Notes on Bent Functions in Polynomial Forms - DergiPark

INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Koc¸ak et al., Vol.1, No.2

Notes on Bent Functions in Polynomial Forms 1 ¨ Onur Koc¸ak1 , Onur Kurt1,2 , Nes¸e Oztop , Zulf Saygı3 ¨ ukar ¨ 1

Department of Cryptography, Institute of Applied Mathematics, Middle East Technical University, Ankara, Turkey 2 Department of Mathematics, Middle East Technical University, Ankara, Turkey 3 Department of Mathematics, TOBB Economics and Technology University, Ankara, Turkey e-mail:{onur.kocak, konur, noztop}@metu.edu.tr, [email protected]

Abstract—The existence and construction of bent functions are two of the most widely studied problems in Boolean functions. For monomial functions f (x) = T r1n (axs ), these problems were examined extensively and it was shown that the bentness of the monomial functions is complete for n ≤ 20. However, in the binomial function case, i.e. f (x) = T r1n (axs1 ) + T r1k (bxs2 ), this characterization is not complete and there are still open problems. In this paper, we give a summary of the literature on the bentness m m of binomial functions and show that there exist no bent functions of the form T r1n (axr(2 −1) ) + T r1m (bxs(2 +1) ) where n =n2m, 2 −1 m gcd(r, 2m + 1) = 1, gcd(s, 2m − 1) = 1. Also, we give a bent function example of the form fa,b (x) = T r1n (ax2 −1 ) + T r12 (bx 3 ) for n = 4, although, it is stated in [9] that there is no such bent function of this form for any value of a and b. Keywords—Boolean function, Bent functions, Walsh-Hadamard Transform, Dillon exponents, Kloosterman Sums.

1.

Introduction

existence conditions of bent functions are given for some values of the parameters n, k, s1 and s2 . HowThe class of bent functions is a special set of ever, the characterization of binomial bent functions functions that achieve the highest possible non- is not complete and open problems remain. linearity among Boolean functions. Such functions In this paper, we give a brief summary of current are of great importance for cryptography and coding studies on binomial bent functions. Moreover, we theory. Therefore, the existence of bent functions give existence and non-existence results for some is a widely studied problem. When considering the specific forms of bent function families. polynomial form, monomial bent functions, which The paper is organized as follows: Section II is are of the form T r1n (axs ) are studied by [1], [3], [4], [7] and all monomial bent functions are known devoted to the notation used in the rest of the paper if n ≤ 20. After reaching such a point, community and necessary knowledge. In the third section, in started to pay attention on binomial bent functions order to give the historical background, we mention of the form T r1n (axs1 ) + T r1k (bxs2 ). These functions the known results on monomial bent functions. are examined in [6], [8], [9], [10], [15], [16] and the Next, in Section IV, we investigate the bentness of binomial functions, give some examples and results Manuscript received May 22, 2012; revised June 28, 2012. on specific values of k, t and m for the functions

43

INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Koc¸ak et al., Vol.1, No.2

fa,b (x) = T r1n (ax2

2. 2.1.

m −1

) + T r1k (bx

2n −1 t

).

Definition 1: A Boolean function f : F2n → F2 n is said to be bent if Wf (ω) = ±2 2 for all ω ∈ F2n .

Notation and Preliminaries

The classical binary Kloosterman sums on F2m are defined as follows:

Boolean Functions and Polynomial Forms

Definition 2: Let a ∈ F2m . The binary Kloosterman sum associated with a is

Let f : F2n → F2 be a Boolean function in n variables. The truth table of f is defined as the X 1 m Km (a) = (−1)T r1 (ax+ x ) . vector (f (x0 ), f (x1 ), . . . , f (x2n −1 )). The number of x∈F2m non-zero coordinates in the truth table is called the Proposition 1: [12] Let m be a positive inteHamming weight wt(f ) of f , or weight in short. ger. The set {Km (a), a ∈ F2m } is the set of Equivalently, one can define weight as all the integers multiple of 4 in the range X h i m+2 m+2 wt(f ) = f (x). 2 2 −2 + 1, 2 +1 . x∈F2n

