2(\mathbf{0})+ \cdots + l_mv_m(\mathbf{0})=0\).

Theorem 4

For any \(n=2k\ge 4\), every (n, m)-function F generated by Construction 1 is balanced.

Proof

The cardinality of the support set of any nonzero component function of F is \(2^{n-1}\).

Theorem 5

Let \(n=2k\ge 4\) and F be an (n, m)-function generated by Construction 1. For any \(l=(l_1,l_2,\cdots ,l_m)\in {\mathbb F}_2^{m*}\), we have

$$\begin{aligned} W_{l{\cdot } F}(a,b)= & {} \left\{ \begin{array}{lll} 0, &{}\mathrm {if~}(a,b)=(\mathbf{0},\mathbf{0})\\ W_{l{\cdot } U}(b)+W_{l{\cdot } V}(\mathbf{0}), &{}\mathrm {if~}(a,b)\in \{\mathbf{0}\}\times {\mathbb F}_2^{k*}\\ W_{l{\cdot } U}(\mathbf{0})+W_{l{\cdot } V}(a), &{}\mathrm {if~}(a,b)\in {\mathbb F}_2^{k*}\times \{\mathbf{0}\}\\ (-1)^{(l{\cdot } \varPhi )^{-1}(b)\cdot a}2^k+W_{l{\cdot } U}(b)+W_{l{\cdot } V}(a), &{}\mathrm {if~}(a,b)\in {\mathbb F}_2^{k*}\times {\mathbb F}_2^{k*} \end{array} \right. , \end{aligned}$$

where \(U=(u_1,u_2,\ldots ,u_m)\), \(V=(v_1,v_2,\ldots ,v_m)\), \(\varPhi =(\phi _1,\phi _2,\dots ,\phi _m)\) in which \(u_i\)’s and \(v_i\)’s are k-variable Boolean functions and \(\phi _i\)’s are permutations over \(\mathbb F_2^k\) used in Construction 1.

Proof

For any \(l\in \mathbb F_2^{m*}\), \(l\cdot F(x,y)=l_1f_1(x,y)+\cdots +l_mf_m(x,y)\), for all \(x,y\in \mathbb F_2^k\). We know that \(\sum _{x\in {\mathbb F}_2^{k*}} (-1)^{u \cdot x}\) equals \(-1\) if \(u\in {\mathbb F}_2^{k*}\) and equals \(2^k-1\) otherwise. For any \((a,b)\in {\mathbb F}_2^k\times {\mathbb F}_2^k\), we have

$$\begin{aligned} W_{l\cdot F}(a,b)= & {} \sum _{(x,y)\in {\mathbb F}_2^k\times {\mathbb F}_2^k}(-1)^{{l\cdot F}(x,y)+ a\cdot x + b\cdot y}\\= & {} \sum _{(x,y)\in \{\mathbf{0}\}\times {\mathbb F}_2^k}(-1)^{{l\cdot F}(x,y)+ a\cdot x + b\cdot y} +\sum _{(x,y)\in {\mathbb F}_2^{k*}\times {\mathbb F}_2^{k*}}(-1)^{{l\cdot F}(x,y)+ a\cdot x + b\cdot y}\\&+\sum _{(x,y)\in {\mathbb F}_2^{k*}\times \{\mathbf{0}\}}(-1)^{{l\cdot F}(x,y)+ a\cdot x + b\cdot y}\\= & {} W_{l\cdot U}(b) +\sum _{(x,y)\in {\mathbb F}_2^{k*}\times {\mathbb F}_2^{k*}}(-1)^{{(l\cdot \varPhi )}(x)\cdot y+ a\cdot x + b\cdot y} +\sum _{x\in {\mathbb F}_2^{k*}}(-1)^{{l\cdot V}(x)+ a\cdot x}\\= & {} W_{l\cdot U}(b)+\sum _{x\in {\mathbb F}_2^{k*}}(-1)^{a\cdot x}\sum _{y\in {\mathbb F}_2^{k*}}(-1)^{({(l\cdot \varPhi )}(x)+ b)\cdot y}+W_{l\cdot V}(a)-1\\= & {} \left\{ \begin{array}{lll} 0, &{}\mathrm {if~}(a,b)=(\mathbf{0},\mathbf{0})\\ W_{l\cdot U}(b)+W_{l\cdot V}(\mathbf{0}), &{}\mathrm {if~}(a,b)\in \{\mathbf{0}\}\times {\mathbb F}_2^{k*}\\ W_{l\cdot U}(\mathbf{0})+W_{l\cdot V}(a), &{}\mathrm {if~}(a,b)\in {\mathbb F}_2^{k*}\times \{\mathbf{0}\}\\ 2^k(-1)^{{(l\cdot \varPhi )}^{-1}(b)\cdot a}+W_{l\cdot U}(b)+W_{l\cdot V}(a), &{}\mathrm {if~}(a,b)\in {\mathbb F}_2^{k*}\times {\mathbb F}_2^{k*} \end{array} \right. . \end{aligned}$$

