Hadamard Matrices, Bent Functions and Cryptography. The University of Wollongong. Abstract

Transcription

1 Hadamard Matrices, Bent Functions and Cryptography Jennifer Seberry and ian-mo Zhang Department of Computer Science The University of Wollongong Wollongong, NSW 5, AUSTRALIA November 3, 1995 Abstract The recent incorporation of the HAVAL (Hashing Algorithm with Variable Lengths) into the Tripwire security package for SUN workstations and research for the latest LOKI family of algorithms, both of which use bent functions, have led many to ask us \What are bent functions?". This article is to help introduce bent functions to those who work in Combinatorial Theory. 1 Denitions We consider functions from V n to GF () (or simply functions on V n ), where V n is the vector space of n tuples of elements from GF (), V n =(0 1) n. These functions are also called Boolean functions. Example 1 (Vector Space) V =(0 1), therefore are all the vectors in V. Notation 1 (Vectors) We use the notation: 0 =(0 ::: 0 0) 1 =(0 ::: 0 1) ::: n;1 ;1 =(1 ::: 1 1): Denition 1 (Sequence, Truth Table and Matrix of a Function) Let f be a function on V n.use i as in Notation 1. The (1 ;1)-sequence dened by ((;1) f( 0),(;1) f( 1) ::: (;1) f( n ;1) ) is called the sequence of f: The (0 1)-sequence dened by(f( 0 ), f( 1 ) ::: f( n ;1)) is called the truth table of f. The (1 1)-matrix of order n dened by((;1) f( i j ) ) is called the matrix of f. Example (Truth Table, Sequence and Matrix of a Function) Let f(x) =x 1 x x 3 x 1 x 3 x x 3 1 be a function on V 3. 1

2 The truth table of f f(000) = 1 f(001) = 0 f(010) = 0 f(011) = 1 f(100) = 1 f(101) = 1 f(110) = 0 f(111) = 1: The sequence of f is ;1 1 1 ;1 ;1 ;1 1 ;1. The matrix of f is 6 4 ; + + ; ; ; + ; + ; ; + ; ; ; + + ; ; + + ; ; ; ; + + ; ; + ; ; ; ; + ; ; + + ; ; ; ; + + ; ; + + ; ; ; + ; ; + ; + ; ; ; + + ; : Denition (Balanced Functions) A function f on V n is said to be balanced if its truth table has n;1 zeros (ones). Example 3 (Balance) f = x 1 x x 3, a function on V 3, is balanced since the truth table of f is : f takes the value zero 3;1 = 4 times. Denition 3 (Ane and Linear Functions) An ane function f on V n is a function that takes the form of f = a 1 x 1 a n x n c, where a j c GF (), j =1 ::: n. Furthermore f is called a linear function if c =0. Example 4 (Ane and Linear Functions) An ane function is one like f = x 3 x 1 1 and a linear function is one like f = x 3 x 1 : Note: There are no terms such asx 1 x or x 1 x 3. Denition 4 (Ane Sequence) The sequence of an ane (or linear) function is called an ane (or linear) sequence. Denition 5 (Hamming Weight and Hamming Distance) The Hamming weight of avector V n, denoted by W (), is the number of ones in its truth table. Given two functions f and g on V n, the Hamming distance between them is dened as d(f g) = W (f(x) g(x)), where x =(x 1 x ::: x n ).

3 Example 5 (Hamming Weight) If = (101) than W () =. Example 6 (Hamming Distance) If f(x) =x 1 x and g(x) =x 1 x then d(f g) =W (f(x) g(x)) = W (x 1 x x 1 x ): Hence for x =(x 1 x )=f(0 0) (0 1) (1 0) (1 1)g d(f g) = respectively. Notation (Scalar Product) Let =(a 1 a n )and =(b 1 b n )betwo vectors (or sequences), the scalar product of and, denoted by h i, is dened as the sum of the component-wise multiplications. In particular, when and are from V n, h i = a 1 b 1 a n b n, where the P addition and multiplication are over GF (). If and are n (1 ;1)-sequences, h i = i=1 a ib i, and the addition and multiplication is taken over the reals. Lemma 1 If =(a 1 ::: a n) and =(b 1 ::: b n) are thesequences of functions f 1 and f on V n respectively, then =(a 1 b 1 a b ::: a nb n) is the sequence off 1 (x) f (x), where x =(x 1 x ::: x n ). Proof. The two sequences are given by a i =(;1) f 1( i) and b i =(;1) f ( i), for i as before. Then a i b i =(;1) f 1( i) (;1) f ( i) =(;1) f 1( i )f( i ) ut Example 7 (Sequence of The Sum of Two Functions) We use the notation ; to represent ;1. Let f 1 (x) =x 1 x, which has sequence =(;1) f 1(0 0) (;1) f 1(0 1) (;1) f 1(1 0) (;1) f 1(1 1) =111; and f (x) =x, which has sequence =(;1) f (0 0) (;1) f (0 1) (;1) f (1 0) (;1) f (1 1) =1 ; 1 ; : Now f 1 (x)f (x) =x 1 x x has the sequence 1 ; 1 1, whichis =(a 0 b 0 a 1 b 1 a b a 3 b 3 ): 3

4 Denition 6 (Walsh-Hadamard Matrix) A(1 ;1)-matrix H of order m is called a Hadamard matrix if HH t = mi m, where H t is the transpose of H and I m is the identity matrix of order m. Itiswell known that the order of a Hadamard matrix is 1, or divisible by 4 [4]. A special kind of Hadamard matrix, called Sylvester-Hadamard matrix or Walsh- Hadamard matrix, will be relevant to this paper. A Sylvester-Hadamard matrix of order n, denoted by H n, is generated by the following recursive relation " # H H 0 =1 H n = n;1 H n;1 n=1 :::: H n;1 ;H n;1 Lemma The ith row of H n is the sequence oflinear function ' i (x) =h i xi, where x V n and i is the binary representation of i, i =0 1 ::: n ; 1. " # + + Proof. By induction on n. Let n = 1. Since H 1 =, `0 = (+ +), the sequence of + ; h0 xi and `1 =(+;), the sequence of h1 xi where x V 1,+and; stand for 1 and ;1 respectively. Suppose the lemma is true for n =1 ::: k; 1. Since H k = H 1 H k;1, where is the Kronecker product, each rowofh n can be expressed as ` where =(++)or(+;), and ` is a row ofh n;1. By the assumption ` is the sequence of a function, say '(x) =h xi, where x V k;1. Thus ` is the sequence of h yi where y V k, =(0) or(1) according as =(++)or(+;). Thus the lemma is true for n = k. ut Example 8 (Walsh-Hadamard Matrices) The rst few Walsh-Hadamard matrices are: H 1 = H 0 =[1] " ;1 # H 3 = 6 4 H = ;1 1 ;1 1 1 ;1 ;1 1 ;1 ; ;1 1 ;1 1 ;1 1 ;1 1 1 ;1 ;1 1 1 ;1 ;1 1 ;1 ;1 1 1 ;1 ; ;1 ;1 ;1 ;1 1 ;1 1 ;1 ;1 1 ; ;1 ;1 ;1 ; ;1 ;1 1 ;1 1 1 ;