Any Boolean function f can be uniquely repre- 3. Monomial Bent Functions sented in a polynomial form as Let f : F2n → F2 be a Boolean function such X n−1 o(r) T r1 (ar xr ) + (1 + x2 ), f (x) = that f (x) = T r1n (axs ) for a given positive integer s r∈R and for some a ∈ F2n . Functions of this form are Pn−1 2i n ∀x ∈ F2n , ar ∈ F2o(r) where T r1 (x) = i=0 x , called monomial functions. The exponent s is said the trace function from F2n to F2 , is the sum of the to be a bent exponent if there exists a ∈ F∗2n such conjugates of x ∈ F2n , R is the set of cyclotomic that T r1n (axs ) is bent. In order f to be bent, the coset leaders r, o(r) is the size of the coset that following two conditions should be satisfied [3]: contains r and  is the modulo 2 value of wt(f ). n • gcd(s, 2 − 1) 6= 1. n/2

n/2

• either gcd(s, 2 + 1) = 1 or gcd(s, 2 − 1) = 1. Note that bent functions defined on F2n exist only for even values of n. Moreover, it is well known that All known bent exponents s for power functions, their Hamming weights are even. Therefore,  = 0 with o(s) = n, are given in Table 1. and their polynomial form is TABLE 1 X All known bent exponents, s, o(s) = n o(r) f (x) = T r1 (ar xr ) ∀x ∈ F2n .

r∈R

2.2.

Bent Functions

The Walsh-Hadamard transform of f is the discrete Fourier transform of (−1)f . It is defined for the value ω ∈ F2n as follows: Wf (ω) =

X x∈F2n

f (x)+T r1n (ωx)

(−1)

.

s 2i + 1 r · (2n/2 − 1) 22i − 2i + 1 (2n/4 + 1)2 n/3 2 + 2n/6 + 1

Condition even, 1 ≤ i ≤ n2 gcd(r, 2n/2 + 1) = 1 gcd(n, i) = 1 n = 4r, r odd n = 0 mod 6

n gcd(n,i)

Reference [13] [1], [3], [7], [12] [14] [3], [5] [4]

Also, Canteaut et al. [4] showed by computer experiments that there is no other exponent s for n ≤ 20.

44

INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Koc¸ak et al., Vol.1, No.2

Moreover, for the exponents s where o(s) < n, Mesnager [11], based on an exhaustive search up to n ≤ 14, claimed that the only bent Boolean n/2 n/2 functions are of the form T r1 (ax2 +1 ) for some a ∈ F2n . A specific form of monomial functions, fa(r) , namely monomial Dillon functions, can be represented as fa(r) (x) = T r1n (axr(2

m −1)

positive integer s (always understood modulo 2n −1) is said to be a Niho exponent, and xs is Niho power function, if the restriction of xs to F2m is linear or in other words s ≡ 2j (mod 2m − 1) for some j < n. The following are bent Niho exponents given by Dobbertin et al. [2]. The fractions are interpreted modulo 2m + 1, for instance 12 = 2m−1 + 1. • • •

),

∀x ∈ F2n , a ∈ F∗2n , n = 2m. Bentness of these functions has been first studied by Dillon [1] for the case r = 1. Then, Leander [3] next Charpin and Gong [7] investigated the bentness of monomial Dillon functions in the case gcd(r, 2m + 1) = 1. The following theorem shows the relation between the bentness of monomial Dillon functions and Kloosterman sums.

s1 = (2m − 1) 12 + 1 and s2 = (2m − 1)3 + 1; s1 = (2m − 1) 21 + 1 and s2 = (2m − 1) 14 + 1 (m odd); s1 = (2m − 1) 21 + 1 and s2 = (2m − 1) 16 + 1 (m even);

Then, in [6], [8], [9], Mesnager investigated the 2n −1 r(2m −1) 2 n 3 ) + T r1 (bx ) and gave functions T r1 (ax ∗ the conditions on a ∈ F2m and b ∈ F∗22 for bentness. Following Mesnager’s approach, Wang et al. [15] considered the functions of the form 2n −1 n r(2m −1) 4 5 fa,b (x) = T r1 (ax ) + T r1 (bx ) where n = 2m, m ≡ 2 (mod 4), a ∈ F2m and b ∈ F24 .

