The c-Differential-Linear Connectivity Table of Vectorial Boolean Functions

Abstract

Vectorial Boolean functions and codes are closely related and interconnected. On the one hand, various requirements of binary linear codes are needed for their theoretical interests but, more importantly, for their practical applications (such as few-weight codes or minimal codes for secret sharing, locally recoverable codes for storage, etc.). On the other hand, various criteria and tables have been introduced to analyse the security of S-boxes that are related to vectorial Boolean functions, such as the Differential Distribution Table (DDT), the Boomerang Connectivity Table (BCT), and the Differential-Linear Connectivity Table (DLCT). In previous years, two new tables have been proposed for which the literature was pretty abundant: the c-DDT to extend the DDT and the c-BCT to extend the BCT. In the same vein, we propose extended concepts to study further the security of vectorial Boolean functions, especially the c-Walsh transform, the c-autocorrelation, and the c-differential-linear uniformity and its accompanying table, the c-Differential-Linear Connectivity Table (c-DLCT). We study the properties of these novel functions at their optimal level concerning these concepts and describe the c-DLCT of the crucial inverse vectorial (Boolean) function case. Finally, we draw new ideas for future research toward linear code designs.

1. Introduction

Vectorial Boolean functions are intensively used to produce S-boxes in block ciphers such as DES [1], Rinjdael or AES [2], Blowfish [3], GOST [4], and Serpent [5]. Various criteria have been proposed to test the resistance of S-boxes and the corresponding vectorial Boolean functions to known cryptanalytical attacks, such as the differential attack [6], the linear attack [7], and some of their variants.

Let $F:{\mathbb{F}}_{2^n}\to {\mathbb{F}}_{2^m}$ be a $(n,m)$-vectorial Boolean function. The derivative of F in the direction of $a\in {\mathbb{F}}_{2^n}$ is the function $D_a\left(F\right)\left(x\right)=F\left(x\right)+F(x+a).$ The derivative is used to analyse the resistance of a vectorial Boolean function to the differential attack [6] and serves to build the Differential Distribution Table (DDT). The derivative is also used in the Boomerang Connectivity Table (BCT) [8] and in the Differential-Linear Connectivity Table (DLCT) [9,10]. The entry at $(a,b)\in {\mathbb{F}}_{2^n}\times {\mathbb{F}}_{2^m}$ of the DDT is defined by

$${\mathrm{D}\mathrm{D}\mathrm{T}}_F(a,b)=\#\left\{x\in {\mathbb{F}}_{2^n}:F\left(x\right)+F(x+a)=b\right\}.$$

To measure the resistance of a vectorial Boolean function, Nyberg [11] introduced the differential uniformity as

$${\delta }_F=max\left\{{\mathrm{D}\mathrm{D}\mathrm{T}}_F(a,b)|(a,b)\in {\mathbb{F}}_{2^n}\times {\mathbb{F}}_{2^m},\mathrm{and}a\ne 0\right\}.$$

The most resistant vectorial Boolean functions have small differential uniformities. The reader can consult the [12] for a complete background on vectorial Boolean functions with a deep analysis of their cryptographic aspects.

At FSE 2002, Borisov et al. [13] proposed a variant of the differential attack to study ciphers’ resistance based on using modular multiplication as a primitive operation. This motivated Ellingsen et al. [14] to introduce the concept of c-differentials to study the resistance of a vectorial Boolean function to multiplicative variants of the differential attack. For a vectorial Boolean function $F:{\mathbb{F}}_{2^n}\to {\mathbb{F}}_{2^m}$ and $c\in {\mathbb{F}}_{2^m}$, the c-derivative F with respect to $a\in {\mathbb{F}}_{2^n}$ is the $(n,m)$-vectorial Boolean function ${}_{c}D_{a}F$ defined by ${}_{c}D_{a}F\left(x\right)=F(x+a)+cF\left(x\right)$ for all $x\in {\mathbb{F}}_{2^n}$. The c-derivative is used to study the resistance of ciphers based on popular vectorial Boolean functions such as the inverse function [15], the Gold function [16], and various other functions [17,18,19,20,21]. As for the DDT, a c-differential table was proposed in [14], where the entry at $(a,b)\in {\mathbb{F}}_{2^n}\times {\mathbb{F}}_{2^m}$ is defined by

$${}_c\mathrm{DDT}_F(a,b)=\#\left\{x\in {\mathbb{F}}_{2^n}|F(x+a)+cF\left(x\right)=b\right\}.$$

Also, a c-differential uniformity was proposed in [14] by

$${}_c\delta _F=max\left\{{}_c\mathrm{DDT}_F(a,b)|(a,b)\in {\mathbb{F}}_{2^n}\times {\mathbb{F}}_{2^m},\mathrm{and}a\ne 0\mathrm{if}c=1\right\}.$$

The construction of functions, particularly permutations, with low c-differential uniformity is an interesting problem, and recent work has focused heavily on this direction. Likewise, regarding the original notion of differential uniformity leading to optimal functions Perfect Nonlinear (PN) and Almost Perfect Nonlinear (APN) over finite fields in odd and even characteristics, respectively, optimal functions having the lowest possible values of a c-differential uniformity have also been introduced. One can refer to [19,22,23,24,25,26,27] and the references therein. Some of those functions with low c-differential uniformity have been investigated. There are relatively few known (non-trivial, nonlinear) optimal classes of PcN and APcN functions over finite fields with an even characteristic (see, e.g., [18,28,29,30,31] and the references therein).

Another popular cryptanalysis attack on S-boxes derived from Boolean functions is the boomerang attack, proposed by Wagner [32] in 1999. In connection with the boomerang attack, Cid et al. [8] proposed the Boomerang Connectivity Table (BCT) for a vectorial Boolean function where the entry at $(a,b)\in {\mathbb{F}}_{2^n}\times {\mathbb{F}}_{2^m}$ is defined by

$${\mathrm{B}\mathrm{C}\mathrm{T}}_F(a,b)=\#\{x\in {\mathbb{F}}_{2^n}:F^{-1}(F\left(x\right)+b)+F^{-1}(F(x+a)+b)=a\}.$$

Based on the BCT, Boura and Canteaut [33] introduced the boomerang uniformity of a vectorial Boolean function to measure its resistance against boomerang attack. The boomerang uniformity of F is defined by

$${\beta }_F=\underset{a\in {\mathbb{F}}_{2^n}^{\ast },b\in {\mathbb{F}}_{2^m}^{\ast }}{max}{\mathrm{B}\mathrm{C}\mathrm{T}}_F(a,b).$$

To extend the BCT and the boomerang uniformity of a vectorial Boolean function, Stǎnicǎ [34] introduced the concept of the c-Boomerang Connectivity Table (c-BCT). For $c\in {\mathbb{F}}_{2^m}^{\ast }$, the c-BCT is defined at the entry $(a,b)\in {\mathbb{F}}_{2^n}\times {\mathbb{F}}_{2^m}$ by

$${}_c\mathrm{BCT}_F(a,b)=\#\{x\in {\mathbb{F}}_{2^n}:F^{-1}(cF\left(x\right)+b)+F^{-1}\left(c^{-1}F(x+a)+b\right)=a\}.$$

The corresponding c-boomerang uniformity is defined by

$${}_c\beta _F=\underset{a\in {\mathbb{F}}_{2^n}^{\ast },b\in {\mathbb{F}}_{2^m}^{\ast }}{max}{}_c\mathrm{BCT}_F(a,b).$$

More generalizations of the differential and boomerang uniformities can be found in [35].

