On a generalized combinatorial conjecture involving addition mod 2 k 1

Transcription

1 On a generalized combinatorial conjecture involving addition mod k 1 Gérard Cohen Jean-Pierre Flori Tuesday 14 th February, 01 Abstract In this note, e give a simple proof of the combinatorial conjecture proposed by Tang, Carlet and Tang, based on hich they constructed to classes of Boolean functions ith many good cryptographic properties. We also give more general properties about the generalization of the conjecture they propose. 1 Introduction In a very recent paper inspired by the previous ork of Tu and Deng [6], Tang, Carlet and Tang [5] constructed an infinite family of Boolean functions ith many good cryptographic interesting properties depending on the validity of the folloing combinatorial property: Conjecture 1. k, max # (a, b ( Z/( k 1Z } a b = t; (a + (b k 1 k 1. t (Z/( k 1Z They verified it experimentally for k 9, as ell as the folloing generalized property for k 15 here u Z/( k 1Z is such that gcd(u, k 1 = 1: Conjecture. k, max # (a, b ( Z/( k 1Z } ua ± b = t; (a + (b k 1 k 1. t (Z/( k 1Z This generalized conjecture includes the original conjecture proposed by Tu and Deng [6]. From no on, let us denote by S k,t,±,u the quantity of interest: S k,t,±,u = # (a, b ( Z/( k 1Z } ua ± b = t; (a + (b k 1. In Section, e give some general properties about such sets and their cardinalities. In Section 3, e give the proof of Conjecture 1. In Section 4, e conjecture a recursive formula for k 1 S k,t,,1. Institut Télécom, Télécom ParisTech, UMR 7539, CNRS LTCI, 46 rue Barrault, F Paris Cedex 13, France, flori,cohen}@enst.fr 1

2 General properties Here e follo the approach of the previous attempts to prove the original conjecture of Tu and Deng [, 1]. We recall the elementary results: Lemma 1. For k 1, a Z/( k 1Z, (a = (a; a ( Z/( k 1Z, ( a = k (a. We first remark that for a given a Z/( k 1Z, b must be equal to ±(t ua, hence the folloing lemma. Lemma. For k, S k,t,±,u = # a Z/( k 1Z (a + (±(t ua k 1 }. We no sho that is enough to study the conjecture for one t, but also one u, in each cyclotomic class. Lemma 3. For k, S k,t,±,u = S k,t,±,u. Proof. Indeed a a is a permutation of Z/( k 1Z so that S k,t,±,u = # a Z/( k 1Z (a + (±(t ua k 1 } = # a Z/( k 1Z (a + (±(t ua k 1 } = # a Z/( k 1Z (a + (±(t ua k 1 } = S k,t,±,u. Lemma 4. For k, S k,t,±,u = S k,t,±,u. Proof. Using the previous lemma: S k,t,±,u = S k,t,±,u = # a Z/( k 1Z (a + (±(t ua k 1 } = # a Z/( k 1Z (a + (±(t ua k 1 } = S k,t,±,u. We no sho a more elaborate relation. Lemma 5. For k and gcd(u, k 1 = 1, S k,t,±,u = S k,±u 1 t,±,u 1.