Theorem 6

Let the notation be the same as in Theorem 5. Let \(n=2k\ge 4\) and F be an (n, m)-function generated by Construction 1. For any \(l=(l_1,l_2,\cdots ,l_m)\in {\mathbb F}_2^{m*}\), we have

$$\begin{aligned} \mathrm C_{l{\cdot } F}(a,b)= & {} \left\{ \begin{array}{lll} 2^n, &{}\mathrm {if~}(a,b)=(\mathbf{0},\mathbf{0})\\ \mathrm C_{l{\cdot } U}(b)+2W_{(l{\cdot } V)'}(b)-2^k, &{}\mathrm {if~}(a,b)\in \{\mathbf{0}\}\times {\mathbb F}_2^{k*}\\ \mathrm C_{l{\cdot } V}(a)+2W_{l{\cdot } U}({(l\cdot \varPhi )}(a))-2^k, &{}\mathrm {if~}(a,b)\in {\mathbb F}_2^{k*}\times \{\mathbf{0}\}\\ 2(-1)^{(l{\cdot } \varPhi )(a)\cdot b}W_{l{\cdot } U}\big ({(l\cdot \varPhi )}(a)\big )+W_{(l{\cdot } V)''}(b)+8t, &{}\mathrm {if~}(a,b)\in {\mathbb F}_2^{k*}\times {\mathbb F}_2^{k*} \end{array} \right. , \end{aligned}$$

where \((l{\cdot } V)'(x)=(l{\cdot } V)\big ({(l\cdot \varPhi )}^{-1}(x)\big )\), \((l{\cdot } V)''(x)=(l{\cdot } V)\big ({(l\cdot \varPhi )}^{-1}(x)+a\big )\), and t equals 1 if \(l{\cdot } V(a)=l{\cdot } U(b)=1\) and equals 0 otherwise.

Proof

For any \(l\in \mathbb F_2^{m*}\), the autocorrelation of \(l\cdot F\) at \((a,b)\in \mathbb F_2^k\times \mathbb F_2^k\) is

$$\begin{aligned} \mathrm C_{l\cdot F}(a,b)= & {} \sum _{(x,y)\in {\mathbb F}_2^k\times {\mathbb F}_2^k}(-1)^{{l\cdot F}(x,y)+ {l\cdot F}(x+a,y+b)}. \end{aligned}$$

Clearly, we have \(\mathrm C_{l\cdot F}(\mathbf{0},\mathbf{0})=2^n\). We consider the following three cases.