In 2019, Bar-On et al. [10] (see also [9]) introduced the Differential-Linear Connectivity Table (DLCT) of a vectorial Boolean function where the entry at $(a,b)\in {\mathbb{F}}_{2^n}\times {\mathbb{F}}_{2^m}$ is defined by

$${\mathit{DLCT}}_F(a,b)=\#\left\{x\in {\mathbb{F}}_{2^n}|b·(F(x+a)+F\left(x\right))=0\right\}-2^{n-1},$$

where $x·y$ is the inner product of x and y on ${\mathbb{F}}_{2^m}$. To measure the resistance of an S-box connected to a vectorial Boolean function, the differential-linear uniformity of F can be used, as defined by Li et al. in [36],

$${\gamma }_F=\underset{a\in {\mathbb{F}}_{2^n}^{\ast },b\in {\mathbb{F}}_{2^m}^{\ast }}{max}\left|{\mathit{DLCT}}_F(a,b)\right|.$$

Various links exist between the DLCT and the Autocorrelation Table (ACT) of a vectorial Boolean function F. The ACT is defined at $(a,b)\in {\mathbb{F}}_{2^n}\times {\mathbb{F}}_{2^m}$ by

$${\mathrm{A}\mathrm{C}\mathrm{T}}_F(a,b)=\sum _{x\in {\mathbb{F}}_{2^n}}{(-1)}^{b·\left(F\right(x)+F(x+a\left)\right)}.$$

The corresponding absolute indicator is defined as

$${\Delta }_F=\underset{\begin{array}{c}u\in {\mathbb{F}}_{2^n},u\ne 0,\\ b\in {\mathbb{F}}_{2^m}^{\ast }\end{array}}{max}\left|{\mathrm{A}\mathrm{C}\mathrm{T}}_F(a,b)\right|.$$

In [37], Canteaut et al. showed that the DLCT and the ACT of a vectorial Boolean function satisfy ${\gamma }_F=\frac{1}{2}{\Delta }_F$ and ${\mathit{DLCT}}_F(a,b)=\frac{1}{2}{\mathrm{A}\mathrm{C}\mathrm{T}}_F(a,b)$ for all $(a,b)\in {\mathbb{F}}_{2^n}\times {\mathbb{F}}_{2^m}$.

One can observe that the derivative $D_a\left(F\right)\left(x\right)=F\left(x\right)+F(x+a)$ of a Boolean function F is used in various tables, such as the DDT, the BCT, and the DLCT. Motivated by the crucial role of the derivative in the former tables and the attacks related to them, we propose three new concepts towards the c-derivative ${}_{c}D_a\left(F\right)\left(x\right)=F(x+a)+cF\left(x\right)$:

• •
  The c-Walsh transform of a vectorial Boolean function F: For $c\in {\mathbb{F}}_{2^m}^{\ast }$, it is defined for $a\in {\mathbb{F}}_{2^n}$ and $b\in {\mathbb{F}}_{2^m}$ by

  $${}_{c}W_F(a,b)=\sum _{x\in {\mathbb{F}}_{2^n}}{(-1)}^{a·x+b·cF\left(x\right)}.$$
• •
  The c-autocorrelation of a vectorial Boolean function: Let $c\in {\mathbb{F}}_{2^m}$, $c\ne 0$. The c-autocorrelation of F at $(a,b)\in {\mathbb{F}}_{2^n}\times {\mathbb{F}}_{2^m}$ is the integer

  $${}_c\mathrm{AC}_F(a,b)=\sum _{x\in {\mathbb{F}}_{2^n}}{(-1)}^{b·\left(F\right(x+a)+cF(x\left)\right)}.$$
  The absolute indicator is

  $${}_c\Delta _F=\underset{\begin{array}{c}u\in {\mathbb{F}}_{2^n},u\ne 0\mathrm{if}c=1,\\ b\in {\mathbb{F}}_{2^m}^{\ast }\end{array}}{max}\left|{}_c\mathrm{AC}_F(a,b)\right|,$$

  and the autocorrelation spectrum is

  $${}_c\mathsf{\Lambda }_F=\left\{{}_{c}AC_F(a,b),a\in {\mathbb{F}}_{2^n}^{\ast },b\in {\mathbb{F}}_{2^m}^{\ast }\right\}.$$
• •
  The c-Differential-Linear Connectivity Table (c-DLCT) where we use the c-derivative: Let $c\in {\mathbb{F}}_{2^m}^{\ast }$. The c-DLCT of F is a $2^n\times 2^m$ table where the entry at $(a,b)\in {\mathbb{F}}_{2^n}\times {\mathbb{F}}_{2^m}$ is defined by

  $${}_c\mathit{DLCT}_F(a,b)=\#\left\{x\in {\mathbb{F}}_{2^n}|b·(F(x+a)+cF\left(x\right))=0\right\}-2^{n-1}.$$
  We also define the c-differential-linear uniformity of F as

  $${}_{\mathrm{c}}\gamma _F=\underset{\begin{array}{c}u\in {\mathbb{F}}_{2^n},u\ne 0\mathrm{if}c=1,\\ b\in {\mathbb{F}}_{2^m}^{\ast }\end{array}}{max}\left|{}_{\mathrm{c}}\mathit{DLCT}_F(a,b)\right|,$$

  and, also, we define the c-DLCT spectrum of F by

  $${}_{\mathrm{c}}\mathsf{\Gamma }_F=\left\{{}_c\mathit{DLCT}_F(a,b),a\in {\mathbb{F}}_{2^n},b\in {\mathbb{F}}_{2^m}\right\}.$$

We show that there are numerous relationships between the three new concepts. Typically, we show that ${}_{\mathrm{c}}\mathit{DLCT}_F(a,b)=\frac{1}{2}{}_{c}AC_F(a,b)$ for all $(a,b)\in {\mathbb{F}}_{2^n}\times {\mathbb{F}}_{2^m}$ and ${}_c\gamma _F=\frac{1}{2}{}_c\Delta _F$.

Moreover, we focus on the inverse function defined on ${\mathbb{F}}_{2^n}$ by $F\left(x\right)=\frac{1}{x}$ if $x\ne 0$, and $F\left(0\right)=0$. We study its c-DLCT and give an explicit value for the entries, including when $c=1$.

We mention that there is an interesting connection between c differential uniformity and combinatorial designs, which has been highlighted in [38] by showing that the graph of a perfect c-nonlinear function (an optimal function concerning the c differential uniformity) is a set of differences in a quasigroup. Difference sets give rise to symmetric designs, which are known to build optimal self-complementary codes. Some types of designs also have concrete applications such as secret sharing and visual cryptography.

Finally, we emphasise that one of our practical applications in brother research lines is to use the derived (optimal) functions (see, e.g., [12]) to derive minimal binary linear codes (see, e.g., [39]) that are needed for their theatrical interests but, more importantly, for their practical applicants such as few-weight codes or minimal codes for secret sharing and securing two-party computation.

The rest of this paper is organized as follows. Section 2 presents some known results that will be used in this paper. In Section 3, we define the c-Walsh and the c-autocorrelation of a vectorial Boolean function and study some of their properties. In Section 4, we present the concept of the c-DLCT and study its properties. We investigate the c-DLCT of the inverse function in Section 5. Finally, Section 6 concludes the paper and presents new ideas for future research toward linear code designs along the same lines as designing (minimal) codes from Almost Perfect Nonlinear (APN) and recent achievements [40] on minimal codes from low differential uniformity.

2. Preliminaries

In this section, we present some results and definitions that will be used in the next sections, including the c-derivative and the c-differential uniformity of a vectorial Boolean function.

For $b\in {\mathbb{F}}_{2^n}$, we define the orthogonal space $b^{\perp }$ of b as follows.

Definition 1.

For $b\in {\mathbb{F}}_{2^n}$, the orthogonal space $b^{\perp }$ of b is defined by

$$b^{\perp }=\left\{x\in {\mathbb{F}}_{2^n}|b·x=0\right\},$$

where $b·x$ is the inner product of b and x on ${\mathbb{F}}_{2^n}$.

