Nonlinear Boolean Functions in Cryptography

Updated 24 November 2025

Nonlinear Boolean functions are non-affine maps from F2^n characterized by high spectral nonlinearity and balanced outputs, crucial for resisting linear attacks.
The classification leverages affine cosets and rotation symmetric structures to reduce the search space and guide efficient function construction.
Algorithmic methods such as the Walsh–Hadamard transform and evolutionary algorithms optimize the search for highly nonlinear functions for cryptographic applications.

A nonlinear Boolean function is a map from the binary vector space $\mathbb{F}_2^n$ to $\mathbb{F}_2$ that is not affine; such functions play a fundamental role in cryptography, coding theory, and computational complexity. The degree and spectral nonlinearity of a Boolean function are critical for resistance to linear and correlation attacks in symmetric-key systems, while efficient construction and classification remain central research topics, especially for functions with large variable counts.

1. Formal Definitions and Spectral Nonlinearity

Let $f:\mathbb{F}_2^n\to \mathbb{F}_2$ be a Boolean function. The function is affine if it can be written as $f(x)=a_0+\sum_{i=1}^n a_i x_i$ for constants $a_i\in\mathbb{F}_2$ . Nonlinearity quantifies the minimum Hamming distance from $f$ to any affine function: $NL(f) = \min_{\alpha\text{ affine}} \sum_{x\in\mathbb{F}_2^n} [f(x) \ne \alpha(x)].$ Spectrally, nonlinearity is measured by the Walsh–Hadamard transform: $W_f(\omega) = \sum_{x\in\mathbb{F}_2^n}(-1)^{f(x)\oplus(\omega\cdot x)},$ with $\oplus$ denoting addition mod 2 and $\omega\cdot x$ the inner product. Then

$NL(f) = 2^{n-1} - \frac{1}{2}\max_{\omega\in\mathbb{F}_2^n}|W_f(\omega)|.$

The function is balanced if it takes on each of $0$ and $1$ for exactly half of its input vectors, i.e., $\sum_x f(x) = 2^{n-1}$ (Gašperov et al., 2023).

Bent functions, characterized by $|W_f(\omega)|=2^{n/2}$ for all $\omega$ (and hence having $NL(f) = 2^{n-1} - 2^{n/2-1}$ ), exist only for even $n$ and are unbalanced. For odd $n$ , the optimum nonlinearity is strictly less, bounded above by $2^{n-1}-2^{(n-1)/2}$ and realized only by specialized constructions (Carlet et al., 15 Feb 2024, Carlet et al., 24 Apr 2025).

2. Classification, Structure, and Symmetry

Nonlinear Boolean functions are systematically classified in relation to affine functions via algebraic and combinatorial techniques.

There are exactly $2^{2^n}$ $n$ -variable Boolean functions and $2^{n+1}$ affine functions. Classification schemes partition the set into $2^{n+1}$ disjoint classes, each containing one affine function and $2^{2^n-(n+1)}-1$ nonlinear members (Rout et al., 2013).
Algebraically, these classes have $(n+1)$ invariant output positions and a $(2^n-(n+1))$ -dimensional vector space acting by bitwise XOR, yielding subgroup/coset structure.
Rotation symmetric (RS) nonlinear functions, satisfying $f(x_0,\dots,x_{n-1})=f(x_{n-1},x_0,\dots,x_{n-2})$ , significantly reduce the search space and underpin many high-nonlinearity candidates (Yang et al., 2012, Carlet et al., 15 Feb 2024, Carlet et al., 24 Apr 2025).

Quartic RS functions generated by $x_0x_e x_{2e}x_{3e}$ attain nonlinearity exactly equal to their weight, as shown by recurrence and Walsh-spectrum analysis. This equality is conjectured to extend to higher-degree ( $\ell\geq4$ ) RS monomials, with computational methods confirming the property for several cases (Yang et al., 2012).

3. Construction and Search for High Nonlinearity

The search for balanced, highly nonlinear Boolean functions—critical for cryptographic primitives such as S-boxes and stream ciphers—combines algebraic constructions, combinatorial optimization, and metaheuristics:

Local Search via Walsh Spectrum: The most computationally efficient contemporary approach involves treating the full Walsh spectrum as a "phenotype," and selecting among neighbors using a lexicographic histogram of spectral magnitudes. In practice, using spectrum-based selection halves the computation time for finding record nonlinearities compared to scalar fitnesses, outperforming previous landscape-guided searches for $n$ up to $9$ (Gašperov et al., 2023). Local search neighborhoods are typically defined by balancedness-preserving bit swaps, and spectrum updates are performed in linear time.
Evolutionary and Memetic Algorithms: Genetic programming and evolutionary algorithms using truth-table, symbolic-tree, or RS encodings can find highly nonlinear functions up to known theoretical bounds for $n$ up to $9$ (e.g., NL = 241 for $n=9$ in the RS class via memetic local search) (Carlet et al., 15 Feb 2024, Carlet et al., 24 Apr 2025). For larger $n$ , symmetry-constrained search (e.g., RS restriction) and hybridization with local search offer the only practical approaches, as the unconstrained problem becomes infeasible due to the double-exponential growth in search space.