[Case 1.] Let \(a=\mathbf{0}\) and \(b\in {\mathbb F}_2^{k*}\). Then \(\mathrm C_{l\cdot F}(\mathbf{0},b)\) is equal to

$$\begin{aligned}&\sum _{(x,y)\in \{\mathbf{0}\}\times {\mathbb F}_2^k}(-1)^{{l\cdot F}(\mathbf{0},y)+ {l\cdot F}(\mathbf{0},y+b)}+\sum _{(x,y)\in {\mathbb F}_2^{k*}\times {\mathbb F}_2^k}(-1)^{{l\cdot F}(x,y)+ {l\cdot F}(x,y+b)}\\&\;\;\;\;=\,\sum _{y\in {\mathbb F}_2^k}(-1)^{{l\cdot U}(y)+ {l\cdot U}(y+b)}+\sum _{(x,y)\in {\mathbb F}_2^{k*}\times {\mathbb F}_2^k\setminus \{\mathbf{0},b\}}(-1)^{{(l\cdot \varPhi )}(x)\cdot y + {(l\cdot \varPhi )}(x)\cdot (y+b)}\\&\;\;\;\; \;\; +\,\sum _{(x,y)\in {\mathbb F}_2^{k*}\times \{\mathbf{0}\}}(-1)^{{l\cdot F}(x,\mathbf{0})+ {l\cdot F}(x,b)}+\sum _{(x,y)\in {\mathbb F}_2^{k*}\times \{b\}}(-1)^{{l\cdot F}(x,b)+ {l\cdot F}(x,\mathbf{0})}\\&\;\;\;\;=\,\mathrm C_{l\cdot U}(b)+\sum _{(x,y)\in {\mathbb F}_2^{k*}\times {\mathbb F}_2^k\setminus \{\mathbf{0},b\}}(-1)^{{(l\cdot \varPhi )}(x)\cdot b}+2\sum _{x\in {\mathbb F}_2^{k*}}(-1)^{{l\cdot V}(x)+ {(l\cdot \varPhi )}(x)\cdot b}\\&\;\;\;\; =\,\mathrm C_{l\cdot U}(b)+\big (2^k-2\big )\sum _{x\in {\mathbb F}_2^{k*}}(-1)^{{(l\cdot \varPhi )}(x)\cdot b}+2\sum _{x\in {\mathbb F}_2^{k*}}(-1)^{{l\cdot V}\big ({(l\cdot \varPhi )}^{-1}(x)\big )+ b\cdot x}\\&\;\;\;\;=\,\mathrm C_{l\cdot U}(b)+2W_{{(l\cdot V)}'}(b)-2^k, \end{aligned}$$

where \({(l\cdot V)}'(x)={l\cdot V}\big ({(l\cdot \varPhi )}^{-1}(x)\big )\) for all \(x\in {\mathbb F}_2^k\).

[Case 2.] Let \(a\in {\mathbb F}_2^{k*}\) and \(b=\mathbf{0}\). Then \(\mathrm C_{l\cdot F}(a,\mathbf{0})\) is equal to [4]

$$\begin{aligned}&\sum _{(x,y)\in \{\mathbf{0},a\}\times {\mathbb F}_2^k}(-1)^{{l\cdot F}(x,y)+{l\cdot F}(x+a,y)}+\sum _{(x,y)\in {\mathbb F}_2^k\setminus \{\mathbf{0},a\}\times {\mathbb F}_2^k}(-1)^{{l\cdot F}(x,y)+ {l\cdot F}(x+a,y)}\\&\;\; =\Bigg [\sum _{(x,y)\in \{\mathbf{0},a\}\times {\mathbb F}_2^{k*}}(-1)^{{l\cdot F}(x,y)+ {l\cdot F}(x+a,y)}+\sum _{x\in \{\mathbf{0},a\}}(-1)^{{l\cdot F}(x,\mathbf{0})+ {l\cdot F}(x+a,\mathbf{0})}\Bigg ]+\\&\;\; \;\; \;\;\Bigg [\sum _{(x,y)\in {\mathbb F}_2^k\setminus \{\mathbf{0},a\}\times {\mathbb F}_2^{k*}}(-1)^{{l\cdot F}(x,y)+{l\cdot F}(x+a,y)}+\sum _{x\in {\mathbb F}_2^k\setminus \{\mathbf{0},a\}}(-1)^{{l\cdot F}(x,\mathbf{0})+ {l\cdot F}(x+a,\mathbf{0})}\Bigg ]\\&\;\; =\Bigg [2\sum _{y\in {\mathbb F}_2^k}(-1)^{{l\cdot U}(y)+{(l\cdot \varPhi )}(a)\cdot y}-2+\sum _{x\in \{\mathbf{0},a\}}(-1)^{{l\cdot V}(x)+ {l\cdot V}(x+a)}\Bigg ]+\\&\;\; \;\;\;\; \Bigg [\sum _{(x,y)\in {\mathbb F}_2^k\setminus \{\mathbf{0},a\}\times {\mathbb F}_2^k}(-1)^{\big ({(l\cdot \varPhi )}(x)+ {(l\cdot \varPhi )}(x+ a)\big )\cdot y}-(2^k-2)\\&\;\;\;\;\;\;+\sum _{x\in {\mathbb F}_2^k\setminus \{\mathbf{0},a\}}(-1)^{{l\cdot V}(x)+{l\cdot V}(x+a)} \Bigg ]\\&\;\; =\mathrm C_{l\cdot V}(a)+2W_{l\cdot U}({(l\cdot \varPhi )}(a))-2^k. \end{aligned}$$