The following result gives an explicit value for $\#b^{\perp }$.

Proposition 1.

For $b\in {\mathbb{F}}_{2^n}$, the orthogonal space $b^{\perp }$ of b satisfies

$$\#b^{\perp }=\left\{\begin{array}{ll}{2}^n& \mathrm{if}b=0,\\ 2^{n-1}& \mathrm{if}b\ne 0.\end{array}\right.$$

Proof. 

It is obvious that $\#0^{\perp }=2^n$. Suppose that $b\ne 0$. Then, the binary expansion of b is in the following form.

$$b=(b_{n-1},b_{n-2},\dots ,b_j,\dots ,b_0).$$

Suppose that $b_j=1$ for some j with $0\le j\le n-1$. Let $x\in {\mathbb{F}}_{2^n}$ such that $x\notin b^{\perp }$, that is $b·x=1$, with the binary expansion

$$x=(x_{n-1},x_{n-2},\dots ,x_j,\dots ,x_0).$$

Let $y\in {\mathbb{F}}_{2^n}$ with the binary expansion

$$y=(y_{n-1},y_{n-2},\dots ,x_j+1(mod2),\dots ,x_0).$$

Then,

$$b·y=b·x+b_j\equiv 1+1\equiv 0(mod2).$$

Hence, $y\in b^{\perp }$. It follows that for $b\ne 0$, each element x of ${\mathbb{F}}_{2^n}$ satisfying $b·x=1$ is in correspondence with one element y of ${\mathbb{F}}_{2^n}$ satisfying $b·y=0$. As a consequence, we have $\#b^{\perp }=2^{n-1}$. □

For $n\ge 1$, let ${\mathbb{F}}_{2^n}$ be the finite field with $2^n$ elements. The trace of an element $x\in {\mathbb{F}}_{2^n}$ is given by

$$\mathrm{Tr}\left(x\right)=x+x^2+\cdots +x^{2^{n-1}},$$

and satisfies $\mathrm{Tr}\left(x\right)\in \{0,1\}$. The trace function satisfies $\mathrm{Tr}\left(x^2\right)=\mathrm{Tr}\left(x\right)$ for all $x\in {\mathbb{F}}_{2^n}$.

The following lemma is well known and is useful for our work.

Lemma 1.

Let n and k be positive integers and $e=gcd(k,n)$. Then,

$$gcd\left(2^k+1,2^n-1\right)=\left\{\begin{array}{ll}1& \mathit{if}\frac{n}{e}\mathit{is}\mathit{odd},\\ 2^e+1& \mathit{if}\frac{n}{e}\mathit{is}\mathit{even}.\end{array}\right.$$

Some specific equations on ${\mathbb{F}}_{2^n}$ may be involved. The following result deals with the quadratic equation.

Lemma 2.

(Proposition 1 of [41]) Let $a,b,c\in {\mathbb{F}}_{2^n}$. The equation $a{x}^2+bx+c=0$ has

• (i)One root if and only if $b=0$.
• (ii)Two roots if and only if $b\ne 0$ and $\mathit{Tr}\left(\frac{ac}{b^2}\right)=0$.
• (iii)No root if and only if $b\ne 0$ and $\mathit{Tr}\left(\frac{ac}{b^2}\right)=1$.

The following lemma concerns another equation on ${\mathbb{F}}_{2^n}$.

Lemma 3.

Let k and n be positive integers such that $k<n$. Let $d=gcd(k,n)$, $m=\frac{n}{d}>1$, and ${\beta }_{m-1}={\mathrm{Tr}}_d^n\left(B\right)$. Then, the trinomial $f\left(X\right)=X^{2^k}+X+B$ has no root if ${\beta }_{m-1}\ne 0$ and has $2^d$ roots $x+\delta \tau$ in ${\mathbb{F}}_{2^n}$ if ${\beta }_{m-1}=0$, where $\delta \in {\mathbb{F}}_{2^d}$, $\tau \in {\mathbb{F}}_{2^n}$ is any element satisfying ${\tau }^{2^k-1}=1$, and

$$x=\frac{1}{{\mathrm{Tr}}_d^n\left(c\right)}\sum _{i=0}^{m-1}\left(\sum _{j=0}^i{c}^{2^{kj}}\right)B^{2^{ki}},$$

with any $c\in {\mathbb{F}}_{2^n}^{\ast }$ satisfying ${\mathrm{Tr}}_d^n\left(c\right)\in {\mathbb{F}}_{2^d}^{\ast }$.

In [14], Ellingsen et al. proposed the concept of c-differentials. The following definitions are valid for binary finite fields.

Definition 2.

Let $F:{\mathbb{F}}_{2^n}\to {\mathbb{F}}_{2^m}$ be an $(n,m)$-vectorial Boolean function and $c\in {\mathbb{F}}_{2^m}$. The c-derivative F with respect to $a\in {\mathbb{F}}_{2^n}$ is the $(n,m)$-vectorial function ${}_{c}D_{a}F$ satisfying ${}_{t}p_{\mathrm{x}}$

$${}_{c}D_{\mathrm{a}}F\left(x\right)=F(x+a)+cF\left(x\right)$$

for all $x\in {\mathbb{F}}_{2^n}$.

Definition 3.

Let $F:{\mathbb{F}}_{2^n}\to {\mathbb{F}}_{2^m}$ be a $(n,m)$-vectorial Boolean function, and $c\in {\mathbb{F}}_{2^m}$. The c-differential table of F is an $2^n\times 2^m$ table whose components are defined for $a\in {\mathbb{F}}_{2^n}$ and $b\in {\mathbb{F}}_{2^m}$ by

$${}_c\Delta _F(a,b)=\#\{x\in {\mathbb{F}}_{2^n}|F(x+a)+cF\left(x\right)=b\}.$$

Definition 4.

Let $F:{\mathbb{F}}_{2^n}\to {\mathbb{F}}_{2^m}$ be a $(n,m)$-vectorial Boolean function, and $c\in {\mathbb{F}}_{2^m}$. The c-differential uniformity of F is

$${}_c\Delta _F=\left\{\begin{array}{ll}\underset{a\in {\mathbb{F}}_{2^n},b\in {\mathbb{F}}_{2^m}}{\max }{}_c\Delta _F(a,b)& \mathit{if}c\ne 1,\\ \hfill \underset{a\in {\mathbb{F}}_{2^n}\setminus \left\{0\right\},b\in {\mathbb{F}}_{2^m}}{\max }{}_c\Delta _F(a,b)& \mathit{if}c=1.\end{array}\right.$$

3. The $\mathit{c}$-Walsh and $\mathit{c}$-Autocorrelation of a Vectorial Boolean Function

The Walsh transform of a Boolean function $f:{\mathbb{F}}_{2^n}\to {\mathbb{F}}_2$ is defined at $u\in {\mathbb{F}}_{2^n}$ by

$$W_f\left(u\right)=\sum _{x\in {\mathbb{F}}_{2^n}}{(-1)}^{u·x+f\left(x\right)},$$

where $u·x$ is the inner product of u and x. The Walsh transform serves to compute the linearity of f as

$$\mathrm{L}\left(f\right)=\underset{u\in {\mathbb{F}}_{2^n}}{max}\left|W_f\left(u\right)\right|.$$

For a vectorial Boolean function $F:{\mathbb{F}}_{2^n}\to {\mathbb{F}}_{2^m}$, the Walsh transform of F is defined for $u\in {\mathbb{F}}_{2^n}$ and $v\in {\mathbb{F}}_{2^m}$ by

$$W_F(u,v)=\sum _{x\in {\mathbb{F}}_{2^n}}{(-1)}^{u·x+v·F\left(x\right)},$$

and is used to compute the linearity of F by

$$\mathrm{L}\left(F\right)=\underset{u\in {\mathbb{F}}_{2^n},v\in {\mathbb{F}}_{2^n}\setminus \left\{0\right\}}{max}\left|W_F(u,v)\right|.$$

We extend the Walsh transform of a vectorial Boolean function to the c-Walsh transform as follows.