Method	Max $n$ reliably optimized	Peak nonlinearity at $n=9$	Symmetry-utilized
GP on truth-table	7	240	No
RS bitstring + LS	9	241	Yes
FP encoding + LS	9	241	Yes (RS variant)

Empirically, general EAs (GP, truth-table) are outperformed by RS-aware, local-search-enhanced approaches for $n\geq 9$ (Carlet et al., 24 Apr 2025).

4. Algorithmic and Polynomial Approaches to Nonlinearity Computation

Nonlinearity is classically computed via the Fast Walsh–Hadamard Transform (FWT) in $O(n2^n)$ integer operations and $O(2^n)$ memory. Recent research provides alternative, more algebraic views:

Multivariate Polynomial Methods: Simonetti's approach expresses the existence of an affine function at small Hamming distance as a solution to a multivariate system over $\mathbb{F}_2$ . Direct Gröbner basis algorithms are intractable for moderate $n$ , but incremental kernel representations and reductions to a single "nonlinearity polynomial" over $\mathbb{Q}$ or $\mathbb{F}_p$ achieve $O(n2^n)$ complexity matching the FWT (Bellini et al., 2016, Bellini, 2014). These methods facilitate symbolic analysis, work directly with algebraic normal forms, and support flexible degree constraints.
ANF-Based Sparse Methods: For sparse ANFs, the computation is further reduced to a binary integer programming problem over a small number of combined weights, efficiently solving large- $n$ instances when the number of monomials is moderate ( $p\lesssim40$ ) (Çalık, 2013).

These algorithmic advances enable nonlinearity computation for high-dimensional sparse functions, augmenting classical spectral and algebraic tools.

5. Multidimensional and Generalized Nonlinearity Metrics

While the classical nonlinearity measures distance to affine functions, modern cryptanalytic attacks (linear, multidimensional correlation, fast-algebraic) motivate a richer family of parameters:

$r$ -th Order Nonlinearity: The minimal distance to the set of degree- $r$ Boolean functions, with asymptotic behavior of random functions converging almost surely to $2^{n-1} - \sqrt{2^n \cdot \sum_{i=0}^r \binom{n}{i} \log 2}/2$ (Schmidt, 2013).
Multidimensional Nonlinearity Pairs: Parameters $(N_f(r), H_f(r))$ capture the number of unattainable values and the entropy over projections under arbitrary rank- $r$ linear maps (generalizing classical nonlinearity at $r=1$ ). For even $n$ and $r=1$ , bent functions are optimal in this sense; their vectorial generalization aligns with perfect-nonlinear S-boxes (Semaev, 2019). The full landscape for $r\geq2$ remains a subject of open research.

These generalized measures allow finer characterization of Boolean function resistance to advanced cryptanalytic methodologies and inform optimal function design for complex vectorial output cases.

6. Applications and Theoretical Significance

Nonlinear Boolean functions underpin the security of modern symmetric cryptology by ensuring S-boxes and combining functions are resistant to linear, differential, and fast-correlation attacks. High nonlinearity, often balanced with other properties such as algebraic immunity, is essential:

Record nonlinear balanced functions are used in S-boxes and stream ciphers.
Explicit constructions for efficiently implementable functions with provable nonlinearity and algebraic immunity leverage interval-based HWB kernels and structured permutations (modified Maiorana–McFarland and other combinatorial classes) (Carlet et al., 21 Aug 2024).
The systematic classification into affine-anchored cosets and symmetry subclasses provides a framework for exhaustive or probabilistic search, analysis of resilience, and structure-guided synthesis, influencing both theoretical paper and practical design.

The field continues to advance, both in algorithmic sophistication and in understanding the deep connections between algebraic, spectral, and combinatorial structure and cryptographic strength. Future research directions encompass new generalizations of nonlinearity, advanced metaheuristics with spectrum-driven objectives, and exploration of larger function classes via scalable algebraic and combinatorial schemes.