5 Notation 3 Let =(i 1 i ::: i p ) be a constant vector in V p. Then D,theD-function of, is a function on V p dened by D (y 1 y ::: y p )=(y 1 i1 ) (y p ip ): This notation is very useful in obtaining the functional representation of a concatenated sequence. Let f 00 (x 1 ::: x q ), f 01 (x 1 ::: x q ), :::, f 11 (x 1 ::: x q ) be functions on V q, and let 00, 01, :::, 11 be their sequences. Let be the concatenation of 00, 01, :::, 11 (i.e., =( ::: 11 ) ). Then is the sequence of the following function on V p+q f (y x) = M V p D (y)f (x) (1) where y =(y 1 ::: y p )andx =(x 1 ::: x q ). (See also Lemma 9 of [0]). In particular, if 1, are the sequences of functions f 1, f on V n then =( 1 )is the sequence of the following function on V n+1 g(u x 1 ::: x n )=(1 u)f 1 (x 1 ::: x n ) f (x 1 ::: x n ): Example 9 (Finding Polynomial from Truth Table) Consider the sequence ; ; + + which corresponds to the binary sequence In order to nd the equivalent sequence we consider a bx 1 cx dx 1 x for respectively, obtaining upon substitution the equations 0=a 0=a b 1=a c 1=a b c d which have solution a =0,b =0,c =1andd = 0, so the associated boolean function is f(x) =x, which is linear. We note that the matrix [abcd] =[0011] gives the same equations and so the solution is [abcd]=[0011] ;1 =[0011] Because [abcd] = [0010] the boolean function is f(x) =x. 5

6 Example 10 (Formula (1)) To nd the boolean function associated with the sequence for a three variable solution, we consider [ ] x 1 x x x 1 x x 1 x x 3 x 1 x 3 x x 3 x 1 x x obtaining x x 1 x x 3 x 1 x 3 Lemma 3 In general if G 0 =1and G n = " # G n;1 G n;1 0 G n;1 the boolean function associated with the binary sequence =(a 0 a 1 :::a n ;1) is G n x T, where x T =(1 x 1 x x 1 x x 3 x 1 x 3 x x 3 x 1 x x 3 x 4 ::: ): Example 11 (Application of Lemma 3) Now we consider the balanced sequences ( ) and ( ) respectively, which give ( )G 3 x T = ( )x T and ( )G 3 x T = ( )x T which are the boolean functions f (x)=x 1 x x 3 and f(x) =1 x 1 x : Cryptographically Desirable Properties We list these and then give more details and discussion of each. The art of cryptography has led practitioner to believe that cryptographically desirable properties are: Balance, Nonlinearity, SAC, propagation, Correlation immunity, Algebraic degree. 6

7 .1 Balance Denition 7 (Balanced Functions) A function f on V n is said to be balanced if its truth table has n;1 zeros (ones). Example 1 (Balance) f = x 1 x x 3, a function on V 3, is balanced since the truth table of f is : f takes the value zero 3;1 = 4 times. We noted before, in Denition the value zero n;1 times. 7, that a function, say f on Vn is balanced if f takes We now explore further properties of balanced functions. Lemma 4 (Nondegenerate Transformation) Let g(x) =f(xb ) where B is any nonsingular matrix of order n and is any vector in V n. Then g is balanced if and only if f is balanced. Proof. We note that if B is nonsingular, then x runs through all vectors 0 =(0 ::: 0) to n ;1 =(1 ::: 1), so y = xb. Hence if f(x) is balanced so is g(x) =f(xb ): ut Example 13 (For Lemma 4) Set g(x) =f(xb ) where 6 B = =(1 1 1): Thus g(x 1 x x 3 )=f(x 1 x 1 x 1 x 3 1 x 1): g is also balanced since g(x 0 ) = 0, if and only if f(x 0 B ) =0. 7

8 Lemma 5 (Sum of Functions) Let f and g be functions on V n and V m respectively. Then f (x) g(y) is balanced iff is balanced. Proof. Since g(y 0 ) is constant for given y 0 and since the truth table of f(x) is zero (one) half the time the truth table of f(x) g(y 0 ) is zero (one) half the time. ut. Nonlinearity We recall from Denition 5 the Hamming distance d(f g). The following denition is given by Pieprzyk and Finkelstein [16]: Denition 8 (N f or nonlinearity of a function f) is called the nonlinearity of f. N f = minfd(f ')j' is aneg Example 14 (Nonlinearity) To show a calculation using this denition we consider x f(x) =x 1 x 1 (x) =1 x 1 (x) =1 x 3 (x) =1 x 1 x So that d(f i )= P f(x)6=g(x) = 1 gives and the nonlinearity or min d(f i )=1. Lemma 6 d(f 1 )=3 d(f )=3 d(f 3 )=1 d(f g) = n;1 ; 1 h i where are thesequences of f and g respectively. Proof. Write = a 0 a 1 ::: a n ;1 and = b 0 b 1 ::: b ;1. Let (+) ((;)) denote the n number of j, such that a j = b j (a j 6= b j ). Hence h i = (+) ; (;) = n ; (;) and hence (;) = n;1 ; 1 h i. Obviously, (;) =d(f g). This proves the lemma. ut 8

9 Example 15 (For Lemma 6) The sequences of f 1 3, are =(1 1 1 ;1), 1 = (;1 1 ;1 1), =(;1 ;1 1 1) and 3 =(;1 1 1 ;1) respectively, so and so and the nonlinearity or min d(f i )=1. h 1 i = ; h i = ; h 3 i = d(f 1 )=3 d(f )=3 d(f 3 )=1 Lemma 7 Any nonzero ane function is balanced. Proof. The lemma immediately follows Lemma 5. ut Lemma 8 (Nonlinearity Inequality) Let f be anarbitrary function on V n. Then the nonlinearity of f, N f, satises N f < = n;1 ; 1 n;1 : Proof. There exist many proofs for this lemma. We now give a direct proof. Let f be any function on V n and be the sequence of f. Let `j be the jth row (column) of H n, j =0 1 ::: n ; 1. Note that H n = h `0i h `1i ::: h `n ;1i: Hence H n H n T = P n ;1 j=0 h `ji and hence n T = P n ;1 j=0 h `ji. This proves n ;1 j=0 h `ji = n : () () is called Parseval's equation (see P. 416 of [11]). Thus there exist a j 0,0 < = j 0 < = n ; 1, such that h `j0 i > = n and thus h `j0 i > = 1 n or h `j0 i < = ; 1 n. From Lemma, `j0 is the sequence of a linear function, denoted by ' j0. In the rst case, by using Lemma 6, d(f ' j 0 ) < = n;1 ; 1 n;1. In the second case, h ;`j0 i > = 1 n. Note that ;`j0 is the sequence of ane function 1 ' j0. By using Lemma 6, d(f 1 ' j0 ) < = n;1 ; 1 n;1. By the denition of the nonlinearity, wehave proved N f < = n;1 ; 1 n;1. ut Lemma 9 Let g(x) =f(xb ) where B is any nonsingular matrix of order n and is any vector in V n.then N g = N f : 9

