A conjecture about Gauss sums and bentness of binomial Boolean functions. 1 Introduction. Jean-Pierre Flori

Transcription

1 A conjecture about Gauss sums and bentness of binomial Boolean functions Jean-Pierre Flori arxiv: v2 [math.nt] 9 Aug 206 Abstract In this note, the polar decomposition of binary fields of even extension degree is used to reduce the evaluation of the Walsh transform of binomial Boolean functions to that of Gauss sums. In the case of extensions of degree four times an odd number, an explicit formula involving a Kloosterman sum is conjectured, proved with further restrictions, and supported by extensive experimental data in the general case. In particular, the validity of this formula is shown to be equivalent to a simple and efficient characterization for bentness previously conjectured by Mesnager. Keywords. Boolean functions, bent functions, Walsh spectrum, exponential sums, Gauss sums, Kloosterman sums. Introduction Bent functions are Boolean functions defined over an extension of even degree and achieving optimal non-linearity. They are of both combinatorial and cryptographic interest. Unfortunately, characterizing bentness of an arbitrary Boolean function is a difficult problem, and even the less general question of providing simple and efficient criteria within infinite families of functions in a specific polynomial form is still challenging. For a Boolean function f defined over F 2 n with n = 2m and given in polynomial form, a classical characterization for bentness is that its Walsh transform χ f values are only 2 ±m. Nevertheless, such a characterization is neither concise nor efficient: the best algorithm to compute the full Walsh spectrum has complexity On2 n ), which is asymptotically optimal. Whence the need to restrict to functions in a given form and to look for more efficient criteria. Unfortunately, only a few infinite families of Boolean functions with a simple and efficient criterion for bentness are known. The most classical family is due to Dillon [7] and is made of monomial functions: ) f a x) = Tr n ax r2m ), where n = 2m, a F 2 n and r is co-prime with 2m +. Such functions are bent and even hyper-bent: for any r coprime with 2 n ) the function f a x r ) is also bent) if ANSSI Agence nationale de la sécurité des systèmes d information), 5, boulevard de La Tour- Maubourg, Paris 07 SP, France. jean-pierre.flori@ssi.gouv.fr

2 and only if the Kloosterman sum K m a) associated with a is equal to zero [7, 5, ]. Not only does such a criterion gives a concise and elegant characterization for bentness, but using the connection between Kloosterman sums and elliptic curves [4, ] it also allows to check for bentness in polynomial time [6, ]. Further results on Kloosterman sums involving p-adic arithmetic [2,, 20] lead to even faster generation of zeros of Kloosterman sums and so of hyper-)bent functions. Mesnager [9, 8] proved a similar criterion for a family Boolean functions in binomial form: ) f a,b x) = Tr n ) ax r2m ) + Tr 2 bx 2n where n = 2m, a F 2 n, b F 4 and r is co-prime with 2m + but also r = which divides 2 m + [7]). When the extension degree n is twice an odd number, that is when m is odd, f a,b is hyper-)bent if and only if K m a) = 4. Moreover, hyper-)bent functions in this family can be quickly generated as techniques used to generate zeros of Kloosterman sums can be transposed to the value 4 [9]. Unfortunately, the proof of the aforementioned characterization does not extend to the case where m is even. Nevertheless, it is easy to show that K m a) = 4 is still a necessary condition for f a,b to be bent in this latter case but note that f a,b can no longer be hyper-bent). Further experimental evidence gathered by Flori, Mesnager and Cohen [9] supported the conjecture that it should also be a sufficient condition: for m up to 6, f a,b is bent if and only if K m a) = 4. In this note, the polar decomposition of fields of even extension degree n = 2 ν m with m odd is used to reduce the evaluation of the Walsh transform of f a,b at ω F 2n to that of a Gauss sum of the form ψ n b Tr n m Tr ωu)) χ n u U )) au 22ν m,, ) where F 2 n is decomposed as F 2 n U F 2 m, ψ n is a cubic multiplicative character and χ a quadratic additive character. In the case of extensions of degree four times an odd number, that is when n is four times an odd number m, an explicit formula involving the Kloosterman sum K n/2 a) is proved for ω lying in the subfield F 2 n/2, and conjectured and supported by extensive experimental evidence when ω F 2 n. In particular, the validity of this formula would prove the following conjecture for extensions of degree four times an odd number and give hope to prove the conjecture for n of any 2-adic valuation): Conjecture. Let n = 4m with m odd, a F 2 n/2 and b F 4. The function f a,b is bent if and only if K n/2 a) = 4. 2 Notation 2. Field trace Definition 2 Field trace). For extension degrees m and n such that m divides n, the field trace from F 2 n down to F 2 m is denoted by Tr n m x). 2