In this section, we investigate bentness of 2n −1 2m −1 k n )+T r1 (bx t ) when t|2m +1 fa,b (x) = T r1 (ax ∗ Theorem 1: [1], [7] Suppose that a ∈ F2m . and when t|2m − 1. We cover the previous work The function fa(r) defined on F2n by fa(r) (x) = of Mesnager [9] and Wang et al. [10], [15], give m T r1n (axr(2 −1) ) where gcd(r, 2m + 1) = 1 is bent some examples for both cases and state a result if and only if the Kloosterman sum on F2m denoted on the existence of bent functions of the form 2n −1 m by Km satisfies Km (a) = 0. fa,b (x) = T r1n (ax(2 −1) ) + T r12 (bx 3 ) for n = 4. In this paper, we focus on the bent functions with 2n −1 m Dillon exponents. 4.1. T r1n (ax(2 −1) ) + T r1k (bx t ), where o( 2

4.

n −1

t

) = k and t|2m + 1

Binomial Bent Functions Mesnager [9] showed that the bentness of

Monomial bent functions have been intensively investigated over the years and all the bent exponents have been identified for n ≤ 20. As the search heavily relies on computer experiments, it is very hard to find a new exponent s for n > 20 so that T r1n (axs ) does not belong to any of the previous constructions. Therefore, the community started to search bent functions with multiple trace terms where the first step, naturally, is binomial functions. The first studies in finding binomial bent functions were performed by Dobbertin et al. [2] where they showed that T r1n (a1 xs1 + a2 xs2 ) is bent with s1 and s2 being Niho exponents. Note that, a

fa,b (x) = T r1n (ax(2

m −1)

) + T r12 (bx

2n −1 3

)

a ∈ F∗2n , b ∈ F∗4 , n = 2m, can be characterized via Kloosterman sums for m > 3, m odd. If Km (a) = 4, then fa,1 ,fa,β and fa,β 2 are bent while if Km (a) 6= 4 then fa,1 ,fa,β and fa,β 2 are not bent. Wang et al. [10] followed similar approach given in [9] and showed that

ga,b (x) = T r1n (ax(2

m −1)

) + T r14 (bx

2n −1 5

)

45

INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Koc¸ak et al., Vol.1, No.2

is bent for some values of a and b, where a ∈ F2n , b ∈ F24 , n = 2m and m ≡ 2 mod 4. The following function can be given as an example of a bent function of this form: T r112 (x63 ) + T r14 (βx819 ) where β = α273 is a root of the primitive polynomial x4 +x+1 and α is a root of the primitive polynomial x12 + x6 + x4 + x + 1. Both these approaches are quite similar and depend on the fact that 3 or 5 do not only divide 2n −1 but also 2m + 1. Mesnager [16] proved this idea for general case

TABLE 2 x

4 (x3 ) T r1

2 (x5 ) T r1

f (x)

Wf (x)

0 1 α α + 1 = α4 α2 α2 + 1 = α8 α2 + α = α5 α2 + α + 1 = α10 α3 α3 + 1 = α14 α3 + α = α9 α3 + α + 1 = α7 α3 + α2 = α6 α3 + α2 + 1 = α13 α3 + α2 + α = α11 α3 + α2 + α + 1 = α12