[Case 3.] Let \(a,b\in {\mathbb F}_2^{k*}\). Then \(\mathrm C_{l\cdot F}(a,b)\) is equal to [4]

$$\begin{aligned}&\sum _{(x,y)\in \{\mathbf{0},a\}\times {\mathbb F}_2^k}(-1)^{{l\cdot F}(x,y)+{l\cdot F}(x+a,y+b)}+\sum _{(x,y)\in {\mathbb F}_2^k\setminus \{\mathbf{0},a\}\times {\mathbb F}_2^k}(-1)^{{l\cdot F}(x,y)+{l\cdot F}(x+a,y+b)}\\&\;\; =\,\Bigg [2\sum _{y\in {\mathbb F}_2^k\setminus \{\mathbf{0},b\}}(-1)^{{l\cdot F}(\mathbf{0},y)+{l\cdot F}(a,y+b)}+2(-1)^{{l\cdot F}(\mathbf{0},\mathbf{0})+{l\cdot F}(a,b)}\\&\;\;\;\; \;\; +\,2(-1)^{{l\cdot F}(\mathbf{0},b)+{l\cdot F}(a,\mathbf{0})}\Bigg ]+\Bigg [\sum _{(x,y)\in {\mathbb F}_2^k\setminus \{\mathbf{0},a\}\times {\mathbb F}_2^k\setminus \{\mathbf{0},b\}}(-1)^{{l\cdot F}(x,y)+{l\cdot F}(x+a,y+b)}\\&\;\;\;\;\;\; +\,2\sum _{x\in {\mathbb F}_2^k\setminus \{\mathbf{0},a\}}(-1)^{{l\cdot F}(x,b)+{l\cdot F}(x+a,\mathbf{0})}\Bigg ]\\&\;\; =\,\bigg [2\sum _{y\in {\mathbb F}_2^k}(-1)^{{l\cdot U}(y)+{(l\cdot \varPhi )}(a)\cdot (y+b)}-2(-1)^{{l\cdot U}(b)}+2(-1)^{{l\cdot U}(b)+{l\cdot V}(a)}\bigg ]\\&\;\;\;\; +\,\bigg [\sum _{(x,y)\in {\mathbb F}_2^k\setminus \{\mathbf{0},a\}\times {\mathbb F}_2^k}(-1)^{{(l\cdot \varPhi )}(x)\cdot y+ {l\cdot \varPhi }(x+a)\cdot (y+b)} -2\sum _{x\in {\mathbb F}_2^k\setminus \{\mathbf{0},a\}}(-1)^{{(l\cdot \varPhi )}(x)\cdot b}\\&\;\; \;\; +\,2\sum _{x\in {\mathbb F}_2^k\setminus \{\mathbf{0},a\}}(-1)^{{l\cdot V}(x)+ {(l\cdot \varPhi )}(x+a)\cdot b}\bigg ]\\&\;\; =\,2(-1)^{{(l\cdot \varPhi )}(a)\cdot b}W_{l\cdot U}\big ({(l\cdot \varPhi )}(a)\big )-2(-1)^{{l\cdot U}(b)}+2(-1)^{{l\cdot U}(b)+{l\cdot V}(a)}+2\\&\;\;\;\;+W_{{(l\cdot V)}''}(b)-2(-1)^{{l\cdot V}(a)}\\&\;\; =2(-1)^{{(l\cdot \varPhi )}(a)\cdot b}W_{l\cdot U}\big ({(l\cdot \varPhi )}(a)\big )+W_{{(l\cdot V)}''}(b)+8t, \end{aligned}$$