3 Proof. We use the fact that a u 1 ( a + t is a permutation of Z/( k 1Z. S k,t,±,u = # a Z/( k 1Z (a + (±(t ua k 1 } = # a Z/( k 1Z (u 1 ( a + t + (a k 1 } = # a Z/( k 1Z (±(±u 1 t u 1 a + (a k 1 } = S k,±u 1 t,±,u 1. 3 Proof of the conjecture We no prove Conjecture 1, and so its extension for u equal to any poer of, that is Conjecture for u = i and the sign, according to Lemma 4. First, e note that for u = 1 and the sign, Lemma 5 becomes S k,t,,1 = S k, t,,1. Second, for the specific values of a = 0, t, e have that (0 + ( t = ( t k 1, and (t + (0 = (t k 1, so that e alays have 0, t} a Z/( k 1Z (a + ( (t a k 1 }. Finally, for a 0, t, e have that (a + ( (t a = k ( a + k (t a = k (( a + (t a. Then using the fact that a a is a permutation of Z/( k 1Z: Hence S k,t,,1 = + # a Z/( k 1Z \ 0, t} (a + ( (t a k 1 } = + # a Z/( k 1Z \ 0, t} ( a + (t a k + 1 } = + # a Z/( k 1Z ( a + (t a k + 1 } = + # a Z/( k 1Z (a + (t + a k + 1 } = + ( k 1 # a Z/( k 1Z (a + (t + a k } + ( k 1 # a Z/( k 1Z (a + (t + a k 1 } k + 1 S k, t,,1 k + 1 S k,t,,1. S k,t,,1 k + 1, but e kno that S k,t,,1 is an integer, hich concludes the proof of Conjecture 1. 3

4 We also note that for t = 0, S k,0,,1 = # a Z/( k 1Z (a k 1 } = = k 1 =0 k 1 =0 # a Z/( k 1Z (a = } ( k, hich is equal to k 1 ( k (k+1/ if k is odd, and k 1 ( ( k k/ 1 k/ k / if k is even. Therefore the conjecture can be naturally extended to include the case t = 0. 4 Computing the exact gap If e rerite the above reasoning more carefully, e find that S k,t,,1 = k 1 + (1 # a Z/( k 1Z (a + (t + a = k } /. It is an interesting problem to find a closed-form formula for the value of M k,t = # a ( Z/( k 1Z } (a + (t + a = k, M k = min M k,t. t Z/( k 1Z We denote by k the folloing value k = M k 1 so that S k,t,,1 = k 1 k. The experimental results of Tang, Carlet and Tang suggest that the folloing recursive formula is verified: k + 1 if k even, k+1 = k + 1 Γ (k 1/ if k odd, here n 1 Γ n = 1 + and C = ( /( + 1 is the -th Catalan number. Γn is the sequence A in OEIS [3]. Further experimental investigations made ith Sage [4] sho that the minimal value M k seems to be attained for t = 1 if k is even and t = 3 if k is odd. In fact, the next proposition gives explicit formulae for M k,1 and M k,3. We recall that r(a, t = (a + t (a (t can be interpreted as the number of carries occurring hile adding a and t. Then e can describe M k,t as M k,t = # a ( Z/( k 1Z } (a + (t + a = k = # a ( Z/( k 1Z } (a + (t r(a, t = k = # a ( Z/( k 1Z } r(a, t = k + (t + (a. =0, C 4

5 Proposition 1. For k, M k,1 = (k+1/ ( 1 Proof. We kno that M k,1 = M k, 1, so e enumerate the set of a s verifying r(a, 1 = (a 1 according to (a or equivalently r(a, 1. The binary expansion of 1 is First, for any number t Z/( k 1Z, 0 r(a, t k, so e deduce that a must verify 1 (a (k + 1/. Second, for a given number of carries r, a number a verifying r(a, 1 = r must be of the folloing form 1 = , a =???? r Such a description is valid even if r(a, 1 = k. So, for a given eight, a number a verifying (a = and r(a, 1 = 1 must be of the folloing form 1 = , a =????10---0, 1 ith the other 1 bits equal to 1 anyhere among the first bits. Hence there are ( 1 differents a s of eight verifying r(a, 1 = 1. Finally, summing up on 1 (k + 1/, e get that M k,1 = (k+1/ ( 1. Proposition. For k 3, M k,3 = 1 + k/ ( 1 Proof. We proceed as in the proof of Proposition 1. The arguments are only slightly more technical. We kno that M k,3 = M k, 3, so e enumerate the set of a s verifying r(a, 3 = (a according to (a or equivalently r(a, 3. The binary expansion of 3 is First, from r(a, 3 = (a, e deduce that 1 k/ + 1. Second, for a given number of carries r, there are no different possibilities... ( k (t For any t Z/( k 1Z, there are exactly k (t 1 =0 different a s producing no carries. Indeed, such a s are characterized by the facts that they have no bits equal to 1 in front of any bit of t equal to 1 and that they can not have only 1 s in front of the bits of t equal to 0. For t = 3, the such a s are exactly 0, 1 and and both 1 and have eight 1. Then, for a given number of carries 1 r < k/, a number a verifying r(a, 3 = r cannot have its to last bits (in front of the to bits of 3 equal to 0 equal to 1. Otherise it ould produce k carries. So it must be of one of the folloing forms 3 = , a =????10--0?0, r a =??? r 1 5

