Boolean Functions Whose Restrictions are Highly Nonlinear

Transcription

1 Boolean Functions Whose Restrictions are Highly Nonlinear Constanza Riera Høgskolen i Bergen Nygårdsgt. Bergen 58, Norway csr@hib.no Matthew G. Parker Selmer Centre, nst. for nformatikk University of Bergen Bergen 5, Norway matthew@ii.uib.no Abstract We construct Boolean functions whose non-trivial restrictions are either highly nonlinear with respect to the Walsh- Hadamard or the negahadamard transform. We generalise these properties, identify group actions that preserve them, obtain complementary sets from our functions.. NTRODUCTON This paper investigates spectral properties of basic classes of Boolean function. Typical cryptanalysis considers Walsh- Hadamard spectra of Boolean functions, we examine spectra with respect to more general transform sets. This is one in a series of papers that tackles such ideas [], [4], [8] []. We also propose two new types of multivariate complementary set to add to the one proposed in [7]. The first construction generates Boolean functions whose restrictions remain highly nonlinear with respect to the Walsh-Hadamard transform WHT. We then modify the construction so that, instead, the restrictions remain highly nonlinear with respect to the negahadamard transform NHT. Re-expressing these results in terms of unitary matrices facilitates a significant generalisation, where each of the two constructions is shown to retain its spectral properties with respect to an infinite class of unitary transforms. We highlight unitary group actions that preserve the spectral properties of the two constructions, show that each of the two constructions leads to a new type of multivariate complementary set.. BACKGROUND Denote the set of Boolean functions in m variables by B m. Let S {,,..., m } := {s, s,..., s t } be an ordered set of size t m, let S := {,,..., m } \ S. Let x S := x s, x s,..., x st F t. For f B m, a F t, a constant, the restriction of fx to x S = a is denoted by f a,s B m t, satisfies f a,s x S = fx if x S = a, is undefined otherwise. The Walsh-Hadamard spectrum of f a,s is defined as `F a,sw H := t m x F m t f a,sx+x w, where w F m t, x w := m i= x iw i. Denote `F H S := { `F H a,s a Ft } as the set of t Walsh-Hadamard spectra of the restrictions of fx to x S. The nonlinearity of f a,s is given by nlf a,s := m t m t `F H a,sw. nl is not so useful for comparing nonlinearities over all choices of S, so instead we propose peak-to-average power ratio, P H `f, where `f := f, P H `f a,s := `F H a,sw, nlf a,s = m t m t P H `f a,s. Define peak-to-average power ratio over all restrictions of `f by PH r `f := P H `f a,s, a F S,S {,,...,m } where PH r `f m. Construction generates functions, f B n, from functions, f B m, n > m, that satisfy PH r `f m, irrespective of the size of n relative to m. A. Construction. CONSTRUCTONS Let K := {K, K,..., K m } be an m-wise partition of {,,..., n }, where m i= K i = {,,..., n }, K i K j =, i j. Let k := k, k,..., k m, k j := K j, j, K j := m x i x l B n, K := K j. Let y := i,l K j,i<l j= y, y,..., y m, where y j := i K j x i, j < m. For f B m, define the expansion of f with respect to K by f K := fy B n, abbreviate to f if K is clear from context. Construction : f x = f + K. Construction is reserved for functions described in [7].

