I. INTRODUCTION. A bent function is a Boolean function with even number of variables whose Walsh transform has a constant magnitude [1]. In coding context ...
1
Constructions of Quadratic Bent Functions Nam Yul Yu and Guang Gong, Member, IEEE Department of Electrical and Computer Engineering University of Waterloo, CANADA
Abstract We show that a necessary condition for being bent is
� �" ��
�/.
�������� ����� ������ ����� ��� ����� � ��! � � �"� #� ��� �$����%#&(' �� ) � �+*-, � � � � �" �� �
. We then present several constructions and enumerations for such bent functions.
Using an iterative approach, we give a method to construct bent functions with maximum degree
� by �
using quadratic bent functions constructed in this paper.
Index Terms Boolean functions, Bent functions, Semi-bent functions, Maximum nonlinearity.
I. I NTRODUCTION A bent function is a Boolean function with even number of variables whose Walsh transform has a constant magnitude [1]. In coding context, it is a coset of the first order Reed-Muller code with the largest minimum weight [2]. In other words, a bent function has a maximum distance from a linear function, so it is maximally nonlinear. For the maximum nonlinearity, bent functions have been paid a lot of attention to by researchers for cryptographic applications, see [3] - [7]. Moreover, the maximum nonlinearity corresponds to the minimized maximum correlation with a trace function. Thus, bent functions also have many applications in algebraic coding and sequence design [2] [8]. In [9] and [10], Khoo, Gong and Stinson investigated the following sum of monomial trace terms with quadratic exponents, i.e., the exponent of variables has Hamming weight 0 : for odd 1 , = @ > @(E-F 243�5�687:? @9 B 3�5 � 5 �� 6 . Khoo, Gong and Stinson derived the necessary and 9 D 1 even J D KLM H A9 to H . Or equivalently, the monomial > ! H 3#5 B#G+H ! H 3#5 B#G+H > 6 6 9$" E F has to be presented in the construction. (Note. The single term B B 9$" 9$" 3�5�6 together with linear function generates the Kasami (small) signal set [11] [12].) Using a 243�5�6 similar approach as in [10], we show that a necessary and sufficient condition for , given 3 3#5 6 J0/1/1/ D where maximum value of 3 with nonzero = �> /1/1/ - is called the degree of the Boolean function D 243 6 * .
4
M M M In terms of a basis of H , a polynomial function of a sum of trace functions from H to H 9 9 M M corresponds to a Boolean function from H to H . For example, a sum of monomial trace terms with quadratic exponents corresponds to a quadratic Boolean function. B. Bent functions A Boolean function of 1
variables is called a bent function if its Walsh transform has a 243 6 constant magnitude [1] [2], where the Walsh transform of a Boolean function * is defined by
?
2 3 � 687
3
����� >
In an equivalent polynomial function by
9 6 243#5�
?
243�� 687
3 �
�
� 6�� / G� � � J
M from H 9
KLM � H �
M to H , its Hadamard transform is defined
� 6�� � � � � G� � � J
� KLM
����� >
2�3�5�6 2�3�� 6 K Then, is bent if � = J�� > � . For even 1 , on ��� 0 9� functions exist only for even 1 to a quadratic bent function.
243�5�687
H � 9
9 2 3�5�6 4 2 3�� 6 K is semi-bent if 0 9> � , where 1 is even. For odd 1 , �"> 243#5 6 2 3�� 6 K J � the other hand, is semi-bent if ��� 0 9 >�� . Bent 243#5 6 . For example, the following polynomial function corresponds �
�
� H � B E F
?@
ACB
3�5 B#G+H I 6 �
E-F
� H 3�5 B#G+H
B
9#"
> 6 � G . From the definition of , we have that where A9 D D � D � D 3 687 3 687 D 9 � � if and only if � . D @ 3 6 7 @ � � � D � 3�5�6 3 6 7 3#5�6 7 � 3�5�6 7 � @ � 0 � if and only if If , is irreducible. Hence,