where \({(l\cdot V)}''(x)={l\cdot V}\big ({(l\cdot \varPhi )}^{-1}(x)+a\big )\), and t equals 1 if \({l\cdot V}(a)={l\cdot U}(b)=1\) and equals 0 otherwise.

6 Balanced \((4t,t-1)\)-Functions with Very Low Differential-Linear Uniformity

A partial spread of \({\mathbb F}_2^k\) (\(k=2t\)) is a set of pairwise supplementary of t-dimensional subspaces of \({\mathbb F}_2^k\). For any \(1\le s\le 2^t+1\), a partial spread \(\mathcal E_s\) with \(|\mathcal E_s|=s\) of \({\mathbb F}_2^k\) can be written as \(\mathcal E_s=\{E_1,E_2,\ldots ,E_s\}\) where \(E_i\)’s are t-dimensional subspaces of \({\mathbb F}_2^k\) and \(E_i\cap E_j=\{\mathbf{0}\}\) for any \(1\le i \ne j \le s\). Spreads arise naturally in finite geometry: given a spread of \({\mathbb F}_{2^k}\), the vectors in \({\mathbb F}_{2^k}\) together with the translates of the elements of the spread form the points and lines of an affine plane, called a translation plane. Let us consider the additive group \(({\mathbb F}_{2^k},\ +)\) of the finite field \({\mathbb F}_{2^k}\) with \(k=2t\). A classical example of spread of \({\mathbb F}_{2^k}\) is the Desarguesian spread, defined as follows:

• in \({\mathbb F}_{2^k}\) (in univariate form): \(\{u{\mathbb F}_{2^t},\ u\in U\}\) where \(U=\{u\in {\mathbb F}_{2^k} : u^{2^t+1}=1\}\) is the cyclic group of \({\mathbb F}_{2^k}\) with order \(2^t+1\);

• in \({\mathbb F}_{2^k} \approx {\mathbb F}_{2^t}\times {\mathbb F}_{2^t}\) (in bivariate form, thanks to the choice of a basis of the two-dimensional vector space \({\mathbb F}_{2^k}\) over \({\mathbb F}_{2^t}\))\( : \{E_a : a\in {\mathbb F}_{2^t}\}\cup \{E_\infty \}\) where \(E_a= \{(x, ax) : x\in {\mathbb F}_{2^t}\}\) and \(E_\infty =\{(0, y) : y\in {\mathbb F}_{2^t}\}=\{0\}\times {\mathbb F}_{2^t}.\)

Definition 3

Let \(\mathcal E=\{E_1,E_2,\ldots ,E_{2^t+1}\}\) be a partial spread of \({\mathbb F}_2^k\) (\(k=2t\)). Let linear code \(\mathcal {C}\) be a binary one-weight code of length \(2^t-1\), dimension \(t-1\), and minimum weight \(2^{t-2}\), and

$$G=\begin{bmatrix} g_1\\ g_2\\ \vdots \\ g_{t-1} \end{bmatrix}$$

is a generator of \(\mathcal {C}\). For every \(1\le i\le 2^{t-2}\), we define a Boolean functions \(v_i\) over \({\mathbb F}_2^k\) whose support is \(\bigcup _{i\in \mathrm{supp}(g_i)}E_i\setminus \{\mathbf{0}\}\).