2 For f so constructed, we can show that P r H `f = P r H `f m. 3 We defer proofs of 3 6 until the end of section V. For n m, Construction generates functions, f, whose nontrivial restrictions are highly nonlinear with respect to the WHT. Proposition 38 of [] is a sub-case of Construction, where degf, all k j are equal. Example: Let f := x x + x x B 3. Then f, = f, f,{} = x x, f,{} = x x + x, f,{} =, f,{} = x + x, f,{} = x x, f,{} = x x + x, f,{,} = f,{,} = f,{,} = f,{,} = f,{,} =, f,{,} = x, f,{,} = x +, f,{,} = f,{,} = x, f,{,} = x, f,{,} = x +, f,{,,} = f,{,,} = f,{,,} = f,{,,} = f,{,,} = f,{,,} =, f,{,,} = f,{,,} =. Computations give, a, P H `f, = P H `f a,{,} = P H `f a,{,} = P H `f a,{,} =, P H `f a,{} = P H `f a,{} = P H `f a,{,,} =, P H `f a,{} = 4. So P r H `f = 4. Let K := {, 3}{, 4}{, 5}. Then, by, f = x + x 3 x + x 4 + x + x 4 x + x 5, K = x x 3 + x x 4 + x x 5, f = x x +x x 3 +x x 4 +x x +x x 3 +x x 4 +x x 5 + x x 4 + x x 5 + x 3 x 4 + x 4 x 5. One can verify that P r H `f = P r H `f = 4, in agreement with 3. B. Construction Define the negahadamard spectrum of f a,s as `F a,sw N := t m i f a,sx+x w+ wtx, 4 x F m t where i := wt. denotes Hamming weight. Denote `F S N := { `F a,s N a Ft } as the set of t negahadamard spectra of the restrictions of fx to x S. Define peak-toaverage power ratio of `f a,s with respect to the NHT by, P N `f a,s := `F N a,sw, peak-to-average power ratio over all restrictions of `f by PN r `f := P N `f a,s, where P r N `f m. a F S,S {,,...,m } Construction : f. 5 For f B n, we can show that P r N `f = P r N `f m. 6 So, for n m, Construction generates functions, f, whose restrictions are highly nonlinear with respect to the NHT. Example continued: Computations give, a, P N `f a,{} = P N `f a,{} =, P N `f, = P N `f a,{} = P N `f a,{,} = P N `f a,{,} = P N `f a,{,} = P N `f a,{,,} =. So P r N `f =. One can verify that P r N `f = P r N `f =, in agreement with 6. n section V we establish peak-to-average properties of Constructions with respect to an infinitely larger set of transforms than just WHT NHT. To do so we first recast `F H S `F N S in terms of unitary matrices. This clarifies subsequent generalisations. V. MATRX CHARACTERSATON nterpret `f = f as an m-variate array, `f C m, with elements indexed by members of F m, i.e. `f j := fj, j F m. Define unitary matrices H :=, :=. Comparing with, the WHT of fa,s C m t is given by `F H a,s := H m t `fa,s, 7 where `F a,s H C m t, H l = l i= H is the l-fold tensor product of H with itself, such that the wth element of `F a,s H is given by `F a,s,w H = `F a,s H w, w Fm t. Let m m unitary, U j, denote m-fold tensor product U j :=... U..., with unitary, U, being in the jth position from the left numbering from zero. For S {,,..., m }, let U S := j S U j, 3. Then `F S H C m, the concatenation of `F a,s H, a Ft, is given by `F H S := H S `f = `F H a,s, a F t, 8 P r H `f := S {,,...,m },w F m Example continued: For S = {, }, `F,S H = H `f,s = H `F,S H = H `f,s = H `F,S H = H `f,s = H `F,S H = H `f,s = H Therefore, `F H S = H S `f = `F H S,w. = = = = =,,,,,,, T.. Similarly, for S = {}, we get `F H S =,,,,,,, T. Computing over all subsets, S, we establish, as before, that P r H `f = 4, where the imum occurs for S = {}. A unitary matrix, U, satisfies UU = for the identity. 3 A BC D = AC BD, so U j U k =... U... U... = U k U j, for j k, U, U unitaries.