0 0 1 1 1 1 0 0 1 1 1 1 1 1 1 1

0 0 1 1 1 1 1 1 0 1 0 1 0 1 1 0

0 0 0 0 0 0 1 1 1 0 1 0 1 0 0 1

4 -4 4 -4 4 -4 -4 4 4 4 4 4 4 4 -4 -4

Remark 1: fa,b (x) = T r14 (ax3 )+T r12 (bx5 ) is bent ) + T r1k (bx ) ha,b (x) = T r1n (ar x for a = 1 and b = 1 where F24 = F2 (α) and α is r∈R a root of the primitive polynomial x4 + x + 1 over where n = 2m is an even integer, R is a subset F24 . of representatives of the cyclotomic classes modulo Algebraic normal form of f (x) is m (2m + 1), ar ∈ F∗2m , b ∈ F2k and s = 2 t+1 . Note, f (x) = T r14 (x3 ) + T r12 (x5 ) = x1 + x2 x3 + x1 x4 o(s(2m − 1)) = k, i.e. the size of the cyclotomic coset of s modulo (2m + 1) is k. The proof for the where x = (x1 , x2 , x3 , x4 ). The truth table and general case depends on Dickson polynomials. Walsh spectrum of f (x) can be seen from Table 2n −1 m 2. 4.2. T r1n (ax(2 −1) ) + T r1k (bx t ), where n The following functions are numerical examples o( 2 t−1 ) = k and t|2m − 1 for fa,b when 3 divides 2m − 1 : In [9], Mesnager studied the functions of the form • For n = 8, m = 4, k = 2 and t = 3 2n −1 n (2m −1) 2 fa,b (x) = T r1 (ax ) + T r1 (bx 3 ) T r18 (α51 x15 ) + T r12 (x85 ) and found some results when m is odd. Because of where α is a root of the primitive polynomial the fact that 3 divides 2m − 1 when m is even, this x8 + x4 + x3 + x2 + 1. case seems much harder than the case for m odd. • For n = 12, m = 6, k = 2 and t = 3 Therefore, the bentness of fa,b for even values of m has not been characterized yet. On the other hand, T r112 (α195 x63 ) + T r12 (x1365 ) it is claimed in [9] by conducting exhaustive search where α is a root of the primitive polynomial that for n = 8, 12, there exist bent Boolean functions 2n −1 n (2m −1) 2 x12 + x6 + x4 + x + 1 . of the form fa,b (x) = T r1 (ax )+T r1 (bx 3 ), but there is no bent function of this form for n = 4. However, our computer experiments resulted in the Consider the case t = 2m − 1. Then, existence of a bent function for n = 4 and it is m m shown in Remark 1. fa,b (x) = T r1n (ax2 −1 ) + T r1m (bx2 +1 ). X

r(2m −1)

s(2m −1)

46

INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Koc¸ak et al., Vol.1, No.2

TABLE 3

It is known that if fa,b (x) is bent, then Wf (w) = ±2m , ∀w. Before looking at the Walsh-Hadamard transform, it is worth to note two well-known facts one of which is about the Kloosterman sums.

m 2 3 4 5 6

Proposition 2: [1] X

Km (a) [-3, 5] [-4.65, 6.65] [-7, 9] [-10.31, 12.31] [-15, 17]

Wf (0) ±4 ±8 ±16 ±32 ±64

n

(−1)T r1 (au) = 1 − Km (a),

u∈U

where U is the cyclic group of order 2m + 1 and a ∈ F∗2m . Proposition 3: Any x ∈ F∗2n can be written as x = uy with y ∈ F∗2m and u ∈ U where U is the cyclic group of order 2m + 1.

where gcd(r, 2m + 1) = 1, gcd(s, 2m − 1) = 1 are not bent for any a, b ∈ F∗2m .

5.

Conclusion

Computation of the Walsh-Hadamard transform The classification and characterization of bent for w = 0 shows functions in polynomial forms is a hard problem. m −1 m +1 n 2 m 2 P )+T r1 (bx ) Despite the existence of notably many specified bent Wf (0) = x∈F2n (−1)T r1 (ax functions, there are still open problems and unclassified bent functions. In this note, we studied previm m X X T r1n (a(uy)2 −1 )+T r1m (b(uy)2 +1 ) (−1) = 1+ ous characterization of some binomial functions of 2n −1 u∈U y∈F∗2m n (2m −1) k the form f(a,b) (x) = T r1 (ax ) + T r1 (bx t ) m X X T r1n (au2 −1 ) T r1m (by 2 ) m m = 1+ (−1) (−1) where t divides either 2 + 1 or 2 − 1. Mesnager u∈U y∈F∗2m [9] investigated the former case and presented some X X n m = 1+ (−1)T r1 (au) (−1)T r1 (by) conditions on bentness of this function family. The u∈U y∈F∗2m latter case has not been characterized yet. In this = 1 + (1 − Km (a))(−1) study, we showed for specific values of t, where = Km (a) t = 2m −1, that there is no bent function of the form m m T r1n (ax(2 −1) ) + T r1m (bx2 +1 ). As a future work, In order for fa,b (x) to be bent, Wf (0) = Km (a) = it is planned to study the characterization of f(a,b) ±2m . However, by Proposition 1, we know that m+2 m+2 in the case t divides 2m − 1 which still has open Km (a) is in the interval [−2 2 + 1, 2 2 + 1] problems. ∀a ∈ F∗2m . One can easily show that, for any value of m > 2, ±2m is out of Kloosterman sums bounds. To illustrate, the boundaries for Km (a) and the 6. Acknowledgment Walsh spectrum values are given in Table 3 for This paper is an extended version of the paper apdistinct values of m. This observation is stated in peared in the Proceedings of 5th International ConProposition 4. ference on Information Security and Cryptology, Proposition 4: Boolean functions of the form 2012. The first and the third authors are supported n r(2m −1) m s(2m +1) ¨ ˙ITAK under Fellowship Program No. 2211. by TUB fa,b (x) = T r1 (ax ) + T r1 (bx )