10 Proof. Let ' be an arbitrary ane function on V n. By the denition of the nonlinearity, there exists an ane function on V n,say ', such that d(f ') =N f.set (x) ='(xb ). Obviously d(g ) = d(f '). Note that is also an ane function. By the denition of nonlinearity, N g < = d(g ). This proves that N g < = N f. Since B is nonsingular, the deduction can be reversed and thus N f < = N g. The proof is completed. ut.3 Propagation Criterion Now we introduce the denition of the propagation criterion. Denition 9 (Propagation and SAC) Let f be a function on V n.wesay that f satises 1. the propagation criterion with respect to if f (x) f(x ) is a balanced function, where x =(x 1 x ::: x n ) and is a non-zero vector in V n,. the propagation criterion of degree k if it satises the propagation criterion with respecttoall V n with 1 < = W () < = k, 3. strict avalanche criterion (SAC) if the propagation criterion degree of f is 1. The above denition of the propagation criterion is from in [18]. Further work on the topic can be found in [17] where a nonsystematic method for obtaining balanced functions satisfying the propagation criterion was suggested. Note that the strict avalanche criterion (SAC) introduced by Webster and Tavares [5, 6] is equivalent to the propagation criterion of degree 1 whereas the perfect nonlinearity studied by Meier and Staelbach [1]is equivalent to the propagation criterion of degree n where n is the number of the coordinates of the function. Example 16 (Propagation Criterion) Consider f = x 1 x x 3, a function on V 3. Let =(1 1 0). Hence f(x) f(x ) =(x 1 x x 3 ) ((x 1 1)(x 1) x 3 )=x 1 x 1 is balanced. Thus f satises the propagation criterion with respect to =(1 1 0). Example 17 (Propagation Criterion) Consider the following function on V 5 f(x 1 x x 3 x 4 x 5 )=x 1 x 1 x 5 x x 4 x x 5 x x 4 x 5 x 3 x 4 x 5 : Let =( ) then f (x) f (x ) =x 3 x 4 x 5 (x 3 1)x 4 x 5 = x 4 x 5 which is not balanced. In fact, f does not satisfy the propagation criterion with respect to any vector in the subset of vectors < = f( ) ( ) ( ) ( ) ( )g: 10

11 Theorem 1 Let f be a function on V n and A be anonsingular matrix of order n over GF (). If f(x) f(x ) is balanced foreach row of A. Then (x) =f(xa) satises the strict avalanche criterion (SAC). Theorem Let f 1 ::: f m be functions on V n Set < = fjf j (x) f j (x ) is not balanced for a j, 1 < = j < = mg: If j<j < n;1 then there exists a nonsingular matrixoforder n over GF () such that each j(x) =f j (xa) satises the SAC. Example 18 (For Theorem 1) f = x 1 x x 3 does not satisfy SAC as f(x) f(x e 3 )=x 1 x x 3 x 1 x (x 3 1) = 1 is not balanced, for e 3 = (001). On the other hand, for e 1 = (100), e = (010), =(111) f(x) f(x e 1 )=x f(x) f(x e )=x 1 f(x) f(x ) =x 1 x 1 are balanced. Consider Then satises the SAC. A = 6 4 e 1 e = g(x) =f(xa) : Example 19 (For Theorem ) Let f 1 = x 1 x 3 x x 3, f = x 1 x x 1 x x x 3 and f 3 = x 1 x x x 3 x 1 x 3. Since f 1 does not satisfy the propagation criterion with respect to only (1 0 0), f does not satisfy the propagation criterion with respect to only (1 0 1), and f 3 does not satisfy the propagation criterion with respect to only (1 1 1). Hence < = f(1 0 0) (1 0 1) (1 1 1)g and j<j =3< n;1,wheren = 3. By Theorem, there exists a nonsingular there exists a matrix of order 3 over GF () such that each j(x) =f j (xa) satises the SAC. In fact, by using Theorem 1, A can be chosen as 6 A = :.4 Linear Structure Denition 10 Let f be a function on V n. A vector,, is called a linear structure of f if f(x) f(x ) is constant. 11

12 Every function has at least one linear structure because of the zero vector. Example 0 (Linear Structure) Consider the function f = x 1 x x 3 on V 3.Now = (0 0 1) is a linear structure of f, since f(x) f(x ) =(x 1 x x 3 ) (x 1 x x 3 1) = 1: Note: a linear structure is not good for cryptographic purposes and it will be avoided or minimized in cryptographic design..5 Bent Functions We now introduce the concept of bent functions. Denition 11 (Bent Functions) A function f on V n is called a bent function if ; n xv n (;1) f(x)h xi = 1 for all V n.heref(x) h xi is regarded as a real-valued function. Let f be a function on V n.weknow that the following seven statements are equivalent (i) f is bent, (ii) h `i = 1 n for any ane sequence ` of length n, where is the sequence of f, (iii) ; 1 n H n T is a (1 ;1) vector, (iv) f(x)f(x) is balanced for any non-zero vector V n,wherex =(x 1 x ::: x n ), (v) M, the matrix of f, is an Hadamard matrix, (vi) the nonlinearity N f satises N f = n;1 ; 1 n;1, (vii) D = fxjf(x) =1g is an Hadamard dierence set in V n, D =( n n;1 1 n;1 n; 1 n;1 ): The proof can be found in many literatures, for example, [1, 0, 7]. As examples, we now prove that bent functions can be dened as mentioned in (v), (vi) or (vii) by supposing the equivalence of (i), (ii), (iii) and (iv). Proof. [(v), (ii)] From a very pretty result by R.L.McFarland (see Theorem 3.3 of [5]) M = ;n H n diag(h `0i h `n ;1i)H n (3) 1

13 the equivalence of (v) and (ii) is obvious. ut Proof. [(vi), (ii)] Suppose (ii) holds i.e. h `ji = 1 n for each linear sequence of length n,say `j, that is the sequence of linear function, say ' j. Note that h 1+`ji = 1 n for each linear sequence of length n, `j. Note that 1+`j is the sequence of ane function 1' j. From Lemma 6, for any linear ' j, either d(f ' j )= n;1 ; 1 n or d(f 1 ' j )= n;1 ; 1 n. This proves (vi). Conversely, suppose (vi) holds. We prove that (ii) must hold. Otherwise, from (), there exists a linear sequence of length n,say `, that is the sequence of a linear function, say ', such that jh `ij > 1 n. Hence h `i > 1 n or h `i < ; 1 n. In the rst case, by Lemma 6, d(f ' j ) < n;1 ; 1 n hence N f < n;1 ; 1 n. The second case can be rewritten as h ;`i > 1 n. Note that ;` is the sequence of ane function 1 '. By the same reasoning, d(f 1 ' j ) < n;1 ; 1 n hence N f < n;1 ; 1 n. This contradicts the assumption that N f = n;1 ; 1 n. Hence (ii) holds. ut Proof. [(vii), (v)] Before the proof, we introduce the concepts of dierence sets and Hadamard dierence sets. Let G be an Abelian group of order v and let D be a k-subset of G. D is a (v k )-dierence set in G if for each nonzero element g G the equation g = d i ;d j has exactly solutions (d i d j ) with d i d j D. In particular, a (v k )-dierence set is called an Hadamard dierence set if v =4(k ; ). Let [D] bea(0 1) (real value) matrix of order v v, whose entries are label by ( ), where G and entry on ( ) position is 1 if and only if ; D. From [6], D is a(v k )-dierence set if and only if [D] =(k ; )I ; J, wherei is the identity matrix and J is the all-one matrix. Set [D ]=J ; [D]. Equivalently, D is a (v k )-dierence set if and only if [D ] =4(k ; )I +(v ; 4(k ; ))J. Hence D is a (v k )- Hadamard dierence set if and only if [D ] is an Hadamard matrix. We now prove the equivalence between (vii) and (v). Specialize G as the set of all the vectors in V n and regard the operation of G as the boolean addition of the vectors. Hence G is an Abelian group. Specialize D as D = fxjf(x) =1g. It is not hard to nd that [D ]is identied with M, the matrix of f. From last paragraph, M is an Hadamard matrix if and only if D is a (v k )-Hadamard dierence set, where v = n thus k must be n;1 1 n;1 and must be n; 1 n;1 (see [6]). ut It was Rothaus who rst introduced and studied bent functions [19]. Other issues related to bent functions, such as their properties, construction and enumeration, can be found in [1, 7, 9, 15, 7]. Kumar, Scholtz and Welch [8] dened and studied bent functions from Zq n to Z q,where q is a positive integer. Applications of bent functions to digital communications, coding theory and cryptography can be found in [, 4, 9, 10, 11, 1, 13, 15]. Example 1 (for Hadamard Dierence Set) f = x 1 x x 3 x 4 is a bent function on V 4. Hence, from (vii), D = fxjf(x) =1g = f(0011) (0111) (1011) (1100) (1101) (1110)g is an Hadamard dierence set. 13