= � � D D > 3�5 � � 5 � 6 ��� . This is equivalent to AC; B � @ @ ��� � � � 7 � J � � (9) � 0 � 3�5�687 3�5�6 3�5�6 3�5�6 3#5�6 3 6 7 � B 7 B H If � � 0 � H and is odd, on the other hand, where B and H � � � B 3#5 6 7 5 3#5 � B 6 3#5 6 H B � are irreducible and [3]. From (8), we see that has a root of as well D 3#5 6 3#5�6 as . If has an irreducible factor B , therefore, it simultaneously has another irreducible D 3#5�6 3 6 7 3#5 687 3�5�6 3�5�68� 7 � 3�5�6 B H factor H , and vice versa. Hence, � if and only if . Finally, D D � 3 6 243#5�6 24� 3#5 6 is non-bent if and only if (9) is achieved regardless of � is bent if 0 . Conversely,
�
�
�
��
�
� ��
�
�
�
�� ��
� ��
�
�
�
�
�� ��
� achieving (6). @ we consider @ the number of @ 3#5 6 corresponding to non-bent functions. From the definition Next, 7 �> � B � D � 7 � G . We will show that the intersection of sets � � � of , we have 9A J J � � � � � � D � 7 � J J H � � is empty. If there is a pair 3 J � 6 such that � and � H �� 7 �� � � 7 � GCB � ��� � � �
and only if there exists at least one
� +
�
�
�
�
$&$&$
� �
�
�
�
�
�
, then
�
�
H
�
�
�
$&$&$
. If
��
��
, then
�
��
��
� , and if
�
�
, then
�
�H
. Therefore,
8
�
� � � �
there exist no such ’s for
� B
@ H . Consequently,@ all indices
�
distinct. Since the number of distinct coefficients in satisfying (9) is given by
� 7���� 0 �� � 0 � � �
�
J
Besides, note that in (7), coefficients
D
number of such cases is given by
Finally, the number of
�
3�5�6
�
�%$&$&$ �
�
7
D
H
J
$&$&$
J
0 0
�
�
and
��
;
�
>� � B
D 9
= >
� �
7
@
�
@ of ’s in and � are � D 7 0 , the number of ’s is � D H � � B > = �
0
;
� can take any values of � or , so the
�
� B 7 H� =� B � 0 �> 9
0 ;
corresponding to non-bent functions, denoted by = � 7 � � 7 $ 0 9; >;
� �
D
�
Remark 2: The first few primes
�
��� �
�
� J
�
$&$&$
@ For easy visualizing the construction shown in Theorem 4, we consider a H D
, i.e.,
�
+
���� 7
D
���
�
, is given by
of Theorem 4 are
� J� �J���J J � J �� J 0 � J 0 � J � ��J���� J� � J� � J�� �J �
coefficients
@
D
$2$&$
B
G B D�. ..
D .� ..
$2$&$ $&$&$
D
�
� H
H � H D �. ..
$2$&$
D
�
� B
H � B D �. ..
����� ��
�� �
�
matrix of
@ > � H > � B � 9 9 9 D D D + 7 7 + J J � � � @ � B where B � . Let � where is the @ th column vector of � D � J � B @ @ � H . Then, we see the sum of all elements of is equal to . From Theorem 4, 2�3�5�6 � , therefore, is bent if and only if there exists at least a pair of column vectors and � � B � such that the sum of elements in the pair is equal to � . We illustrates in Fig. 1 the � H 7 0� 0 construction of bent functions for 1 with the matrix .
� "!$# �#
�
>� � B
>� � B GCB
�# &% # � ��� # � ���
D J $&9 $&$ J
�
� ��
7 Example 1: For 1 �
�
0
7 0
H
�
#
#
� , the matrix representation of each coefficients is given by � � � 7 � DB DH � D(' D�) D�* �
9
�
Fig. 1.
��
������ '
'
Matrix illustration of construction of a bent function for
��� ��
���� '
'
������
����� �� �
TABLE I C ONSTRUCTION OF BENT FUNCTIONS WITH QUADRATIC EXPONENTS FOR
$# = # > # %&# '�# +�+�+�+ + �
+�+ + + B +�+�+ B�B +�+ B B�B + +�+ B B + + B B B +�+�+ � B B + + � B B B
Thus,
2�3�5�6 7
@
* ACB D
@(E-F B
#B H 3�5 #B G+H I 6 �
Trace exponents 65 9, 65 17, 33, 65 9, 17, 33, 65 5, 33, 65 5, 9, 33, 65 3, 33, 65 3, 9, 33, 65
E-F
$# = # > # %(# ')# + + + � B B + + B�B B +�+ + � B B + + � B B B +�+ + � B B + + � B B B + � B B B�B � B B B B�B
*
�������
(65 CORRESPONDS TO
�����=���� � �"! )
Trace exponents 5, 17, 65 5, 9, 17, 65 3, 17, 65 3, 9, 17, 65 3, 5, 65 3, 5, 9, 65 3, 5, 17, 33, 65 3, 5, 9, 17, 33, 65
* 3�5 * 6 B
is bent if and only if 7 � H � B � � D D D D and can be free to choose. Also, the number of bent functions is given by D =�> = % 7 7 � � � � 7 � � � 0 0 ;> ; 0 � All possible bent functions are listed in Table I.
