# Background and Definition

Vectorial Boolean Functions play an essential role in the design of cryptographic algorithms, and as such should be resistant to various types of cryptanalytic attacks. The notion of nonlinearity is introduced by Nyberg [1] in order to measure the resistance of vectorial Boolean functions to Matsui's linear attack [2]. This attack attempts to approximate the function used in an encryption algorithm by a linear function (which, in turn, is easy to analyze), and is, therefore, applicable when the actual functions used in the encryption algorithm is "close" to linear in some sense. A natural measure of distance between two functions, 𝐹 and 𝐺, is the Hamming distance, i.e. the metric

${\displaystyle d_{H}(F,G)=|\{x:F(x)\neq G(x)\}|.}$

Formally, the nonlinearity 𝑛𝑙(𝐹) of an (𝑛,𝑚)-function 𝐹 is the minimum distance between any component function of 𝐹 and any affine Boolean function. In other words,

${\displaystyle nl(F)=\min\{d_{H}(u\cdot F,f_{a}):0\neq u\in \mathbb {F} _{2}^{m},f_{a}:\mathbb {F} _{2}^{n}\rightarrow \mathbb {F} {\text{ affine }}\}.}$

# Properties

Nonlinearity remains invariant under CCZ-equivalence (and, therefore, under extended affine and affine equivalence as well). If 𝐹 is (𝑛,𝑛)-permutation, then 𝐹 and 𝐹-1 have the same nonlinearity.

The nonlinearity of an (𝑛,𝑚)-function 𝐹 can be expressed in terms of its Walsh transform via the identity

${\displaystyle nl(F)=2^{n-1}-{\frac {1}{2}}\max\{|W_{F}(u,v)|:u\in \mathbb {F} _{2}^{n},0\neq v\in \mathbb {F} _{2}^{m}\}.}$

There is a relation [3] between the maximal possible nonlinearity of vectorial Boolean functions and the possible parameters of certain linear codes. If 𝐶 is a linear [2𝑛,𝐾,𝐷] containing the Reed-Muller code 𝑅𝑀(1,𝑛) as a subcode, let (𝑏1, 𝑏2,…,𝑏𝐾) be a basis of 𝐶 completing a basis (𝑏1, 𝑏2,…,𝑏𝑛+1) of 𝑅𝑀(1,𝑛). Then the 𝑛-variable Boolean functions corresponding to the vectors 𝑏𝑛+2,…, 𝑏𝐾 are the coordinate functions of an (𝑛,𝐾-𝑛-1) functions with nonlinearity 𝐷. Conversely, given an (𝑛,𝑚)-function 𝐹 of nonlinearity 𝐷>0, the linear code obtained as the union of all cosets ${\displaystyle \{v\cdot F+RM(1,n):v\in \mathbb {F} _{2}^{m}\}}$ has parameters [2𝑛,𝑛+𝑚+1,𝐷].

# Bounds on the Nonlinearity of Vectorial Boolean Functions

The covering radius bound for Boolean functions can naturally be extended to vectorial Boolean functions, stating

${\displaystyle nl(F)\leq 2^{n-1}-2^{n/2-1}}$

for any (𝑛,𝑚)-function 𝐹. Bent Functions are defined as those meeting this bound with equality.

The Sidelnikov-Chabaud-Vaudenay (SCV) bound [4] [5] bounds the nonlinearity of any (𝑛,𝑚)-function, with 𝑚≥𝑛-1, by

${\displaystyle nl(F)\leq 2^{n-1}-{\frac {1}{2}}{\sqrt {3\cdot 2^{n}-2-2{\frac {(2^{n}-1)(2^{n-1}-1)}{2^{m}-1}}}}.}$

The SCV bound coincides with the covering radius bound for 𝑚=𝑛-1, and is strictly sharper than the covering radius bound for 𝑚≥𝑛. For 𝑚>𝑛, the square root in the bound cannot be an integer, and thus the SCV bound can be, and is, tight only for 𝑚=𝑛. In this case (for 𝑚=𝑛), the bound becomes

${\displaystyle nl(F)\leq 2^{n-1}-2^{(n-1)/2}.}$

This motivates the definition of Almost Bent Functions as those (𝑛,𝑛)-functions that meet the SCV bound with equality.

1. Nyberg K. On the construction of highly nonlinear permutations. Workshop on the Theory and Application of Cryptographic Techniques 1992 May 24 (pp. 92-98). Springer, Berlin, Heidelberg.
2. Matsui M. Linear cryptanalysis method for DES cipher. Workshop on the Theory and Application of Cryptographic Techniques 1993 May 23 (pp. 386-397). Springer, Berlin, Heidelberg.
3. Carlet C, Charpin P, Zinoviev V. Codes, bent functions and permutations suitable for DES-like cryptosystems. Designs, Codes and Cryptography. 1998 Nov 1;15(2):125-56.
4. Sidel'nikov VM. On mutual correlation of sequences. InDoklady Akademii Nauk 1971 (Vol. 196, No. 3, pp. 531-534). Russian Academy of Sciences.
5. Chabaud F, Vaudenay S. Links between differential and linear cryptanalysis. Workshop on the Theory and Application of Cryptographic Techniques 1994 May 9 (pp. 356-365). Springer, Berlin, Heidelberg.