14 Basic Properties of Bent Functions Let f beabent function on V n then 1. n must be even,. the degree of f is less than or equal to 1 n, except for n =, 3. for any ane function ', f ' is also bent, 4. f(xa ) isalsobentwherea is any nonsingular matrix of order n, and is any vector in V n, 5. f takes the value zero n;1 1 n;1 times, 6. ; 1 n H n T is also a bent sequence. Example (Bent Function) We nowprove that f (x) =x 1 x is a bent function on V. 1. P roof (using sequences). The truth table of f is f(0 0) = 0 f(0 1) = 0 f(1 0) = 0 f(1 1) = 1 Now consider the Sylvester-Hadamard matrix of order We consider thus the sequence of f is H = 6 4 Hence the statement (ii) is satised.. P roof (using matrices). The matrix of f is ; + ; + + ; ; + ; ; = 6 4 `1 ` `3 ` : h `1i = h `i = h `3i = h `4i = ; M = =+++ ; : ; + + ; + + ; + + ; which is an Hadamard matrix as MM T =4I P roof (using balance). Let =(a 1 a ) 6= (0 0). f(x) f(x ) =x 1 x (x 1 a 1 )(x a )=a 1 x a x 1 a 1 a is a nonconstant ane function thus 0-1 balanced

15 Example 3 (Bent Functions Are Not Balanced) f = x 1 x x 3 x 4 is a bent function on V 4. The truth table of f is : f takes the value zero 4; ;1 balanced. = 8 + = 10 times Therefore this function is not 3 The Relationship Between Avalanche Eect and Nonlinearity Let f be a function on V n, () be the sequence of f (x). Thus (0)() is the sequence of f(x) f(x ). Dene (), the excess of, tobe() =h(0) ()i: Let `i be the ith row ofh n. By Lemma of [3], `i is the sequence of linear function ' i = h i xi, where i is dened as in Denition 1. Lemma 10 Let f be a function on V n. Then the Hamming weight of f(x) f(x ) is equal to n;1 ; 1 (). Proof. Let e + (e ; ) denote the number of ones (minus ones) in the sequence of (0) (). Thus e + ; e ; =() and ( n ; e ; ) ; e ; =() ande ; = n;1 ; 1(). Note that e ; is also the number of ones in the truth table of f(x) f(x ). Thus the lemma holds. ut Obviously, by Lemma 10, Lemma 11 () =0if and only if f (x) f(x ) is balanced i.e.f satises the propagation criterion with respect to. If j()j = n then f(x) f(x ) is constant andthen is a linear structure (see [14]). However the propagation criterion is not satised by every function. In most cases, () 6= 0 but is relatively small, thus f (x) f(x ) is nearly balanced, and thus f has good avalanche eects. To measure the avalanche eect of a function, say f, with respect to every vector we consider V n () which we hope will be as small as possible. In fact, it is smallest for bent functions and largest for ane functions. 15

16 Let M be the matrix of f (see Section 1), be the sequence of f. From (3), the rst row ofmm T is (( 0 ) ( 1 ) ( ;1)): n The rst row of can be expressed as where Thus ;n H n diag(h `0i h `n ;1i )H n ;n (h `0i h `n ;1i) = ;n H n =(h `0i h `n ;1i ): (( 0 ) ( 1 ) ( n ;1)) = ;n (h `0i h `n ;1i )H n : We have now constructed innite balanced functions with nonlinearity greater than the lower bounds. Theorem 3 Let f be a function on V n.then (( 0 ) ( 1 ) ( n ;1))H n =(h `0i h `n ;1i ): Theorem 3 shows the relationship between the nonlinearity and the avalanche eect. This can be seen from Lemma 10 and the following fact (see Lemma 4 of [3]) d(g 1 g )= n;1 ; 1 h 1 i where each i is the sequence of function g i on V n. Write =(( 0 ) ( 1 ) ( ;1)). Since n h i = hh n H n i = H n H T n T = n h i n ;1 j=0 h `ji 4 = n V n (): Thus we have Corollary 1 Let f be a function on V n. Then V n () = ;n n ;1 j=0 h `ji 4 : 16

17 From Corollary 1, we can unite the nonlinearity and the dierence of a function on V n, say f, by a new criterion, denoted by (f), dened as follows n ;1 (f) = () = ;n h `ji 4 : V n j=0 From Theorem 1, the larger the nonlinearity of a function is the better the avalanche eect is. Theorem 4 Let f be a function on V n.then (i) n < = (f) < = 3n, (ii) (f) = n if and only if f is a bent function, (iii) (f) = 3n if and only if f is an ane function. Proof. (i) By Theorem 1, From (), we have Thus (ii) Note that (0) = n. n ;1 (f) = ;n h `ji 4 = ;n ( j=0 (f) = n ;1 j=0 h `ji = n : n ;1 j=0 (f) < = ;n 4n = 3n : h `ji ) : V n () = (0) = n : (4) From (4), (f) = n if and only if () = 0 for any 6= 0 i.e. f is bent (see 1). (iii) Set y j = h `ji.byparseval's equation, P n ;1 j=0 y j = n. P P It is not hard to see (f) = 3n () ;n n ;1 j=0 y j =3n () n ;1 j=0 y j =4n () P n ;1 =(P j=0 y n ;1 j y j=0 j) () y i y j =0ifj 6= i () there exists a j 0 such that y j 0 =n and y j =0ifj 6= j 0 () there exists a j 0 such that h `j0 i = n and h `ji =0ifj 6= j 0 () there exists a j 0 such that = `j0 i.e. f is an ane function. ut 4 Some Balanced Functions Bent functions have the largest nonlinearity and the smallest dierence but are not balanced thus they cannot be used in most cryptographic designs. In [, 0, 1, 3] the authors constructed balanced functions having high nonlinearity and satisfying the propagation criterion. We now analyze (f) for each construction. 17