3 Define unitary N := i i. Comparing with 4, the NHT of f a,s C m t is given by `F N a,s := N m t `fa,s, 9 The concatenation of `F N a,s, a Ft, is given by `F N S := N S `f = `F N a,s, a F t, P r N `f := S {,,...,m },w F m Example continued: For S = {}, `F,S N = N `f,s = N `F,S N = N `f,s = N Therefore, `F N S = N S `f = `F N S,w. = = i i i i i i i i i i i i i i i i = + i,,, i,, i, + i, T. W W,w F m + i i i + i. For W a set of m m unitaries, define peak-to-average power ratio of `f with respect to W by P W `f := W `f w. Let D be the set of all n n unitaries where any member of D only has one non-zero entry per row column. Let U be a set of n n unitaries, DU be the set of n n unitaries, {DW, D D, W U}. Then, for h B n, P U `h = P DU `h. We abbreviate, D D, this equivalence by DU U, DU`h U`h. Proof: of sketch Let V := m j= V j, where V j K j. Let O V := {j V j odd}. Then we can show that H V `f H OV `f NV f ` NOV `f, so over all choices for V, the spectral elements with respect to the WHT resp. NHT of the restrictions of `f resp. `f, comprise, to within phase position, multiplicities of the spectral elements with respect to the WHT resp. NHT of the restrictions of `f, where magnitudes are unchanged 4. 4 n particular, the proof implies that `f f are bent negabent, respectively, for k j even j. V. GENERALSED NONLNEARTES For V a set of unitaries we say that W iff W = n j= U j, U j V, j. Using this notation, P {,H} m `f = PH r `f, P {,N} m `f = PN r `f. Let V := { cos θ sin θ sin θ cos θ, θ R}, V := { cos θ i sin θ sin θ i cos θ, θ R}, be infinite sets of unitaries, called type-, type- unitaries, respectively [], [8], [9]. We can show that `f m. `f m. 3 By, equations 3 have 3 6, respectively, as special cases as, for any S {,,..., n }, H S {, H} {D, D D} N S {, N} {D, D D}. To sketch proofs for 3, we introduce Type- unitaries, V = { α, α = }. α Let #`h be the number of non-zero elements of `h. The following results are critical to our proofs. #N `f m. 4 #H `f m. 5 Remark : Every entry of every matrix in has the same magnitude. Proof: for - sketch From 4 Remark, it follows that N `f m. follows by observing that V NV. Proof: for 3 - sketch From 5 Remark, it follows that H `f m. 3 follows by observing that V HV. V. GROUP ACTONS PRESERVNG NONLNEARTY Constructions give `f `f, for which 3 hold, respectively. Furthermore, groups exist under whose action properties 3 are preserved. First we establish matrix representations for these groups. V group V ZV is a matrix group as, for U V, UV ZV. Affine group Two Boolean functions f, g B n are affine equivalent if gx = fax + b + d x + c, 6 for A a binary invertible n n matrix, b, d F n c F. We recast affine equivalence by the affine group in matrix form. Let X :=, Z :=, Y := XZ =, be unitary Pauli matrices. Define Xj k := = δ z,uz, where u =, z = x j, x k T, i.e. elements of Xj k are one at positions z, uz zero otherwise, z F - one should remember that matrix Xj k C C is a matrix with

4 both rows columns indexed by elements from F. Define matrix group 5, A n =, X j, Z j, Xj k, j, k {,,..., n }, j k. Then f, g B n are affine equivalent iff W A n, such that `f = W `g. Extended orthogonal group The functions f, g B n are extended orthogonal equivalent if 6 holds for AA T =, b = d of even weight. Define V,,,3 as the 4 4 unitary, V,,,3 := δ z,uz, where u =, z = x, x, x, x 3 T. Based on theorem 9 of [5], the orthogonal group has the following unitary representation for n > 4, O n := V,,,3, P j,k, j, k {,,..., n }, j k, where P j,k is the 4 4 permutation matrix swapping tensor positions j k, i.e. P j,k := = δ z,uz, where u =, z = xj, x k T. Repeated action of P j,k at various pairs, j, k, generates the symmetric group, S n The extended orthogonal group, E n, for n > 4, has the following matrix representation, E n :=, V,,,3, Y j,k, P j,k, j, k {,,..., n }, j k, where Y j,k := takes the role of evenweight vector b = d in 6. Then f, g B n are extended orthogonal equivalent iff W E n, such that `f = W `g. Observe that O n E n A n. Type- invariance V ZV is a group so W `f = `f, W. 7 n general there exist W {, H} h B n, such that `h = W `f. But it is currently unclear to us whether W {D, D D}, W {, H}, such that `h = W `f. W `f =, W E n. 8 Proof: of 8, sketch One can verify that N 4 V,,,3 N 4, N Y j,k N, N P j,k N so, for W E n, N W `f N `f, the proof follows, like, by Remark 4. Type- invariance W ` f = f, ` W A n. 9 Proof: of 9, sketch One can verify that H Xj k H, HX H, HZ H so, for W A n, H W f ` H f, ` the proof follows, like 3, by remark 5. 