('
�
�)
*
�
�*
� �
1 7 0 � � F 7 � J ���� � In this section, we construct all bent functions for 1 0 with � � 0 which is a 7 �� 1 generalization of in Section IV. We start from the following definition and lemma. 0 V. C ONSTRUCTION
FOR
� 3�5�6
Definition 1: Let
7
@ #
�
ACB
@
�
circular symmetric if
�
10
@ @ 5 ��� 7
� #
, where
@
�J �7
�
@
� J
K M
H and
J� $&$&$ � 0
�
is even. Then,
�
� 3#5�6
is called
�
3#5�6 � 7 � � � � Lemma 1: Let be a circular symmetric polynomial of for odd prime and 3#5 6 3�5�6 7 � 3#5 6 3�5�6 � � � an integer . Assume that there exists � such that . Then, � 3#5 6 3 6 � � B � � (a) � is also circular symmetric of ����� � . @ (b) =� B @ � B 3#5�6 � 7 � 3#5 6 � ?� � ? @ ; 5 G � = � � ; � @ � A + ACB @ @ @ =� B 5 � � J 3#5 687 KLM 3�5�6 H . In other words, � A ;B � � where � contains all monomial terms � 3�5�6 in .
�
� �
�
�
�
Proof: (a) The circular symmetric polynomial property.
From
5
� 3�5�6 7 �
� �
5 �
� 3#5 � B 687 � 3�5�6 � �
� 3�5�6 5
with
7 �
�
�
�
�
has the following
����� �
(10)
3#5 6 �3 5�6 � #3 5�6 � and the self-reciprocity of from Property 1, � 3�5 � B 687 5 � 3�5 � B 6 3#5 � B 687 5 � �3 5 � B 6 $ 5 � 3�5 � B 6 � � � � � � � � 7 � � 3�5�6 $ 5 � 3�5 � B 6 � � � �
(11)
�
From (10) and (11),
3�5�6 = � 687 ?@ ; ; 3 � = � 6� � A9 +
� ?@
B
@
� B
ACB @ G
�
� 3�5
�
@
�
5
@
�
. Hence,
� 6 ��� 7
= @ ?@ > ; 3 � � ACB
�
@
�
�
6 � B ?9 3#5 � 5 �� 6 � 5 > � �%$&$&$�� @ 9 A �> � B GCB D � @ @9 � 7 �> + B 3#5�6 A9 G , With � is given by (13). D � D
�
��� �
�
�
�
�
5 � � H �
6
12
3�5�6 �
Lemma 3:
3�5�6
divides
3#5�6 �
if and only if
divides
�D 3#5�6 .
� D 3�5�6 3�5�6 Proof: From the definition of and a polynomial , 3#5 6 7 D #3 5�6 =
���
; .� ; ..
�� �
� B
�
�
�
$&$&$
�
..
�
=� =�
� �
� �
; . We write
..
> =
;
� B �
�
.. ; . �
�
= GCB �
;
�
=G B�
�
..
�
$&$&$
.. . $&$&$
�
$&$&$
��� 7
� �
� 7
+
7
� ��
@
, then
�
����
��
�
�
� � � @ � ��� � � B matrix whose entries are given by � � � , i.e., � � �� � B �� � >= = �� � = �� � = G B �� � = G ; ; >= = �� � H ; = � � � H ; = GCB � � � H ; = G ; >=; = �� ;. ; . ; ; .; .
In (13), we denote
Let
3�5�6 �
B
3�5�6 �@
�
D
� �
� B �
;
$&$&$ $&$&$
..
.. .
=G
�
� � � � � �� ; � H = B � � ��� � ; = B � � ��� ' ; ... ��� � > = G > = = � � ��� ; . ; ; �
$&$&$
= > � ..; .
(14)
= = � ; ;
�
�
�
�
�
�
$&$&$
>
=� B�
.. .
�
$&$&$
�
..
� B�
�
� @ = � B � � � � � 7���� � � � B � � @ (15) ; � � � is the � th column vector of � � . From (14), � � � is circular symmetric, 7 F @ where i.e., � � � � � � � . Using the matrix � � , we can construct bent functions for 1 7 0 J � 0 in the following +
@
$&$&$
�
����
�
way. � F let � be odd prime with � � 3 0 6 7 � � � or � H B 7 , Theorem 5: With the above notation, � 1 7 0 ���� J�� � � J � 0 . Then, 2�3�5�6 given by (2) is @ bent if and only if for F where is odd, and =� B �J � J each , there exist at least one � such that @ � given by (15) is not � ; H =� B J + � 7 3 � J � J $&$&$ J � 6 � � 7 3 J J $&$2$ J 6 where � ;H a constant vector, i.e., , or for D D D K J � � ��� . D 243�5�6 3 3#5�6
�
; = > ;� = > � B
� Fig. 2.