Theorem 7

For any \((l_1,l_2,\cdots ,l_{t-1})\in {\mathbb F}_2^{{t-1}*}\), the Boolean function \(v'=l_1v_1+ l_2v_2+ \cdots + l_{t-1}v_{t-1}\), where \(v_i\)’s are defined in Definition 3, has Hamming weight \(2^{k-2}-2^{t-2}\),

$$\begin{aligned} |W_{v'}(a)|\le & {} \left\{ \begin{array}{llllll} 2^{k-1}+2^{\frac{k}{2}-1},&{}\mathrm {if~}a=\mathbf{0}\\ 3\cdot 2^{\frac{k}{2}-1},&{}\mathrm {if~}a\in {\mathbb F}_2^{k*} \end{array} \right. \end{aligned}$$

and

$$\begin{aligned} \mathrm C_{v'}(\omega )\ge & {} \left\{ \begin{array}{llllll} 2^k,&{}\mathrm {if~}\omega =\mathbf{0}\\ 2^{k-2},&{}\mathrm {if~}\omega \in {\mathbb F}_2^{k*} \end{array} \right. . \end{aligned}$$

Proof

It can be easily seen that the support of \(v'\) is a subset of \(\{E_1,E_2,\ldots ,E_{2^t-1}\}\) with cardinality \(2^{t-2}\), since \(\mathcal {C}\) is a binary one-weight code of length \(2^t-1\), dimension \(t-1\), and minimum weight \(2^{t-2}\). Then our assertion directly follows from [28, Theorem 9] with \(s=2^{t-2}\).

Definition 4

Let the notation be the same as in Definition 3. We define \(t-1\) nonzero linear functions \(h_1,h_2,\cdots ,h_{t-1}\) over \(E_{2^t+1}\) such that for any \((l_1,l_2,\cdots ,\) \(l_{t-1})\in {\mathbb F}_2^{{t-1}*}\) the Boolean function \(l_1h_1+ l_2h_2+ \cdots + l_{t-1}h_{t-1}\) has Hamming weight \(2^{t-1}\). For every \(1\le i\le t-1\), we define a Boolean functions \(u_i\) over \({\mathbb F}_2^k\) whose support is \(\mathrm{supp}(v_i)\cup \mathrm{supp}(h_i)\).

Clearly, for any \((l_1,l_2,\cdots ,l_{t-1})\in {\mathbb F}_2^{{t-1}*}\) the Boolean function \(l_1u_1+ l_2u_2+ \cdots + l_{t-1}u_{t-1}\) has Hamming weight \(2^{k-2}+2^{t-2}\).

Theorem 8

For any \((l_1,l_2,\cdots ,l_{t-1})\in {\mathbb F}_2^{{t-1}*}\), the Boolean function \(u'=l_1u_1+ l_2u_2+ \cdots + l_{t-1}u_{t-1}\), where \(u_i\)’s are defined in Definition 4, has the following properties:

$$\begin{aligned} |W_{u'}(a)|\le & {} \left\{ \begin{array}{llllll} 2^{k-1}+3\cdot 2^{\frac{k}{2}-1},&{}\mathrm {if~}a=\mathbf{0}\\ 5\cdot 2^{\frac{k}{2}-1},&{}\mathrm {if~}a\in {\mathbb F}_2^{k*} \end{array} \right. \end{aligned}$$

and

$$\begin{aligned} \mathrm C_{u'}(\omega )\ge & {} \left\{ \begin{array}{llllll} 2^k,&{}\mathrm {if~}\omega =\mathbf{0}\\ 2^{k-2}-2^{\frac{k}{2}+2},&{}\mathrm {if~}\omega \in {\mathbb F}_2^{k*} \end{array} \right. , \end{aligned}$$