5 We use to encompass group generators, as is used in this paper for expansion. V. COMPLEMENTARY SETS A size m complementary set, CW n := {f j j F m }, of arrays, f j C, with respect to a set, W, of n n unitaries is defined by the property, W,j `F w = m, w F n, W W, j F m where `F W,j = W `f j. Previous work [7] proposed Construction for a set of functions, h F n, where, for n = tm, t h = θ i z i θ i+ z i+ + g i z i, i= where z i = x im, x im+, +..., x i+m F m, θ i : F m F m, are permutations, g i z i B m. These functions satisfy, `h m. Let = {h + j z t j F m }. Then C n is a type- complementary set of size m. Constructions similarly lead to complementary sets. For y = y, y,..., y m, y j = i K j x i, let = {f + j y j F m }. Then C n is a type- complementary set of size m. For some fixed r {,,..., m }, let y r = y, y,..., y r, y r+,..., y m, = { f + j y r j F m }. Then C n is a type- complementary set of size m. Observe that the upper bounds of 3 follow immediately from the fact that C n C n are complementary sets of type- type-, respectively. V. FNAL COMMENTS Construction may be a step towards the difficult problem of constructing cryptographically-interesting k-normal Boolean functions, k n/, for which infinite constructions do not yet exist [3], [6], where any function affineequivalent to such a function remains nonlinear up to kthorder restrictions. n contrast, Construction yields a basic class of functions whose non-trivial restrictions only remain nonlinear up to extended-orthogonal equivalence, where the extended-orthogonal group is a subgroup of the affine group. Construction is a generalisation of the class of affine functions. The constructions properties mentioned herein focus on Boolean functions, but all results carry over, without modification, to generalised Boolean functions, where one constructs, from `f : F m C, functions `f, `f : F n C, where `f x = `f x `Kx. The set of functions constructed using is much larger than that constructed using or 5 6, even if one takes 6 Moreover, section 5 of [7] identifies a further generalisation of.

5 into account symmetries 7, 8, 9, suggesting that Constructions might be generalised further. REFERENCES [] R. Arratia, B. Bollobas, G. B. Sorkin, The nterlace Polynomial of a Graph, J. Combin. Theory Ser. B, 9,, 99 33, 4. [] Tor E. Bjørstad, Matthew G. Parker, Equivalence Between Certain Complementary Pairs of Types, in Enhancing Cryptographic Primitives with Techniques from Error Correcting Codes, Vol. 3, NATO Science for Peace Security Series, 9. [3] A. Canteaut, M. Daum, H. Dobbertin, G. Leer, Finding nonnormal bent functions, Discrete Applied Mathematics, 54 8, 6. [4] Lars Eirik Danielsen, Matthew G. Parker, Spectral orbits peak-toaverage power ratio of Boolean functions with respect to the, H, N n transform, Lecture Notes in Computer Science, LNCS 3486, , 5. [5] Gerald J. Janusz, Parametrization of self-dual codes by orthogonal matrices, Finite Fields Their Applications, 3, 3, 45 49, 7. [6] Gregor Leer, Gary McGuire, Construction of bent functions from nearbent functions, Journal of Comb. Theory, Series A , 9. [7] Matthew G. Parker, Chintha Tellambura, A Construction for Binary Sequence Sets with Low Peak-to-Average Power Ratio, Reports in nformatics, University of Bergen, 4, Feb publikasjoner/texrap/ps/3-4.ps. [8] Matthew G. Parker, Close encounters with Boolean functions of three different kinds, Lecture Notes in Computer Science, LNCS 58, 5 9 Sept. 8. [9] Matthew G. Parker, Polynomial Residue Systems via Unitary Transforms, to appear in post-proceedings of Contact Forum Coding Theory Cryptography, Brussels, 9. matthew/prnsunitary. pdf [] Constanza Riera, Matthew G. Parker, Generalised Bent Criteria for Boolean Functions, EEE Trans nform. Theory, 5, 9, , Sept. 6.