18 4.1 Concatenating Bent Functions On V k+1 Let f be a bent function on V k and g be a function on V k+1 dened by g(x 1 x ::: x k+1 )=x 1 f(x ::: x k+1 ): Set g (x) =g(xa) where A is any nonsingular matrix of order k +1over GF (). By Corollary 6 of [3], g is a balanced function on V k+1 and satises the propagation criterion with respect to all non-zero vectors except for where is the rst row ofa. The nonlinearity of g satises N g > = k ; k. For any nonzero vector V k+1, Consider g(x) g(x ). Case 1: 6= (1 0 ::: 0). From the denition of g, g(x) g(x ) is balanced thus () =0. Case : =(1 0 ::: 0) = 1. From the denition of g, g(x) g(x ) =1,forall x V k+1.thus ( 1 )=; k+1. Hence (g) = Vk+1 () = (0) + ( 1 )= 4k+ = 4k+3 : Note that (g) is invariant under any nondegenerate linear transformation on the variables. Thus (g )= 4k+3. By Theorem 4, the lower bound of (f), where f is a function on V k+1,is k+1. However this bound cannot be reached as this bound is only attained by bent functions and bent functions only exist in even dimension vector spaces. By Lemma 10 of [3], the nonlinearity and the number of vectors for which the propagation criterion is satised, is the same for g and g. Unfortunately, g has a linear structure although it satises the propagation criterion with respect to other nonzero vectors On V k Let f be a bent function on V k; and g be a function on V k+1 dened by Set g(x 1 x ::: x k )=x 1 x f(x 3 ::: x k ): g (x) =g(xa) where A is any nonsingular matrix of order k over GF (). By Corollary 7 of [3], g is a balanced function on V k and satises the propagation criterion with respect to all but three non-zero vectors. The nonlinearity of g satises N g > = k;1 ; k. 18

19 For any nonzero vector V k, Consider g(x) g(x ). Write 1 =(1 0 ::: 0), =(0 1 ::: 0), 3 =(1 1 ::: 0). Case 1: 6= 1 3 : From the denition of g, g(x) g(x ) is balanced thus () =0. Case : = j, j =1 3. From the denition of g, g(x) g(x j )=1,j =1, for all x V k+1.thus ( j )=; k, j =1. g(x) g(x 3 ) = 0, since ( 3 )= k. Thus (g) = () = (0) + 3 Vk j=1 ( j )=4 4k = 4k+ : Note that (g) is invariant under any nondegenerate linear transformation on the variables. Thus (g )= 4k+ : By Theorem 4, the lower bound of (f), where f is a function on V k,is k. But this bound is reached only by bent functions and not by balanced functions. By Lemma 10 of [3], the nonlinearity and the number of vectors to which the propagation criterion is satised, is the same for g and g. Unfortunately, g has three linear structures although it satises the propagation criterion with respect to other nonzero vectors. 4. Concatenating Linear Functions Let p<q, y =(y 1 ::: y p )andx =(x 1 ::: x q ). Since there exist q distinct linear functions on V q,we can choose p dierent those and give each a subscript, V p. Write the set of the p linear functions as <. We can construct balanced, highly nonlinear functions satisfying the propagation criterion by the following method g(z) =g(y x) = M V p D (y)' (x) (5) where z =(y x). By Lemma 3 of [1], (i) g is balanced, (ii) the nonlinearity of g satises N g > = p+q;1 ; q;1, (iii) g satises the propagation criterion with respect to any =( ) with 6= 0, where V p and V q, (iv) the degree of g can be p +1if < is appropriate. 19

20 Let is the sequence of ' and is the sequence of g. By Lemma 1 of [0], is a concatenation of p distinct. Note that H p+q = H p H q. and hence any rowofh p+q,say L, can be represented as L = `0 `00, where `0 is a row ofh p and `00 is a row ofh q. Since dierent rows of H p is orthogonal ( q if f <, wherel = `0 h Li = `00 0 if f 6 <, where L = `0 `00 where f is the corresponding linear function of `00. Note that there exist p p L such that the corresponding linear function of `00 belongs to <, where L = `0 `00. By Theorem 1, (g) = ;p;q p p 4q = p+3q : Note that (g) is invariable under any nondegenerate linear transformation on the variables. Thus (g )= p+3q : By Theorem 4, the lower bound of (f), where f is a function on V p+q,is p+q. But this bound is reached only by bent functions instead of balanced functions. By Lemma 10 of [3], the nonlinearity and the number of vectors to which the propagation criterion is satised, of g is the same with g. We now prove the following conclusion. If there exists 0 V p such that rank of f' ' 0 j V pg = q then g, dened in (5), has no linear structures. Consider g(z) g(z ) =g(y x) g(y x ): (6) (iii) of Lemma 3 of [1] (see a previous paragraph in this subsection) (6) is balanced for 6= 0. Thus to nd a linear structure of g we only need to discuss (6) for = 0. In this case (6) is specialized as g(z) g(z ) =g(y x) g(y x ) = M V p D (y)(' (x) '(x ) = M V p D (y)' (): (7) Clearly, =(0 ) is a linear structure if and only if (7) is constant if and only if ' () =c (8) 0

21 for every V p, where c GF (). (8) is equivalent to ' () ' 0 () =0 (9) for each V p. Since the rank of f' ' 0 j V pg = q, also V q, there exists no nonzero satisfying (9), a set of linear equations about. This proves that g has no linear structures. The condition in this conclusion is easy to satisfy. For example, h 1 (x) =x 1, h (x) =x, :::, h q (x) =x q are linearly independent functions on V q. Let ' 0 be an arbitrary linear function on V q.write ' j = h j ' 0, j =1 ::: q.thus ' 1 ' 0, :::, ' q ' 0 are linearly independent. To construct function g, denedby (5), we need p linear functions on V q, whose collection is denoted by 0 = f' j V p g. Count ' 1 = h 1 ' 0, ::: ' q = h q ' 0 and ' 0,asq + 1 linear functions in 0 and choose any p ; q ; 1 linear functions on V q as the rest we construct 0. Clearly 0 satises the condition in the above conclusion. Also, g still satises (i), (ii), (iii), (iv), mentioned in the beginning of this subsection. We only need to expline (iv). Since p ; p ; 1 linear functions can be chosen arbitrarily after q + 1 linear functions are xed, we canmake L V p ' 6= 0. By the proof of Lemma 3of[1], the degree of g is p +1. The request that a function has no linear structures is an important criterion for cryptographic function as a linear structure shows the function has an unnecessary variable that will be identied by cryptographic attack. It is impossible to calculate the maximum of functions constructed in (5) unless further request or information are given. However we guarantee that we can easily construct functions without linear structures using (5). 5 New Construction of Cryptographic Functions with Small Dierence In this section we construct balanced functions having high nonlinearity and satisfying the propagation criterion with respect to many vectors. Furthermore we require the functions to have small (f) and dierence. Big dierence with respect to a nonzero vector implies the avalanche eect of the function is week. In particular, if the dierence with respect to a nonzero vector reaches the maxmun value i.e. the vector is a linear structure, the function contains an unnecessary variable. In this paper we are concerned with the dierence as well as other criteria and make the dierence as small as possible. At least, we require the functions to have no linear structure. 5.1 On V k For z V k, write z =(y x), y V k, x V k. Set g(z) =g(y x) = ( hy xi if y 6= 0 h 1 xi if y =0 (10) 1

22 where where 0 1 ::: k ;1 are dened as at beginning of Section 1. Obviously, for any xed V k, g( x) is a nonzero linear function and thus balanced. Hence we have Lemma 1 g, a function on V k, dened as in (10), is balanced. Let =( ) be a nonzero vector in V k,where V k. By the denition of () () = (;1) g(y x)g(y x) : xv k yv k Case 1: 6= 0. () = y=0 xv k (;1) g(y x)g(y x) + y6=0 xv k (;1) g(y x)g(y x) : For y =0, g(0 x) g( x ) =h 1 xih x i = h 1 xih i: (11) For y =, g( x) g(0 x ) =h xih 1 x i = h 1 xih 1 i: (1) For y 6= 0, g(y x) g(y x ) =hy xihy x i = h ih xihy i: (13) Case1.1: = 1. In this case, (11) becomes h i, (1) becomes h 1 i and (13) is a nonzero linear function of x for xed y and thus balanced. Hence () = xv k [(;1) h1 i +(;1) h1 i ]= where c =(;1) h 1 i = 1. k c = k+1 c Case 1.: 6= 1. (11), (1) and (13) are all nonzero linear functions and thus balanced. Hence () = 0. Case : = 0. In this case, 6= 0 is necessary. (10) is specialized as () = (;1) g(0 x)g(0 x) + (;1) g(y x)g(y x) : xv k y6=0 xv k