Definition 5.

Let F be an $(n,m)$-vectorial Boolean function, and $c\in {\mathbb{F}}_{2^m}^{\ast }$. The c-Walsh transform of F is defined for $u\in {\mathbb{F}}_{2^n}$ and $v\in {\mathbb{F}}_{2^m}$ by

$${}_{c}W_F(u,v)=\sum _{x\in {\mathbb{F}}_{2^n}}{(-1)}^{u·x+v·cF\left(x\right)}.$$

The autocorrelation function is used to study various properties of the Boolean functions (see [42]).

Definition 6.

Let f be Boolean function defined on ${\mathbb{F}}_{2^n}$. The autocorrelation of f at $u\in {\mathbb{F}}_{2^n}$ is the integer

$${\mathit{AC}}_f\left(u\right)=\sum _{x\in {\mathbb{F}}_{2^n}}{(-1)}^{f\left(x\right)+f(x+u)},$$

and its absolute indicator is ${\Delta }_f={max}_{u\in {\mathbb{F}}_{2^n},u\ne 0}\left|{\mathit{AC}}_f\left(u\right)\right|$.

We notice that $u=0$ is excluded in the definition of the absolute indicator since ${\mathit{AC}}_f\left(0\right)={\sum }_{x\in {\mathbb{F}}_{2^n}}{(-1)}^{f\left(x\right)+f\left(x\right)}=2^n$. The generalization of the autocorrelation to vectorial Boolean functions can be then defined as follows.

Definition 7.

Let F be an $(n,m)$-vectorial Boolean function defined on ${\mathbb{F}}_{2^n}$. The autocorrelation of F at $(u,v)\in {\mathbb{F}}_{2^n}\times {\mathbb{F}}_{2^m}$ is the integer

$${\mathit{AC}}_F(u,v)=\sum _{x\in {\mathbb{F}}_{2^n}}{(-1)}^{v·\left(F\right(x)+F(x+u\left)\right)}.$$

The absolute indicator is

$${\Delta }_F=\underset{\begin{array}{c}u\in {\mathbb{F}}_{2^n},u\ne 0,\\ v\in {\mathbb{F}}_{2^m},v\ne 0\end{array}}{max}\left|{\mathit{AC}}_F(u,v)\right|,$$

and the autocorrelation spectrum is

$${\mathsf{\Lambda }}_F=\left\{{\mathit{AC}}_F(u,v),u\in {\mathbb{F}}_{2^n},u\ne 0,v\in {\mathbb{F}}_{2^m},v\ne 0\right\}.$$

The trivial values are not considered in the definition of the absolute indicator since ${\mathrm{AC}}_F(0,v)={\mathrm{AC}}_F(u,0)=2^n$.

Inspired by Definition 6, we introduce the notion of c-autocorrelation of a Boolean function.

Definition 8.

Let f be the Boolean function defined on ${\mathbb{F}}_{2^n}$, and $c\in {\mathbb{F}}_{2^m}$, $c\ne 0$. The c-autocorrelation of f at $u\in {\mathbb{F}}_{2^n}$ is the integer

$${}_c\mathit{AC}_{\mathrm{f}}\left(u\right)=\sum _{x\in {\mathbb{F}}_{2^n}}{(-1)}^{f(x+u)+cf\left(x\right)},$$

and the c-absolute indicator is ${}_c\Delta _{\mathrm{f}}={max}_{u\in {\mathbb{F}}_{2^n}}\left|{\mathit{AC}}_f\left(u\right)\right|$.

Similarly, to generalize Definition 7, we define the c-autocorrelation of a vectorial Boolean function.

Definition 9.

Let F be an $(n,m)$-vectorial Boolean function defined on ${\mathbb{F}}_{2^n}$, and $c\in {\mathbb{F}}_{2^m}$, $c\ne 0$. The c-autocorrelation of F at $(u,v)\in {\mathbb{F}}_{2^n}\times {\mathbb{F}}_{2^m}$ is the integer

$${}_c\mathit{AC}_F(u,v)=\sum _{x\in {\mathbb{F}}_{2^n}}{(-1)}^{v·\left(F\right(x+u)+cF(x\left)\right)}.$$

The absolute indicator is

$${}_c\Delta _F=\underset{\begin{array}{c}u\in {\mathbb{F}}_{2^n},u\ne 0\mathrm{if}c=1,\\ v\in {\mathbb{F}}_{2^m},v\ne 0\end{array}}{max}\left|{}_c\mathit{AC}_F(u,v)\right|,$$

and the autocorrelation spectrum is

$${}_c\mathsf{\Lambda }_F=\left\{{}_c\mathit{AC}_F(u,v),u\in {\mathbb{F}}_{2^n},v\in {\mathbb{F}}_{2^m},\right\}.$$

To ease the study of the c-autocorrelation of a vectorial Boolean function F, we present its c-autocorrelation table defined at $(u,v)\in {\mathbb{F}}_{2^n}\times {\mathbb{F}}_{2^m}$ by

$${}_c\mathrm{ACT}_F(u,v)=\sum _{x\in {\mathbb{F}}_{2^n}}{(-1)}^{v·\left(F\right(x+u)+cF(x\left)\right)}.$$

The following result links the c-autocorrelation of a vectorial Boolean function and its c-Walsh transform.

Proposition 2.

Let F be an $(n,m)$ Boolean function. Then, for any $u\in F_{2^n}$ and any $v\in F_{2^n}$,

$$W_F(u,v){}_{c}W_F(u,v)=\sum _{z\in {\mathbb{F}}_{2^n}}{(-1)}^{u·z}{}_c\mathit{AC}_F(z,v).$$

Proof. 

We have

$$\begin{array}{cc}\hfill W_F(u,v){}_{c}W_F(u,v)& =\sum _{x\in {\mathbb{F}}_{2^n}}{(-1)}^{u·x+v·F\left(x\right)}\sum _{y\in {\mathbb{F}}_{2^n}}{(-1)}^{u·y+v·cF\left(y\right)}\hfill \\ & =\sum _{x,y\in {\mathbb{F}}_{2^n}}{(-1)}^{u·(x+y)+v·\left(F\right(x)+cF(y)}\hfill \\ & =\sum _{y,z\in {\mathbb{F}}_{2^n}}{(-1)}^{u·z+v·\left(F\right(y+z)+cF(y\left)\right)}\hfill \\ & =\sum _{z\in {\mathbb{F}}_{2^n}}{(-1)}^{u·z}\sum _{y\in {\mathbb{F}}_{2^n}}{(-1)}^{v·\left(F\right(y+z)+cF(y\left)\right)}\hfill \\ & =\sum _{z\in {\mathbb{F}}_{2^n}}{(-1)}^{u·z}{}_c\mathit{AC}_F(z,v).\hfill \end{array}$$

This finishes the proof. □

4. The $\mathit{c}$-Differential-Linear Connectivity Table of a Vectorial Boolean Function

In this section, we present a new concept, called the c-Differential-Linear Connectivity Table (c-DLCT), which generalizes the standard DLCT, independently defined in 2018 by Kim et al. [9] and Bar-On et al. [10].

We start by defining the standard Differential-Linear Connectivity Table (DLCT).

Definition 10.