47

INTERNATIONAL JOURNAL OF INFORMATION SECURITY SCIENCE Koc¸ak et al., Vol.1, No.2

¨ ˙ITAK under The fourth author is supported by TUB Grant No. TBAG–109T344.

[16] S. Mesnager, J.-P. Flori, A note on hyper-bent functions via Dillon-like exponents, Cryptology ePrint Archive, Report 2012/033, 2012. http://eprint.iacr.org/.

References [1] J. F. Dillon, Elementary Hadamard Difference Sets, Ph.D Dissertation, University of Maryland 1974. [2] H. Dobbertin, G. Leander, A. Canteaut, C. Carlet, P. Felke, P. Gaborit, Construction of bent functions via Niho power functions, J. Combin. Theory, ser. A, vol. 113, pp 779-798, 2006. [3] G. Leander, Monomial bent functions, IEEE Trans. Inf. Theory, vol. 2, no. 52, pp. 738-743, 2006. [4] A. Canteaut, P. Charpin, and G. Kyureghyan, A new class of monomial bent functions, Finite Fields Applicat., vol. 14, no. 1, pp 221-241, 2008. [5] P. Charpin and G. Kyureghyan, Cubic monomial bent functions: A subclass of M, SIAM J. Discr. Math., vol. 22, no. 2, pp. 650665,2008. [6] S. Mesnager, A new class of bent boolean functions in polynomial forms, in Proc. Int. Workshop on Coding and Cryptography, WCC 2009, pp. 5-18, 2009. [7] P. Charpin, G. Gong, Hyperbent functions, Kloosterman Sums and Dickson Polynomials, IEEE Trans. Inform. Theory 9(54), 4230-4238 (2008). [8] S. Mesnager, A new family of hyper-bent boolean functions in polynomial form, M. G. Parker Ed., in Proc. Twelfth Int. Conf. Cryptography and Coding, Cirencester, United Kingdom. IMACC 2009, Heidelberg, Germany, 2009, vol. 5921, LNCS, pp. 402-417. [9] S. Mesnager, A new class of bent and hyper-bent boolean functions in polynomial forms, Des. Codes Cryptography, 59(13):265-279, 2011. [10] B. Wang, C. Tang, Y. Qi, Y. Yang, M. Xu, A New Class of Hyper-bent Boolean Functions with Multiple Trace Terms, Cryptology ePrint Archive, Report 2011/600, 2011. http://eprint.iacr.org/. [11] S. Mesnager, Recent Results on Bent and Hyper-bent Functions and Their Link With Some Exponential Sums. IEEE Information Theory Workshop (ITW 2010), Dublin, August-September 2010. [12] G. Lachaud, J. Wolfmann, The Weights of the Orthogonals of the Extended Quadratic Binary Goppa Codes IEEE Trans. Inf. Theory, vol. 36, no 3, pp. 686-692, 1990. [13] R.Gold, Maximal Recursive Sequences with 3-valued Recursive Cross-Correlation Functions IEEE Trans. Inf. Theory, vol. 14, no 1, pp. 154-156, 1968. [14] J.F. Dillon, H. Dobbertin, New Cyclic Difference Sets with Singer Parameters Finite Fields and Their Applications, vol.10, no 3, pp. 342-389, 2004. [15] B. Wang, C. Tang, Y. Qi, and Y. Yang, A generalization of the class of hyper-bent Boolean functions in binomial forms, Cryptology ePrint Archive, Report 2011/698, 2011. http://eprint.iacr.org/.

48