6 So for a given eight, a number a verifying (a = and r(a, 3 = must be of one of the folloing forms 3 = , a =????10--0?0, a =??? , 3 ith the other 1 bits set to 1 anyhere among the remaining bits in the first case, and the other bits set to 1 anyhere among the 4 first bits in the second one. Hence there are ( ( differents a s of eight. Finally, if k is odd and (a = k/ + 1, then r(a, t = k 1 and a must be of the folloing form 3 = , a =????101. There are ( 4 different such a s. And, if k is even and (a = k/ + 1, then r(a, t = k and a must be of the folloing form There are also ( 4 different such a s. Therefore, e find that M k,3 = + = 1 + k/ = 3 = , k/ a =?????11. ( + 1 ( 1 k/ +1. = ( 4 We no prove recurrence relations for M k,1 and M k,3. Corollary 1. If k is even, then If k is odd, then M k,1 + 1 = M k+1,3. M k,3 Γ (k 1/ = (M k+1,1 1/. Proof. The first equality is a simple consequence of the fact k/ = (k + 1/ hen k is even. For the second one, e rite M k,3 Γ (k 1/ = 1 + = k/ (k 1/ ( 1 1 ( 1 (k 3/ =0 (k 3/ =0 ( (k 3/ ( = 1 + ( 1/( + 1, ( /( + 1 /( + 1 6

7 and (M k+1,1 1/ = = k/ +1 = (k 1/ ( / 1 ( /, so that e can equivalently sho that ( (k 3/ k 1 ( = (3 /( + 1 (k 1/, hich follos from a simple induction. For k = 3, this reduces to 0 = 0 hich is indeed true; for k > 3 odd, e have ( ( k + 1 k 1 = 4k/(k + 1 (k + 1/ (k 1/ ( k 1 = (4 1/(k + 1, (k 1/ and (k 1/ ( (3 /( + 1 = (k 3/ ( ( (3 /( + 1 k 1 + (3 1/(k + 1 (k 1/. To conclude this section, let us note that M k,1 M k,3 if k is even and M k,3 M k,1 if k is odd. So, if e assume that these are indeed the minimal values M k according to the parity of k, then k is given by (Mk,1 1/ if k even, k = (M k,3 1/ if k odd, and the recursive formulae are proved. References [1] Jean-Pierre Flori and Hugues Randriam. On the number of carries occuring in an addition mod k 1. Cryptology eprint Archive, Report 011/45, [] Jean-Pierre Flori, Hugues Randriam, Gérard D. Cohen, and Sihem Mesnager. On a conjecture about binary strings distribution. In Claude Carlet and Alexander Pott, editors, SETA, volume 6338 of Lecture Notes in Computer Science, pages Springer, 010. [3] The OEIS Foundation Inc. The On-Line Encyclopedia of Integer Sequences. [4] William Stein. Sage: Open Source Mathematical Softare (Version The Sage Group,

8 [5] Deng Tang, Claude Carlet, and Xiaohu Tang. Highly nonlinear boolean functions ith optimal algebraic immunity and good behavior against fast algebraic attacks. Cryptology eprint Archive, Report 011/366, [6] Ziran Tu and Yingpu Deng. A conjecture about binary strings and its applications on constructing boolean functions ith optimal algebraic immunity. Des. Codes Cryptography, 60(1:1 14,