23 For y =0, g(0 x) g(0 x ) =h 1 xih 1 x i = h 1 i: (14) For y 6= 0, g(y x) g(y x ) =hy xihy x i = hy i: (15) () = (;1) h1 i + xv k (;1) h1 i + (;1) hy i = xv k y6=0 xv k yv k xv k (;1) hy i ; xv k (;1) h0 i : Note that hy i is a nonzero linear function and thus balanced. () = (;1) h1 i ; (;1) h0 i = [(;1) h1 i ; 1] = xv k xv k xv k Summarize Cases 1 and, we conclude ( 0 if h1 i =0 k+1 if h 1 i =1 Lemma 13 Let g, be the function on V k, dened as in (10). Then for any nonzero vector V k. j()j < = k+1 Lemma 13 shows that function g has no linear structure furthermore the dierence with respect to any nonzero vector is bounded by a small value. In Case 1., () =0, 6= 0, 6= 1, is arbitrary. There exist ( k ;) k = k ; k+1 such =( ). In Case, () =0, =0. satises 6= 0andh 1 i =0,thathas k;1 ; 1 nonzero solutions of. Hence there exist k ; k+1 + k;1 ; 1 =( ) such that () =0. Since() =0 if and only if g(z) g(z ) is balanced, we have the following conclusion Lemma 14 g, a function on V k, dened as in (10) satises the propagation criterion with respect to k ; k+1 + k;1 ; 1 nonzero vectors. 3

24 Let `i be the sequence of linear function, on V k, h i xi. By Lemma of [0], `i is the ith row ofh k, i =0 1 ::: k ; 1. Let be the sequence of g, dened as in (10). From Lemma 1 of [0], =(`1 `1 ` ::: `k ;1): Let L s be the sth row ofh k. By Lemma of [0], L s is a linear sequence of length k. Since H k = H k H k, L s can be rewritten as L s = `p`q, for some p and q,0 < = p q < = k ;1. Write `p =(c 0 c 1 ::: c k ;1) thus L s =(c 0`q c 1`q ::: c k ;1`q): Since H k is a Hadamard matrix, h`i `ji =0,ifj 6= i. Hence h L s i = 8 >< >: (c 0 + c 1 )h`1 `1i =(c 0 + c 1 ) k if q =1 k if q 6= if q =0 Note that c 0 = 1 and c 1 = 1. There exist k;1 `p such that c 1 = 1. Hence there exist k;1 L s such that L s = `p `q with c 1 =1andq =1. For such L s h L s i = k+1. For c 1 = ;1, h Li =0. There exits k ( k ;) L s such that L s = `p`q with q 6= 0 1. For such L s h L s i = k. Hence k ;1 (g) = ;k h L s i 4 = k;1 4(k+1) + k ( k ; ) 4k s=0 = 4k + 3k+3 ; 3k+1 : This proves that the following conclusion Lemma 15 g, a function on V k, dened as in (10) satises (g) = 4k + 3k+3 ; 3k+1. Note that jh L s ij < = k+1 for any L s, that is a row ofh k, also a linear sequence of length k. By using Lemma 3 of [0], we have Lemma 16 g, a function on V k, dened as in (10) satises N g > = k;1 ; k. Summarize Lemmas 1, 13, 14, 15 and 16 we have Theorem 5 Let g be the function on V k, dened as in (10). Then 4

25 (i) g is balanced (ii) N g > = k;1 ; k, (iii) g satises the propagation criterion with respect to k ; k+1 + k;1 ; 1 nonzero vectors, (iv) (g) = 4k + 3k+3 ; 3k+1, (v) j()j < = k+1 for any nonzero vector V k. Furthermore, since g does not satises the propagation criterion with respect to k ; ( k ; k+1 + k;1 ; 1) = k+1 ; k;1 +1 < k;1 vectors, by Theorem of [], there exists a nonsingular matrix of order k over GF (), say A, such that h(z) =f(za) satises the strict avalanche criterion (SAC). 5. On V k+1 Lemma 17 There existsapermutation on V k, say m(u), such that u m(u) runs through all the vectors in V k while u runs through V k once. Proof. There are many proofs of this lemma. For example, from Section 4, [1], there exists a matrix, say E, oforder k with entries linear functions on V k such thateachrow (except for the top row) is a listing of all the linear functions on V k and the sum of any two distinct rows is a listing of all linear functions on V k. Let the second and the third rows be and ' 0 ' 1 ::: ' k ;1 ' 3 0 ' 3 1 ::: ' 3 k ;1 respectively, where each 'ij is a linear function on V k. Dene a permutation m on all linear functions on V k by the following regulation m(' j )=' 3 j j =0 1 ::: k ; 1. By the property of matrix E, ' j m(' j )=' j ' 3 j runs through all the linear functions on V k while j runs through 0 1 ::: k ; 1. Since all the linear functions on V k is also a vector space isomorphic to V k the lemma has been proved. ut Write W 1 = f(0 u)ju V k g, W = f(1 u)ju V k g, where 0 1 GF (). Obviously, V k+1 = W 1 [ W. 5

26 For any y V k+1, write y =(y 1 u), y 1 GF (), u V k. For z V k+1, write z =(y x), y V k+1, x V k.set g(z) =g(y x) =( 1 hu xi if y W1 hm(u) xi if y W (16) For any xed V k, there exists a unique 0 V k, such that m( 0 )=. Write y 0 =(0 ), y 00 =(1 0 ). By the denition in (16), g(y 0 x)=1h xi and g(y 00 x)= hm( 0 ) xi = h xi. This proves the following lemma Lemma 18 g, a function on V k+1, dened as in (16), is balanced. Let =( ) be a nonzero vector in V k+1, where V k+1, V k. By the denition of () () = (;1) g(y x)g(y x) + (;1) g(y x)g(y x) : xv k xv k yw1 yw Case 1: 6= 0. Case 1.1: W 1 thus y W 1 implies y W 1 and y W implies y W. Write =(0 ). Since 6= 0, 6= 0. For y W 1, g(y x) g(y x ) =hu xihu x i = hu ih xih i is a nonzero linear function of x for a xed y. g(y x) g(y x ) =hm(u) xihm(u ) x i = hm(u) m(u ) xihm(u ) i is a nonzero linear function and thus balanced since m(u) m(u ) 6= 0for 6= 0. Hence () =0. Case 1.: W thus y W 1 implies y W and y W implies y W 1. For y W 1, g(y x) g(y x ) =hu xihm(u ) x i = hu m(u ) xihm(u ) i: By the properties of permutation m(u), there exists a unique u 0 such that m(u 0 ) m(u 0 ) =0: (17) Thus g(y x) g(y x ) is a nonzero linear function and thus balanced for any xed y =(0 u) 6= (0 u 0 ). 6