Let F be an $(n,m)$-vectorial Boolean function. The DLCT of F is an $2^n\times 2^m$ table where the entry at $(u,v)\in {\mathbb{F}}_{2^n}\times {\mathbb{F}}_{2^m}$ is

$${\mathit{DLCT}}_F(u,v)=\#\left\{x\in {\mathbb{F}}_{2^n}|v·(F(x+u)+F\left(x\right))=0\right\}-2^{n-1}.$$

The DLCT is a tool that could analyse the relationships between differential and linear parts of a block cipher. One can observe that if $x\in {\mathbb{F}}_{2^n}$ is such that $v·\left(F\right(x+u)+F(x\left)\right)=0$, then $v·\left(F\right((x+u)+u)+F(x+u\left)\right)=0$. Consequently, ${\mathit{DLCT}}_F(u,v)$ is always even. Moreover, if $u=0$, or if $v=0$, then ${\mathit{DLCT}}_F(u,v)=2^{n-1}$. This induces the following definition for differential-linear connectivity uniformity.

Definition 11.

Let F be an $(n,m)$-vectorial Boolean function. The differential-linear connectivity uniformity of F is

$${\gamma }_F=\underset{u\in {\mathbb{F}}_{2^n}^{\ast },v\in {\mathbb{F}}_{2^m}^{\ast }}{max}\left|{\mathit{DLCT}}_F(u,v)\right|.$$

The DLCT of a vectorial Boolean function is related to the autocorrelation function by the following relation.

$$\begin{array}{cc}\hfill {\mathrm{A}\mathrm{C}}_F(u,v)& =\#\{x\in {\mathbb{F}}_{2^n}|v·(F\left(x\right)+F(x+u))=0\left)\right\}\hfill \\ & -\#\{x\in {\mathbb{F}}_{2^n}|v·(F\left(x\right)+F(x+u))=1\}\hfill \\ & =2\#\{x\in {\mathbb{F}}_{2^n}|v·(F\left(x\right)+F(x+u))=0\}-2^n\hfill \\ & =2{\mathit{DLCT}}_F(u,v).\hfill \end{array}$$

The DLCT is a tool to study the relationships between the linear and the differential properties of a block cipher. For $(u,v)\in {\mathbb{F}}_{2^n}\times {\mathbb{F}}_{2^m}$, it counts the number of elements $x\in {\mathbb{F}}_{2^n}$ such that $v·\left(F\right(x+u)+F(x\left)\right)=0$. Let $a\in {\mathbb{F}}_{2^m}$, $a\ne 0$, and $b\in {\mathbb{F}}_{2^m}$, $b\ne 0$, be two fixed non-zero elements. It is possible to study the relationships between the linear and the differential properties of a block cipher by studying the number of solutions of the equation $v·\left(aF\right(x+u)+bF(x\left)\right)=0$ or equivalently $v·\left(F\right(x+u)+cF(x\left)\right)=0$, where $c=\frac{a}{b}$. This leads us to define a function’s c-Differential-Linear Connectivity Table (c-DLCT).

Definition 12.

Let F be an $(n,m)$-vectorial Boolean function, and $c\in {\mathbb{F}}_{2^m}$, $c\ne 0$. The c-DLCT of F is an $2^n\times 2^m$ table where the entry at $(u,v)\in {\mathbb{F}}_{2^n}\times {\mathbb{F}}_{2^m}$ is

$${}_c\mathit{DLCT}_F(u,v)=\#\left\{x\in {\mathbb{F}}_{2^n}|v·(F(x+u)+cF\left(x\right))=0\right\}-2^{n-1}.$$

Moreover, the c-differential-linear connectivity uniformity of F is

$${}_c\gamma _F=\underset{\begin{array}{c}u\in {\mathbb{F}}_{2^n},u\ne 0\mathrm{if}c=1,\\ v\in {\mathbb{F}}_{2^m},v\ne 0\end{array}}{max}\left|{}_c\mathit{DLCT}_F(u,v)\right|,$$

and the c-DLCT spectrum of F is defined for $(u,v)\in {\mathbb{F}}_{2^n}\times {\mathbb{F}}_{2^m}$ by

$${}_c\mathsf{\Gamma }_F=\left\{{}_c\mathit{DLCT}_F(u,v),u\in {\mathbb{F}}_{2^n},v\in {\mathbb{F}}_{2^m}\right\}.$$

From Definitions 9 and 12, we obtain the following connection between the ${}_c\mathrm{ACT}$ and the ${}_c\mathit{DLCT}$ of a vectorial Boolean function.

Proposition 3.

Let F be $(n,m)$-vectorial Boolean function. Then, for all $u\in {\mathbb{F}}_{2^n}$ and $v\in {\mathbb{F}}_{2^m}$,

$${}_c\mathit{DLCT}_F(u,v)=\frac{1}{2}{}_c\mathrm{AC}_F(u,v),\mathrm{and}{}_c\gamma _F=\frac{1}{2}{}_c\Delta _F.$$

Proof. 

We have

$$\begin{array}{cc}\hfill {}_c\mathrm{AC}_F(u,v)& =\#\{x\in {\mathbb{F}}_{2^n}|v·(F(x+u)+cF\left(x\right))=0\left)\right\}\hfill \\ & -\#\{x\in {\mathbb{F}}_{2^n}|v·(F(x+u)+cF\left(x\right))=1\}\hfill \\ & =2\#\{x\in {\mathbb{F}}_{2^n}|v·(F(x+u)+cF\left(x\right))=0\}-2^n\hfill \\ & =2{}_c\mathit{DLCT}_F(u,v).\hfill \end{array}$$

which gives ${}_c\mathit{DLCT}_F(u,v)=\frac{1}{2}{}_c\mathrm{AC}_F(u,v)$. On the other hand, we have

$${}_c\Delta _F=\underset{\begin{array}{c}u\in {\mathbb{F}}_{2^n},u\ne 0\mathrm{if}c=1,\\ v\in {\mathbb{F}}_{2^m},v\ne 0\end{array}}{max}\left|{}_c\mathrm{AC}_F(u,v)\right|=2\underset{\begin{array}{c}u\in {\mathbb{F}}_{2^n},u\ne 0\mathrm{if}c=1,\\ v\in {\mathbb{F}}_{2^m},v\ne 0\end{array}}{max}{}_c\mathit{DLCT}_F(u,v)=2{}_c\gamma _F,$$

and ${}_c\gamma _F=\frac{1}{2}{}_c\Delta _F$. This finishes the proof. □

As a consequence of the former proposition, the following result connects the c-DLCT and the c-derivative of a vectorial Boolean function via the Walsh transform.

Proposition 4.

Let F be an $(n,m)$-vectorial Boolean function, and $c\in {\mathbb{F}}_{2^m}$, $c\ne 0$. Then, for any $(u,v)\in {\mathbb{F}}_{2^n}\times {\mathbb{F}}_{2^m}$,

$${}_c\mathit{DLCT}_F(u,v)=\frac{1}{2}{W}_{\left({}_{c}D_{u}F\right)}(0,v).$$

Proof. 

Combining Definition 2 and the definition of the Walsh transform, we obtain

$$W_{\left({}_{c}D_{u}F\right)}(0,v)=\sum _{x\in {\mathbb{F}}_{2^n}}{(-1)}^{v·\left(F\right(x+u)+cF(x\left)\right)}={}_c\mathrm{AC}_F(u,v).$$

Then, using Proposition 3, we have

$$W_{{}_{c}D_{u}F}(0,v)={}_c\mathrm{AC}_F(u,v)=2{}_c\mathit{DLCT}_F(u,v),$$

and ${}_c\mathit{DLCT}_F(u,v)=\frac{1}{2}{W}_{\left({}_{c}D_{u}F\right)}(0,v)$. □

The following result shows a connection between the c-DLCT and the c-derivative of a vectorial Boolean function via the Walsh transform.

Proposition 5.