Proof

According to the definition of the Walsh–Hadamard transform, we can easily get that \(W_{v'}(a)-2\cdot 2^{t-1} \le W_{u'}(a)\le W_{v'}(a)+2\cdot 2^{t-1}\) for any \(a\in {\mathbb F}_2^k\). Then by Theorem 7 we have \(|W_{u'}(a)|\le 2^{k-1}+3\cdot 2^{\frac{k}{2}-1}\) if \(a=\mathbf{0}\) and \(|W_{u'}(a)|\le 5\cdot 2^{\frac{k}{2}-1}\) otherwise. By the definition of the autocorrelation function, we can obtain that \(\mathrm{C}_{v'}(a)-8\cdot 2^{t-1}\le \mathrm{C}_{u'}(a)\le \mathrm{C}_{v'}(a)+8\cdot 2^{t-1}\) for any \(\omega \in {\mathbb F}_2^{k*}\). So we have \(C_{u'}(\omega )\ge 2^{k-2}-2^{\frac{k}{2}+2}\) for any \(\omega \in {\mathbb F}_2^{k*}\) by Theorem 7. This completes the proof.

Combining Theorems 5, 6, 7 and 8, we have the following theorem.

Theorem 9

Let \(n=2k=4t\ge 20\), \(m=t-1\) in Construction 1, \(v_i\)’s and \(u_i\)’s are the k-variable Boolean functions defined in Definitions 3 and 4 respectively. For any \((l_1,l_2,\cdots ,l_{t-1})\in {\mathbb F}_2^{{t-1}*}\), \(l_1\phi _1+ l_2\phi _2+ \cdots + l_{t-1}\phi _{t-1}\) is a linear permutation over \({\mathbb F}_2^k\). Then every \((n,t-1)\)-function F generated by Construction 1 is balanced and for \(f'=l_1f_1+ l_2f_2+ \cdots + l_{t-1}f_{t-1}\) we have

1. (1)

   \(nl(f')\ge 2^{n-1}-2^{\frac{n}{2}-1}-2^{\frac{n}{4}+1}\), and

2. (2)

   \(\varDelta _{f'}\le 3\cdot 2^{\frac{n}{2}-2}+7\cdot 2^{\frac{n}{4}}<2^{\frac{n}{2}}\).

Moreover, we have

1. (3)

   \(nl(F)\ge 2^{n-1}-2^{\frac{n}{2}-1}-2^{\frac{n}{4}+1}\), and

2. (4)

   \(\mathrm {DL}(F)\le 3\cdot 2^{\frac{n}{2}-3}+7\cdot 2^{\frac{n}{4}-1}<2^{\frac{n}{2}-1}\).

Pasalic et al. [23, Corollary 5] proved that it is possible to construct a special class of (n, m)-functions with nonlinearity \(2^{n-1}-2^{\frac{n}{2}}\), where \(n\ge 4m\) and n is even. Further, they identify an (36, 8)-function having nonlinearity \(2^{35}-2^{18}\) using a particular linear code. The nonlinearity of (36, 8)-functions identified in Theorem 9 is lower bounded by \(2^{35}-2^{17}-1024\).

6.1 Implementation

The hardware complexity for the direct implementation of an (n, m)-function S is \(O(m2^n)\) as the hardware complexity for the direct implementation of each coordinate function of S is \(O(2^n)\). In the Construction 1, all coordinate functions are constructed by modifying the M-M bent functions. We know that these bent functions (let \(n=2k\)) can be written as a concatenation of \(2^{k}\) distinct affine functions in k variables. So, the hardware complexity for the implementation of these coordinate functions is \(O(k 2^{k})\), which is much smaller than the direct implementation.