27 For y W, g(y x) g(y x ) =hm(u) xihu x i = hm(u) u xihu i: By the properties of permutation m(u), there exists a unique u such that m(u ) u =0: (18) Thus g(y x) g(y x ) is a nonzero linear function and thus balanced for any xed y 6= (1 u) (1 u ). Rewrite (17) and (18) as and () = xv k (;1) hm(u0 ) i + m(u 0 ) u 0 = m(u ) u = xv k +(;1) hu i : respectively. By the properties of permutation m(u), m(u )=u. This causes m(u 0 ) = u. Hence () = k [(;1) hm(u 0 ) i +(;1) hu i ]= k+1 : Case : = 0. In this case, 6= 0 is necessary. () = (;1) g(y x)g(y x) + xv k yw1 yw xv k (;1) g(y x)g(y x) : For y W 1, g(y x) g(y x ) =hu xihu x i = hu i is a nonzero linear function of x, and thus balanced. For y W, g(y x) g(y x ) =hm(u) xihm(u) x i = hm(u) i: Since m(u) isapermutation on V n, m(u) will run through V k once while u runs through V k once. On the other hand, hu i is balanced hence hm(u) i is balanced. This proves that () = 0 in Case. Summarize Cases 1 and, we conclude 7

28 Lemma 19 Let g, be the function on V k+1, dened as in (16). Then for any nonzero vector V k+1. j()j < = k+1 Lemma 19 shows that function g has no linear structure furthermore the dierence with respect to any nonzero vector is bounded by a small value. In Case 1.1, () =0, 6= 0,and W 1 while is arbitrary. There exist ( k ; 1) k = k ; k such =( ). In Case, () =0, =0. 6= is arbitrary. There exist k ; 1 such =( ). Summarize Cases 1.1 and we have Lemma 0 g, a function on V k+1, dened as in (16) satises the propagation criterion with respect to k ; 1 nonzero vectors. Let `i be the ith row ofh k+1, i =0 1 ::: k+1 ; 1. By Lemma of [0], each `i is is a linear sequence of length k+1. Similarly, denote ith row ofh k by e i. this is the sequence. By Lemma of [0], e i is the sequence of linear function h i xi = 0, where 0 1 ::: k ;1 are dened as at beginning of Section 1. Recall (16), for xed =(y 1 ), y 1 GF (), V k. g( x) =( 1 h xi if W1 hm() xi if W (19) Clearly, for any xed V k+1, g( x) is a linear function on V k. Let be the sequence of g, dened as in (10). FromLemma 1 of[0], is a concatenation of k+1 linear sequences of length k.furthermore, from (19), each linear sequence of length k appear in this concatenation (0). Write = ;e 0 ;e 1 ::: ;e k ;1 e0 0 e0 1 ::: e0 k ;1 (0) where e 0 0 e0 1 ::: e0 k ;1 permutation m(u). is a permutation of e 0 e 1 ::: e k ;1, this permutation depends on Let L s be the sth row ofh k+1. By Lemma of [0], L s is a linear sequence of length k+1. Since H k = H k+1 H k, L s can be rewritten as L s = `p e q, for some p and q, 0 < = p < = k+1 ; 1, 0 < = q < = k ; 1. Write `p =(c 0 c 1 ::: c k+1 ;1 )thus L s =(c 0 e q c 1 e q ::: c k+1 ;1 e q ): Since H k is a Hadamard matrix, he i e j i =0,ifj 6= i. 8

29 Let e q appear the ith entry and jth (j > k ; 1) entry in the sequence (0), whose entries come from linear sequences of length k. Hence h L s i = h `p e q i =(;c i + c j )he q e q i =(;c i + c j ) k = ( k+1 if c j = ;c i 0 if c j = c i There exist k L s = `p e q such that c j = ;c i and k L s = `p e q such that c j = c i and q =1. Hence k+1 ;1 (g) = ;k;1 h L s i 4 = ;k;1 k 4(k+1) = 4k+3 : s=0 This proves that the following conclusion Lemma 1 g, a function on V k+1, dened as in (16) satises (g) = 4k+3. Note that jh L s ij < = k+1 for any L s, that is a row ofh k+1, also a linear sequence of length k+1. By using Lemma 3 of [0], we have Lemma g, a function on V k+1, dened as in (16) satises N g > = k ; k. Summarize Lemmas 18, 19, 0, 1 and we have Theorem 6 Let g be the function on V k+1, dened as in (16). Then (i) g is balanced (ii) N g > = k ; k, (iii) g satises the propagation criterion with respect to k ; 1 nonzero vectors, (iv) (g) = 4k+3, (v) j()j < = k+1 for any nonzero vector V k. We indicate that g does not satises the SAC even we use any nonsingular linear transformation on the variables, since there exists no k + 1 linearly independent vectors which g satises the propagation criterion with respect to. 9

30 6 Group Hadamard Matrices and Bent Functions The properties of Group Hadamard Matrices are: 1. Let G be a group. Dene a vector, say p =(p 1 ::: p n ), where each p j G.. The product of two vectors, say p and q, isp q =(p 1 q 1 ::: p n q n ), where q = (q 1 ::: q n ). 3. The inverse of p is p ;1 =(p ;1 1 ::: p;1 n ), where p ;1 j is the inverse of p j in G. 4. p and q are s-orthogonal if p q ;1 =(p 1 q ;1 1 ::: p nq n ;1 )isslistings of G. In this case n = sjgj. Denition 1 A square matrix with elements from G is called a generalized Hadamard matrix of type s for group G if its rows are mutually s-orthogonal (Butson, Drake). A(1 ;1) Hadamard matrix of order n is a generalized Hadamard matrix of type 1 n for the group G = f1 ;1g. Example 4 (Generalized Hadamard Matrix) Let " be the root of a primitive equation on GF ( 3 ), say 1 x x 3 =0. List 1 " " " 3 " 4 " 5 " 6 : 1 " " 1 " " " 1 " " 1 " : For convenience, write a b" c" as (abc) V 3. Correspondingly, the above sequence becomes (100) (010) (001) (110) (011) (111) (101): Set N = 6 4 (000) (000) (000) (000) (000) (000) (000) (000) (000) (100) (010) (001) (110) (011) (111) (101) (000) (010) (001) (110) (011) (111) (101) (100) (000) (001) (110) (011) (111) (101) (100) (010) (000) (110) (011) (111) (101) (100) (010) (001) (000) (011) (111) (101) (100) (010) (001) (110) (000) (111) (101) (100) (010) (001) (110) (011) (000) (101) (100) (010) (001) (110) (011) (111) The second row ofn is the above sequence with (000). The third row is the left shifting the second and keeping (000). The fourth row is the left shifting the third and keeping (000)... 30

31 N is a generalized Hadamard matrix of type 1 for group G = V 3. Changing each (abc) inn into ax 1 bx cx 3 gives matrix M whose second row is 0 x 1 x x 3 x 1 x x x 3 x 1 x x 3 x 1 x 3 : M is a generalized Hadamard matrix of type 1 for group G = f0 x 1 x x 3 x 1 x x x 3 x 1 x 3 x 1 x x 3 g: Any (1, -1) Hadamard matrix of order n is type 1 n for group G = f1 ;1g. Denition 13 Let M be a generalized Hadamard matrix of type s for group G. M is called a group Hadamard matrix if the rows of M and the columns form a group under the operation (Butson, Drake and de Launey). If G is cyclic then any row group Hadamard matrix for G is also a column group Hadamard matrix. Example 5 (Group Hadamard Matrix) The matrix N in a previous example is a group Hadamard matrix of type 1 for G = V 3. f1 " " 1 " " " 1 " " " 1 " " 1 " g: Example 6 (Group Hadamard Matrix) M in a previous example is a group Hadamard matrix of type 1 for G = f0 x 1 x x 3 x 1 x x x 3 x 1 x 3 x 1 x x 3 g: Example 7 (Group Hadamard Matrix) is a group Hadamard matrix of type 4 for group G = GF () Example 8 (Group Hadamard Matrix) Replace elements 0 and 1 in M by 1and;1 respectively a group Hadamard matrix of type 4 for group G = f1 ;1g. Sylvester-Hadamard matrix H n is a group Hadamard matrix of type n;1 for the group G = f1 ;1g. For example, 31