Submatrix structure of
���
7 Example 2: For 1
� � B �� ���
� 7
�
,
+
� B
����� � B � B 7
� H �B
F
B �B � H �B �
B �
H �B B �B
7
� B � H � H � H ����� ����� � ' � H � ) � H � * � H � * �H � � �H � � �H �
7 H
7
+
����� D�' D
Hence,
7
a) b)
)
����� D B �D ) H 7
�
*
�
�
�
�
� D
D
H �
� B , �� i.e., ���
, we can consider
D
�
�
�
*
D
�
�
7
�
� �
H �
* )
� D B � D D D
�
�
� D
D
�
�
D D D D D D 243#5�6 7 � 0 , on the other hand, for defined by (2) to be bent. If
�
at
�����
7
0 . For
�
����� 7
7
and
From Theorem 5,
at
row index
0 D3
B � D
B �
'
�
*
* 7
�H
�
D D
'
D
�
�
�
�
H � D
D
�
D D
�
* �H
����� '
�H
� �H
B �H � �H �
�)� �D *H D �* (D )B *
�
�
B � D
�
����� ' � H * �H 7
�
� �H
H �H � �H �
)� � H *H � H �* � H )B � H
�
�H
�H
�
�����
�
D
�
D
� or the vector
D
3
B �
�J
�
) *
J
�
�
6
H
is not constant D D D D D D D 2�3�5�6 for defined by (2) to be bent. Finally, is bent at two distinct cases. 7 7 � � � H � � � � * � and ��� cases. D J D � D J �D D 7 3 J � J � 6 J"D 3 � J J D � 6 G � = � '�G � > � '�G � ' � G � = � % � '�G � > � % � ' � � > A � � G � = G � > G � '�G � G � G � � � G � � � G � = � > G � = � %�G � = � G � > � '�G � > � G � > � � � � � � � � G � % � G � % � G � ' � G � � G � � � G � � � % � G � � � � G � = � % � G � = � ' � G � > � � � � � � � � � � � � � � � G �%� � G � =�%�'� G �>�%�'� � � � � � % A � G � G � � � G � � � G � = � %�G � = � G � = � G � > � G � > � G � > � G � % � G � % � � G � ' � � � � � � � � G � ' � � G � ' � G � � G � � � G � � � G � ' � G � � G � �� � G � � � � G � = � > � G � % � �
� � � � � � � G � > � ' � G � % � ��� G � ' � ��� G � � ��� G � � � % � � G � � � � � G � = � % � � G � = � ' � �
� � � � � � G � > � � � G � % � � � G � = � % � ' � � G � > � % � ' � �
� � � � � � � ' A � � G � = G � > G � %�G � '�G � G � G � = � G � � � � G � � � = � G � = � > G � = � G � = � = � G � > � '�G � > � � � G � > � � G � > � = � G � % � G � % � = � G � ' � G � ' � � G � ' � G � ' � = � G � � � G � � � G � � = � G � � � � � � � � G � � = � G � = � � =(= G � � � � = � G � � � ��� = � G � � � �� = � G � = � > � = � G � = � % � = � G � = � � = � G � > � ' � = � � � � G � > � � = � G � > � � = � G � > � ��� = � G � > � �� = � G � > � ��� = � G � % � � = � G � % � ��� = � G � % � �� = � � � � G � � � = � G � � ��� = � G � � ��� = � G � � �� = � G � � ��� = � G � �� ��� = � G � � � � �� = � G � = � > � �� = � � � � � � � � G � > � ' � � = � G � % � � �� = � G � % � ��� �� = � G � ' � ��� �� = � G � � � � �� = � G � � � % � � �� = � G � � � � � �� = � � � � � � G � = � % � � �� = � G � = � ' � � �� = � G � > � � � � = � G � % � � � �� = � G � = � % � ' � � �� = � G � > � % � ' � � �� = � Bent functions
�
*
B
�
�
�
� �
� �
�
Degree
' )
* *
�
VII. C ONCLUSIONS@ @(E-F E-F @ > � H 3#5 B�G H 2�3�5�687 ! H � B 3�5 B#G+H I 6 � � 6 6 B 9$" must be presented, i.e., E F @ � H � B @ E F > ? @ ! H 3�5 B#G+H 243#5�6 7 3�5 B#G+H I 6 � 6