Let F be an $(n,m)$-vectorial Boolean function, and $c\in {\mathbb{F}}_{2^m}$, $c\ne 0$. Then, for any $(u,v)\in {\mathbb{F}}_{2^n}\times {\mathbb{F}}_{2^m}$,

$$W_F(u,v){}_{c}W_F(u,v)=2\sum _{\omega \in {\mathbb{F}}_{2^n}}{(-1)}^{u·\omega }{}_c\mathit{DLCT}_F(\omega ,v).$$

Proof. 

Combining Proposition 2 and Proposition 4, we obtain

$$\begin{array}{c}\hfill \begin{array}{cc}\hfill W_F(u,v){}_{c}W_F(u,v)& =\sum _{z\in {\mathbb{F}}_{2^n}}{(-1)}^{u·z}{}_c\mathit{AC}_F(z,v)\hfill \\ & =2\sum _{\omega \in {\mathbb{F}}_{2^n}}{(-1)}^{u·\omega }{}_c\mathit{DLCT}_F(\omega ,v),\hfill \end{array}\end{array}$$

as claimed. □

The following result gives a link between ${}_{\mathrm{c}}\mathit{DLCT}_F$ and ${}_{\mathrm{c}}\Delta _F(a,b)$.

Proposition 6.

Let F be an $(n,m)$-vectorial Boolean function, and $c\in {\mathbb{F}}_{2^m}$, $c\ne 0$. Then, for any $(u,v)\in {\mathbb{F}}_{2^n}\times {\mathbb{F}}_{2^m}$,

$${}_c\mathit{DLCT}_F(u,v)=\frac{1}{2}\sum _{\omega \in {\mathbb{F}}_{2^n}}{(-1)}^{\omega ·v}{}_c\Delta _F(u,\omega ).$$

Proof. 

By Proposition 3, we have

$$\begin{array}{c}\hfill \begin{array}{cc}\hfill 2{}_c\mathit{DLCT}_F(u,v)& ={}_c\mathrm{AC}_F(u,v)\hfill \\ & =\#\{x\in {\mathbb{F}}_{2^n}|v·(F(x+u)+cF\left(x\right))=0\left)\right\}\hfill \\ & -\#\{x\in {\mathbb{F}}_{2^n}|v·(F(x+u)+cF\left(x\right))=1\}\hfill \\ & =\sum _{\omega \in {\mathbb{F}}_{2^n},\omega ·v=0}\#\{x\in {\mathbb{F}}_{2^n}|F(x+u)+cF\left(x\right)=\omega \}\hfill \\ & -\sum _{\omega \in {\mathbb{F}}_{2^n},\omega ·v=1}\#\{x\in {\mathbb{F}}_{2^n}|F(x+u)+cF\left(x\right)=\omega \}\hfill \\ & =\sum _{\omega \in {\mathbb{F}}_{2^n}}{(-1)}^{\omega ·v}\#\{x\in {\mathbb{F}}_{2^n}|F(x+u)+cF\left(x\right)=\omega \}\hfill \\ & =\sum _{\omega \in {\mathbb{F}}_{2^n}}{(-1)}^{\omega ·v}{}_c\Delta _F(u,\omega ).\hfill \end{array}\end{array}$$

This leads to

$${}_c\mathit{DLCT}_F(u,v)=\frac{1}{2}\sum _{\omega \in {\mathbb{F}}_{2^n}}{(-1)}^{\omega ·v}{}_c\Delta _F(u,\omega ),$$

which finishes the proof. □

5. The $\mathit{c}$-DLCT of the Inverse Function

In this section, we give the explicit values of the entries of the c-DLCT, including the case $c=1$, and give some numerical results on ${\mathbb{F}}_{2^n}$ with $3\le n\le 8$.

5.1. The 1-DLCT of the Inverse Function

For $c=1$, the 1-DLCT satisfies the following result.

Theorem 1.

Let $F:{\mathbb{F}}_{2^n}\to {\mathbb{F}}_{2^n}$ be the inverse function defined by $F\left(0\right)=0$, and $F\left(x\right)=x^{2^{n-2}}$ for $x\ne 0$. For $a,b\in {\mathbb{F}}_{2^n}$, define the set

$$\begin{array}{c}\hfill \begin{array}{cc}\hfill E_0(a,b)& =\left\{z\in b^{\perp }|z\ne 0,\mathrm{Tr}\left(\frac{1}{az}\right)=0\right\},\hfill \end{array}\end{array}$$

where $b^{\perp }$ is the orthogonal space of b. Then,

$${}_1\mathit{DLCT}_F(a,b)=\left\{\begin{array}{ll}{2}^{n-1}& \mathit{if}a=0,\mathrm{or}b=0,\\ 2\#E_0(a,b)+2-2^{n-1}& \mathit{if}\frac{1}{a}\in b^{\perp },\\ 2\#E_0(a,b)-2^{n-1}& \mathit{if}\frac{1}{a}\notin b^{\perp }.\end{array}\right.$$

Proof. 

We use the definition

$${}_1\mathit{DLCT}_F(a,b)=\#\left\{x\in {\mathbb{F}}_{2^n}|b·(F(x+a)+F\left(x\right))=0\right\}-2^{n-1}.$$

We consider the following cases.

Case 1. 

Suppose that $b=0$. Then, for all $x\in {\mathbb{F}}_{2^n}$, $b·\left(F\right(x+a)+F(x\left)\right)=0$. Hence,

$${}_1\mathit{DLCT}_F(a,0)=2^n-2^{n-1}=2^{n-1}.$$

Case 2. 

Suppose that $b\ne 0$ and $a=0$. Then, for all $x\in {\mathbb{F}}_{2^n}$, $b·\left(F\right(x+a)+F(x\left)\right)=b·0=0$. This leads to

$${}_1\mathit{DLCT}_F(0,b)=2^n-2^{n-1}=2^{n-1}.$$

Case 3. 

Suppose that $b\ne 0$ and $a\ne 0$. Consider the equation

$$b·\left(F\right(x+a)+F(x\left)\right)=0.$$ (1)

Case 3.1. 

If $x=0$, then

$$b·(F(x+a)+F\left(x\right))=b·F\left(a\right)=b·\frac{1}{a}.$$

Hence, $x=0$ is a solution of the Equation (1) if and only if $\frac{1}{a}\in b^{\perp }$.

Case 3.2. 

If $x=a$, then

$$b·(F(x+a)+F\left(x\right))=b·F\left(a\right)=b·\frac{1}{a}.$$

Hence, $x=a$ is a solution of the Equation (1) if and only if $\frac{1}{a}\in b^{\perp }$.

Case 3.3. 

Suppose that $x\ne 0$ and $x\ne a$. We have

$$F(a+x)+F\left(x\right)=\frac{1}{a+x}+\frac{1}{x}=\frac{a}{x^2+ax}.$$

If $b·\left(F\right(a+x)+F(x\left)\right)=0$, then $F(a+x)+F\left(x\right)=z$ for some $z\in b^{\perp }$, that is $\frac{a}{x^2+ax}=z,$ or equivalently

$$\begin{array}{c}\hfill z{x}^2+azx+a=0.\end{array}$$ (2)

Case 3.3.1. 

If $z=0$, then the Equation (2) reduces to $a=0$, which is not possible.

Case 3.3.2. 

Suppose that $z\ne 0$. If $\mathrm{Tr}\left(\frac{1}{az}\right)=1$, then, by Lemma 2, the Equation (2) has no solution, and if $\mathrm{Tr}\left(\frac{1}{az}\right)=0$, it has two solutions.