32 H 3 = ; + ; + ; + ; + + ; ; + + ; ; + ; ; + + ; ; ; ; ; ; + ; + ; ; + ; ; ; ; ; ; ; + ; + + ; is a group Hadamard matrix of type = 4 for the group G = f1 ;1g. Example 9 (A Set of Bent Functions) Let `0, `1, `, `3, `4, `5, `6, `7 table of the linear functions on V 3 : be the truth f0 x 1 x x 3 x 1 x x x 3 x 1 x 3 x 1 x x 3 g respectively. Construct seven (0 1)-sequences (truth tables) of length 6 : 1 = `0 `1 ` `3 `4 `5 `6 `7 = `0 ` `3 `4 `5 `6 `7 `1 3 = `0 `3 `4 `5 `6 `7 `1 ` 4 = `0 `4 `5 `6 `7 `1 ` `3 5 = `0 `5 `6 `7 `1 ` `3 `4 6 = `0 `6 `7 `1 ` `3 `4 `5 7 = `0 `7 `1 ` `3 `4 `5 `6 : Since M is a group Hadamard matrix, for any j 6= i there exists a unique t such that j i = t. Thus if we let j be the truth table of a (bent) function V 6,say g j,forany j 6= i there exists a unique t such that g j g i = g t. g 1, g and g 3 are linearly independent. Thus any nonzero linear combination of f 1, f, f 3 is also a bent function on V 6. This construction can be extended to any dimension i.e. for any even number, say n there exist 1 n bent functions on V n such that any nonzero linear combination of them is also a bent function on V n. Since bent functions are not balanced we must modify them. Example 30 (Independent Set of Bent Functions) Let g 1, g, :::, g k be bent functions on V k whose any nonzero linear combination of them is also a bent function on V k. 3

33 Let j be the truth table of g j.write 1 = `0 `1 ` `k = `0 ` `3 `1. k = `0 `k `k+1 `k;1 where each `j is the truth table `0 is the truth table of the zero linear functions. Example 31 (Modifying A Set of Independent Functions) Select any t (t<k) columns of the above array excluding the rst column. We have 1 = `j1 `j `j t = `j1+1 `j+1 `j t +1. k = `j1+k;1 `j+k;1 `j t +k;1 : Each j is of length k+t,thus it is the truth table of a function on V k+t,say f j. Set F (x) =(f 1 (x) ::: f k (x)) where x V k+t.thenf is a mapping from V k+t to V k. Select any t (t<k) columns of the above array excluding the rst column. We have 1 = `j1 `j `j t = `j1+1 `j+1 `j t +1. k = `j1+k;1 `j+k;1 `j t +k;1 : Each j is of length k+t,thus it is the truth table of a function on V k+t,say f j. Set F (x) =(f 1 (x) ::: f k (x)) where x V k+t.thenf is a mapping from V k+t to V k. Example 3 (A Set of Bent Functions) Let " be the root of a primitive equation on GF ( 3 ), say 1 x x 3 =0. Consider and rewrite as 1 " " " 3 " 4 " 5 " 6 1 " " 1 " " " 1 " " 1 " : 33

34 Change 1 " " into x 1, x, x 3 respectively. Wehave x 1 x x 3 x 1 x x x 3 x 1 x x 3 x 1 x 3 : Shifting this sequence six times gives seven sequences which form the core of M.From M we construct seven (0 1) sequences (truth tables) 1, :::, 7,asmentioned previously. Let 1,, 3 be the truth tables of g 1, g, g 3. Then any nonzero linear combination of g 1, g, g 3 is bent. 7 S-Box Design Denition 14 A n k S-box is a mapping from V n to V k : F (x)=(f 1 (x) ::: f k (x)) where n > = k,each f j(x) isafunctiononv n. We require: (i) Any nonzero linear combination of f 1, :::, f k,say f = c 1 f 1 c k f k,(c 1 ::: c k ) 6= (0 ::: 0), to be balanced, (ii) any nonzero linear combination of f 1, :::, f k to be highly nonlinear, (iii) any nonzero linear combination of f 1, :::, f k to satisfy SAC, (iv) F (x) toberegular run through each vector in V k n;k times while x runs through V n once, (v) F (x) tohave good dierential distribution i.e. F (x) F (x ) runs through some k;1 vectors in V k each n;k+1 times while x runs through V n once, but does not take another k;1 vectors at all (Biham and Shamir) [3]. Note : (ii) and (iv) are equivalent and some criteria have to be weakened if they cannot be satised completely. Example 33 (S-Box properties) Consider the 3 3 S-box mapping from V 3 to V 3 : F (x) =(f 1 (x) f (x) f 3 (x)) where f 1 = x 1 x 3 x x 3 f = x 1 x x 1 x x x 3 f 3 = x 1 x x x 3 x 1 x 3 : Then 34

35 (i) Any nonzero linear combination of f 1 f f 3,say f = c 1 f 1 c f c 3 f 3,(c 1 c c 3 ) 6= (0 0 0), is balanced, (ii) any nonzero linear combination of f 1, f, f 3,say f, has nonlinearity i.e. N f > = (maximum for balanced functions on V 3 ), (iii) any nonzero linear combination of f 1, f, f 3,say f, satises the propagation criterion except for a single nonzero vector related to the particular combination, f, (iv) F (x) is regular, in this case, it is a permutation, (v) F (x)hasgood dierential distribution i.e. F (x)f (x) runs through some vectors in V 3 each 1 times while x runs through V 3 once, but does not assume another vectors at all. Example 34 (Dierence Distribution) For example, let = (001). F (x) F (x ) runs through some (010), (011), (100), (101) each 1 times while x runs through V 3 once. Let = (111). F (x) F (x ) runs through some (001), (011), (101), (111) each 1 times while x runs through V 3 once. Example 35 (Polynomial Permutation) Note that any element in GF ( n ), say, can be expressed as = a 1 a " a n " n;1, where each a j GF () and " is a primitive element of GF ( n ). Thus we have establish a relationship between V n and GF ( n ), this is isomorphism under the operation, this is boolean addition. Let n be odd. Hence F (x) =x 3, where x V n, can be regarded a permutation on V n. It has been proved that (i) Any nonzero linear combination of the coordinate functions, say f, is balanced (i.e. regular, a permutation), (ii) any nonzero linear combination of the coordinate function, say f, has nonlinearity N f > = n;1 ; 1 (n;1), (iii) any nonzero linear combination of the coordinate function, say f, satises the propagation criterion except for a single nonzero vector related to the particular combination, f, (iv) F (x) hasgood dierential distribution i.e. F (x) F (x ) runs through some n;1 vectors in V n each 1 times while x runs through V 3 once, but does not assume another n;1 vectors at all (Pieprzyk, Tavares and Nyberg). Example 36 (A Counterexample for S-box Design) (i) Let F (x) =(f 1 (x) ::: f k (x)) is a regular mapping with good dierential distribution from V n to V k. Then F (x) =(f 1 (x) ::: f t (x)) where t<k, is regular but does not have gooddierential distribution. 35