Suppose S be any \((4t,t-1)\)-function defined as in Construction 1, where \(v_i\)’s and \(u_i\)’s are the 2t-variable Boolean functions defined as in Definitions 3 and 4, respectively. Let for any fixed \(x\in \mathbb F_2^{2t}\), \(S(x,y)=S_x(y)\), for all \(y\in \mathbb F_2^{2t}\), and \(S_x\) is called a block corresponding to x. Thus, \(S_\mathbf{0}(y)=(u_1(y),\ldots ,u_{t-1}(y))\), and if \(x\ne \mathbf{0}\), \(S_x(\mathbf{0})=(v_1(x),\ldots ,v_{t-1}(x))\), otherwise \(S_x(y)=(\phi _1(x)\cdot y,\ldots ,\phi _{t-1}(x)\cdot y)\). We need \(t-1\) decoders for the permutations \(\phi _i,~1\le i\le t-1\), and for hardware implementation of \(t-1\) decoders we need \((t-1)2^{2t}\) gates. It is clear that if \(x\ne \mathbf{0}\) and \(v_i(x)=0\) then the ith coordinate of \(S_x\) is a linear function in 2t variables, and so, the implementation of the ith coordinate of \(S_x\) we need \(2t-1\) gates in worst case. If \(x\ne \mathbf{0}\) and \(v_i(x)=1\), we need to add an extra nonlinear monomial \((y_1+ 1)\cdots (y_{2t}+ 1)\), which does not disturb the other output values in the same coordinate of \(S_x\) block, so, \(4t-1\) extra gates is required, and so, total number of gates required to implement the ith coordinate of \(S_x\) block is \(6t-2\) in worst case. The Hamming weight of \(u_i\) and \(v_i,~1\le i\le t-1\), are \(2^{2t-2}+2^{t-2}\) and \(2^{2t-2}-2^{t-2}\), respectively. Thus, they are not balanced, so, they are nonlinear functions. To implement the \(S_\mathbf{0}\) block, we need \((t-1)2^{2t}\) gates in worst case, and for other \(2^{2t}-1\) block, we need

$$\begin{aligned} \begin{aligned}&(t-1)\{(6t-2)(2^{2t-2}-2^{t-2})+(2t-1)(2^{2t}-1-2^{2t-2}+2^{t-2})\}\\&\;\; \;\; =(t-1)\{(2t-1)(2^{2t}-1)+(4t-1)(2^{2t-2}-2^{t-2})\} \end{aligned} \end{aligned}$$

gates in worst case. Thus, the implementation the function S defined as in Construction 1 requires \((t-1)\{(3t+1)2^{2t}-(2^{2t-2}+(4t-1)2^{t-2}+2t-1)\}\) gates in worst case.

Table 1. (4, 2)-function \(S'\).

Table 2. Modified (4, 2)-functions S defined as in Construction 1.

For example let, \(n=4\) and \(S'\) be an (4, 2)-function defined in Table 1. The coordinate functions of \(S'\) are simple Maiorana-McFarland bent functions in 4 variables, where the permutations are \(\phi _1(x_1,x_2)=(x_1,x_2)\) and \(\phi _2(x_1,x_2)=(x_2,x_1+x_2)\), \(x_i\in \mathbb F_2,~i=1,2\). Now we modify the function \(S'\) by suitable choices of \(u_i\)’s and \(v_i\)’s, \(1\le i\le 2\) and construct a balanced (4, 2)-function S. Suppose \(supp(u_1)=\{(1,1)\}\), \(supp(v_1)=\{(1,1)\}\), \(supp(u_2)=\{(1,1)\}\) and \(supp(v_2)=\{(0,1)\}\). Then modified function S is given as in Table 2 and for the hardware implementation of S we need \(3+3=6\) gates, without taking the decoders into account. In the Table 2, \(s_j'\) and \(s_j\) are the jth coordinate functions of \(S'\) and its modified (4, 2)-function S, \(j=1,2\), respectively. To implement the coordinate functions \(s_1\), we need 1 XOR and 2 AND gates, and for \(s_2\), 1 XOR and 2 AND gates, which are much smaller than the original calculation. For the other choices of \(u_i\)’s and \(v_i\)’s, we may need more gates to implement the function.

7 Conclusion

In the paper we first derive some properties of DLCT of an (n, m)-function and the differential-linear uniformity of known balanced vectorial Boolean functions. Further, we construct the balanced \((4t,t-1)\)-function using Construction 1 which have very low differential-linear uniformity. Towards implementation, we count the number of gates that are required to implement such circuits. Our functions can be implemented for large Sboxes with significantly improved cryptographic properties. Obtaining constructions for (n, m)-functions with different choices of n, m, having efficient hardware implementation and good cryptographic properties are of significant interest in this direction.