• Define the set

$$\begin{array}{c}\hfill \begin{array}{cc}\hfill E_0(a,b)& =\left\{z\in b^{\perp }|z\ne 0,\mathrm{Tr}\left(\frac{1}{az}\right)=0\right\}.\hfill \end{array}\end{array}$$

The ${}_1\mathit{DLCT}$ in Case 3 is then

$${}_1\mathit{DLCT}_F(a,b)=\left\{\begin{array}{ll}2\#E_0(a,b)+2-2^{n-1}& \mathrm{if}\frac{1}{a}\in b^{\perp },\\ 2\#E_0(a,b)-2^{n-1}& \mathrm{if}\frac{1}{a}\notin b^{\perp },\end{array}\right.$$

which finishes the proof. □

5.2. The c-DLCT of the Inverse Function for $c\ne 1$

Theorem 2.

Let $F:{\mathbb{F}}_{2^n}\to {\mathbb{F}}_{2^n}$ be the inverse function defined by $F\left(0\right)=0$, and $F\left(x\right)=\frac{1}{x}$ for $x\ne 0$. Let $c\in {\mathbb{F}}_{2^n}$ with $c\ne 0$ and $c\ne 1$. For $a,b\in {\mathbb{F}}_{2^n}$, define the set

$$\begin{array}{c}\hfill \begin{array}{cc}\hfill E_0(a,b,c)& =\left\{z\in b^{\perp }|z\ne 0,z\ne \frac{1+c}{a},\mathrm{Tr}\left(\frac{acz}{{(1+c+az)}^2}\right)=0\right\},\hfill \end{array}\end{array}$$

where $b^{\perp }$ is the orthogonal space of b. Then,

$${}_c\mathit{DLCT}_F(a,b)=\left\{\begin{array}{ll}{2}^{n-1}& \mathit{if}b=0,\\ 0& \mathit{if}a=0,b\ne 0,\\ 2\#E_0(a,b,c)+2-2^{n-1}& \mathit{if}\frac{1}{a}\in b^{\perp },\frac{c}{a}\notin b^{\perp },\\ 2\#E_0(a,b,c)+2-2^{n-1}& \mathit{if}\frac{1}{a}\notin b^{\perp },\frac{c}{a}\in b^{\perp },\\ 2\#E_0(a,b,c)+4-2^{n-1}& \mathit{if}\frac{1}{a}\in b^{\perp },\frac{c}{a}\in b^{\perp },\\ 2\#E_0(a,b,c)+2-2^{n-1}& \mathit{if}\frac{1}{a}\notin b^{\perp },\frac{c}{a}\notin b^{\perp }.\end{array}\right.$$

Proof. 

Suppose that $c\ne 0$ and $c\ne 1$. We use the definition

$${}_c\mathit{DLCT}_F(a,b)=\#\left\{x\in {\mathbb{F}}_{2^n}|b·(F(x+a)+cF\left(x\right))=0\right\}-2^{n-1}.$$

We consider the following cases.

Case 1. Suppose that $b=0$. Then, for all $x\in {\mathbb{F}}_{2^n}$, $b·\left(F\right(x+a)+cF(x\left)\right)=0$. Hence,

$${}_c\mathit{DLCT}_F(a,0)=2^n-2^{n-1}=2^{n-1}.$$

Case 2. Suppose that $b\ne 0$ and $a=0$. If $b·\left(F\right(x+a)+cF(x\left)\right)=0$, then $b·(1+c)F\left(x\right)=0$, and $(1+c)F\left(x\right)\in b^{\perp }$. Observe that $x=0$ is a possible solution. If $x\ne 0$, then there exists $z\in b^{\perp }\setminus \left\{0\right\}$ such that $(1+c)F\left(x\right)=z$, that is $\frac{1+c}{x}=z$, and $x=\frac{1+c}{z}$. This leads to

$${}_c\mathit{DLCT}_F(0,b)=\#b^{\perp }-2^{n-1}=0.$$

Case 3. 

Suppose that $a\ne 0$ and $b\ne 0$. Consider the equation

$$b·\left(F\right(x+a)+cF(x\left)\right)=0.$$ (3)

Case 3.1. 

If $x=0$, then

$$b·(F(x+a)+cF\left(x\right))=b·F\left(a\right)=b·\frac{1}{a}.$$

Hence, $x=0$ is a solution of the Equation (3) if and only if $\frac{1}{a}\in b^{\perp }$.

Case 3.2. 

If $x=a$, then

$$b·(F(x+a)+cF\left(x\right))=b·cF\left(a\right)=b·\frac{c}{a}.$$

Hence, $x=a$ is a solution of the Equation (3) if and only if $\frac{c}{a}\in b^{\perp }$.

Case 3.3. 

Suppose that $x\ne 0$ and $x\ne a$. We have

$$F(a+x)+cF\left(x\right)=\frac{1}{a+x}+\frac{c}{x}=\frac{(1+c)x+ac}{x^2+ax}.$$

If $b·\left(F\right(a+x)+cF(x\left)\right)=0$, then $F(a+x)+cF\left(x\right)=z$ for some $z\in b^{\perp }$, that is $\frac{(1+c)x+ac}{x^2+ax}=z,$ or equivalently

$$\begin{array}{c}\hfill z{x}^2+(1+c+az)x+ac=0.\end{array}$$ (4)

Case 3.3.1. 

If $z=0$, then the Equation (4) reduces to $(1+c)x+ac=0$, which has one solution $x=\frac{ac}{1+c}$.

Case 3.3.2. 

If $z_0=\frac{1+c}{a}\in b^{\perp }$, then for $z_0$, the Equation (4) reduces to $z_0{x}^2+ac=0$, which, by Lemma 2, has one solution.

Case 3.3.3. 

Suppose that $z\ne 0$ and $z\ne \frac{1+c}{a}$. If $\mathrm{Tr}\left(\frac{acz}{{(1+c+az)}^2}\right)=1$, then, by Lemma 2, the Equation (4) has no solution, and if $\mathrm{Tr}\left(\frac{acz}{{(1+c+az)}^2}\right)=0$, it has two solutions.

• To summarize all the cases, we define the set

$$\begin{array}{c}\hfill \begin{array}{cc}\hfill E_0(a,b,c)& =\left\{z\in b^{\perp }|z\ne 0,z\ne \frac{1+c}{a},\mathrm{Tr}\left(\frac{acz}{{(1+c+az)}^2}\right)=0\right\}.\hfill \end{array}\end{array}$$

The ${}_c\mathit{DLCT}$ in Case 3 is then

$${}_c\mathit{DLCT}_F(a,b)=\left\{\begin{array}{ll}2\#E_0(a,b,c)+2-2^{n-1}& \mathrm{if}\frac{1}{a}\in b^{\perp },\frac{c}{a}\notin b^{\perp },\\ 2\#E_0(a,b,c)+2-2^{n-1}& \mathrm{if}\frac{1}{a}\notin b^{\perp },\frac{c}{a}\in b^{\perp },\\ 2\#E_0(a,b,c)+4-2^{n-1}& \mathrm{if}\frac{1}{a}\in b^{\perp },\frac{c}{a}\in b^{\perp },\\ 2\#E_0(a,b,c)+2-2^{n-1}& \mathrm{if}\frac{1}{a}\notin b^{\perp },\frac{c}{a}\notin b^{\perp },\end{array}\right.$$

which finishes the proof. □

5.3. Numerical Results for the c-DLCT of the Inverse Function

We have computed the c-DLCT of the inverse function over ${\mathbb{F}}_{2^n}$ for $3\le n\le 7$, and all $c\in {\mathbb{F}}_{2^n}^{\ast }$, while for $n=8$, we only compute it for $c=1,2,\dots ,10$. The inversion and multiplication in ${\mathbb{F}}_{2^n}$ are processed modulo the polynomials presented in Table 1.

Table 1.

The polynomials of ${\mathbb{F}}_{2^n}$ for $3\le n\le 8$.

${\mathbb{F}}_{2^{\mathit{n}}}$	Polynomial
${\mathbb{F}}_{2^3}$	$x^3+x+1$
${\mathbb{F}}_{2^4}$	$x^4+x+1$
${\mathbb{F}}_{2^5}$	$x^5+x^3+1$
${\mathbb{F}}_{2^6}$	$x^6+x^3+1$
${\mathbb{F}}_{2^7}$	$x^7+x^3+1$
${\mathbb{F}}_{2^8}$	$x^8+x^4+x^3+x^2+1$

In Table 2, we present the values of ${}_c\mathit{DLCT}_F(u,v)$ of the inverse function over ${\mathbb{F}}_{2^4}$ with $c=0\times 9$.

Table 2.

The values of ${}_c\mathit{DLCT}_F(u,v)$ of the c-DLCT of the inverse function over ${\mathbb{F}}_{2^4}$ for $c=0\times 9$.

$u\setminus v$	0	1	2	3	4	5	6	7	8	9	a	b	c	d	e	f
0	8	0	0	0	0	0	0	0	0	0	0	0	0	0	0	0
1	8	0	2	2	0	−4	2	−2	2	−4	0	2	2	0	0	−2
2	8	2	0	−2	2	2	2	−2	0	2	−4	2	−4	0	0	0
3	8	0	2	0	−2	−4	0	0	−2	0	2	2	2	2	2	−4
4	8	−2	2	−2	0	2	−4	0	2	0	2	2	2	−4	0	0
5	8	2	0	2	0	0	−2	2	−4	0	2	2	−2	0	2	−4
6	8	0	−2	0	−2	2	2	−4	0	2	−4	0	0	2	2	2
7	8	2	−4	−4	2	−2	0	2	2	0	2	−2	0	0	2	0
8	8	−2	0	0	2	2	2	0	−2	2	2	−4	0	2	−4	0
9	8	2	−4	0	2	0	2	2	0	2	0	−4	2	0	−2	−2
a	8	2	0	2	−4	2	−2	−4	2	0	0	−2	0	2	0	2
b	8	−4	0	2	0	2	2	2	0	−2	0	0	−2	2	−4	2
c	8	0	−2	−4	0	0	0	2	0	−2	2	2	2	−4	2	2
d	8	0	2	2	−4	0	−4	0	2	2	0	0	2	−2	−2	2
e	8	−4	2	2	2	−2	0	0	2	−4	−2	0	0	2	0	2
f	8	2	2	0	2	0	0	2	−4	2	−2	0	−4	−2	2	0

For the inverse function over ${\mathbb{F}}_{2^n}$, we present in Table 3 the c-DLCT spectrum ${}_c\mathsf{\Gamma }_F$ and c-differential-linear uniformity ${}_c\gamma _F$ for $3\le n\le 8$ and for small values of c. All the other c-DLCT spectrums reduce to one of the listed ones in the table.

Table 3.

The c-DLCT spectrum and the c-differential-linear connectivity uniformity of the inverse function over ${\mathbb{F}}_{2^n}$ for $3\le n\le 8$ and small c.

${\mathbb{F}}_{2^{\mathit{n}}}$	c	${}_{\mathit{c}}\mathbf{\Gamma }_{\mathit{F}}$	${}_{\mathit{c}}\mathit{\gamma }_{\mathit{F}}$
${\mathbb{F}}_{2^3}$	1	$\{-4,0,4\}$	4
${\mathbb{F}}_{2^3}$	2	$\{-2,0,2,4\}$	2
${\mathbb{F}}_{2^4}$	1	$\{-4,0,4,8\}$	4
${\mathbb{F}}_{2^4}$	2	$\{-4,-2,0,2,8\}$	4
${\mathbb{F}}_{2^4}$	6	$\{-2,0,2,4,8\}$	4
${\mathbb{F}}_{2^5}$	1	$\{-4,0,4,16\}$	4
${\mathbb{F}}_{2^5}$	2	$\{-6,-4,-2,0,2,4,6,16\}$	6
${\mathbb{F}}_{2^5}$	3	$\{-6,-4,-2,0,2,4,16\}$	6
${\mathbb{F}}_{2^5}$	7	$\{-4,-2,0,2,4,16\}$	4
${\mathbb{F}}_{2^6}$	1	$\{-8,-4,0,4,8,32\}$	8
${\mathbb{F}}_{2^6}$	2	$\{-8,-6,-4,-2,0,2,4,6,8,32\}$	8
${\mathbb{F}}_{2^6}$	6	$\{-8,-6,-4,-2,0,2,4,6,32\}$	8
${\mathbb{F}}_{2^6}$	8	$\left\{-6,-4,-2,0,2,6,8,32\right\}$	8
${\mathbb{F}}_{2^7}$	1	$\{-12,-8,-4,0,4,8,64\}$	12
${\mathbb{F}}_{2^7}$	2	$\{-12,-10,-8,-6,-4,-2,0,2,4,6,8,10,64\}$	12
${\mathbb{F}}_{2^8}$	1	$\{-16,-12,-8,-4,0,4,8,12,16,128\}$	16
${\mathbb{F}}_{2^8}$	2	$\{-16,-14,-12,-10,-8,-6,-4,-2,0,2,4,6,8,10,12,14,16,128\}$	16
${\mathbb{F}}_{2^8}$	6	$\{-16,-14,-12,-10,-8,-6,-4,-2,0,2,4,6,8,10,12,14,128\}$	16
${\mathbb{F}}_{2^8}$	10	$\{-14,-12,-10,-8,-6,-4,-2,0,2,4,6,8,10,12,14,16,128\}$	16

6. Conclusions

In this paper, we introduced and studied new cryptographic tools and parameters to help us quantify the security of S-boxes (mathematically, vectorial Boolean functions) involving block ciphers as main components: the c-Walsh transform, the c-autocorrelation, and the c-differential-linear uniformity. We also introduced a new table called the c-Differential-Linear Connectivity Table (c-DLCT) to analyse attacks related to the differential and the linear attacks. We considered various S-box family properties associated with the above-mentioned notion and presented the values of the c-DLCT of the particular crucial case of the inverse function. Finally, recall that codes over finite fields have been studied extensively because of their linear structures and practical implementations. It is the basis of the research on various kinds of codes. One well-known construction method of linear codes is derived from special functions (essentially from cryptographic functions which play a crucial role in symmetric cryptography) over finite fields (see the book [12]). Cryptographic multi-output Boolean functions and codes have essential data communication and storage applications. These two areas are closely related and have had a fascinating interplay (see, e.g., the book chapter in [43] and the references therein). Cryptographic functions and linear codes are closely related and have had a fascinating interplay. Cryptographic functions (e.g., highly nonlinear functions, Perfect Nonlinear (PN), Almost Perfect Nonlinear (APN), Bent, Almost Bent (AB), and Plateaued) have essential applications in coding theory. For instance, Perfect Nonlinear (APN or PN) functions have been employed to construct optimal linear codes (see, e.g., [44,45,46,47,48] and the references therein). Very recently, Mesnager, Shi, and Zhu [40] proposed several constructions of minimal (cyclic) codes from low differential uniform functions. Given these works, the derived functions from this paper would help design new families of binary minimal codes. We will keep an in-depth study of them in future work and cordially invite interested readers to investigate them.

Author Contributions

Conceptualization, S.E. and S.M.; Methodology, S.E. and S.M.; Validation, S.E. and S.M.; Formal analysis, S.E. and S.M.; Investigation, S.E. and S.M.; Writing—original draft, S.E.; Writing—review and editing, S.M. All authors have read and agreed to the published version of the manuscript.

Institutional Review Board Statement

Not applicable.

Data Availability Statement

No new data were created or analyzed in this study. Data sharing is not applicable to this article.

Conflicts of Interest

The authors declare no conflict of interest.

Funding Statement

This research received no external funding.