3 2.2 Polar decomposition Definition Extension degrees). Let n 2 be an even integer and ν denote its 2-adic valuation. We denote by m i for 0 i ν the integer n/2 i, e.g. m 0 = n and m ν = m in the introduction. For 0 i < ν, the multiplicative group F 2 m i decomposition can be split using the so-called polar F 2 m i U i+ F 2 m i+, where U i+ F 2 m i is the subgroup of 2 m i+ + )-th roots of unity and F 2 m i+ the subgroup of 2 m i+ )-th roots of unity. Repeating this construction yields the following decomposition. Lemma 4 Polar decomposition). Let ν and denote by U denote the image of U U ν within F 2 m 0. Then F 2 m 0 decomposes as 2. Hilbert s Theorem 90 F 2 m 0 U U ν F 2 mν U F 2 mν. Definition 5. For i ν and j F 2, let T j m i be the set T j m i = { x F 2 m i, Tr m i x ) } = j of elements of F 2 m i whose inverses have trace j defining 0 to be 0). Hilbert s Theorem 90 [8] implies that the function x x+x is 2-to- from U i \ {} to T m i and from F 2 m i \ {} to T 0 m i \ {0} and both 0 and are sent onto 0). 2.4 Dickson polynomials Definition 6. We denote by D the third Dickson polynomial of the first kind D x) = x + x. A notable property of D is that D x + x ) = x + x. It implies in particular that D induces a permutation of T 0 m when m is odd and of T m when m is even [8, Propositions 5, 6 and Theorem 7]. 2.5 Characters Definition 7 Additive character). Denote by χ the non-principal quadratic additive character of F 2. Together with the field trace, χ can be used to construct all quadratic additive characters of F 2 m i for any 0 i ν.

4 Definition 8 Multiplicative character). The non-principal cubic multiplicative character ψ mi of F 2 m i for any 0 i < ν is defined for x F 2 m i as ψ mi x) = x 2m i. Note that if x lies in a subextension, that is x F 2 m i+j with 0 i + j < ν, then ψ mi x) = ψ mi+j x) 2j. Remark that divides 2 mν + and is coprime with 2 mν and 2 m i + for 0 i < ν. Therefore the function x x is a permutation of F 2 mν and U i for i < ν, and -to- on U ν. In particular, the multiplicative character ψ m0 is trivial everywhere on F 2 m 0 but on U ν. 2.6 Walsh transform Definition 9. The Walsh transform of a Boolean function f at ω F 2 m 0 χ f ω) = χ fx) + Tr m0 ωx)). x F 2 m 0 is It is well-known that a Boolean function f is bent if and only if its Walsh transform only takes the values 2 ±m. 2.7 Kloosterman sums Definition 0. For a F 2 m, the Kloosterman sum K m a) is K m a) = x F 2 m χ Tr m ax + x )). The following identities proved using the map from Section 2.) are well-known: 2.8 Cubic sums χ Tr m0 au )) = + 2 χ Tr m at)) u U t Tm = 2 χ Tr m at)) t Tm 0 = K m a). Definition. For a, b F 2 m, the cubic sum C m a, b) is C m a, b) = x F 2 m χ )) Tr m ax + bx. 4

5 The possible values of C m a, b) were determined by Carlitz [2] together with simple criteria involving a and b. The most important consequence of Carlitz s results in our context is that C m a, a) = x F 2 m χ Tr m ad x))) = 0 if and only if Tr m α) = 0 for α F 2 m such that a = α when m is odd in that case a is always a cube), and when there exists α F 2 m such that a = α that is a is a cube or equivalently ψ m a) = ) and Tr m 2 α) 0 that is the cube root s half-trace is non zero) when m is even. Charpin et al. later deduced that both in the odd case [4] and in the even case [5, 6] these conditions are equivalent to K m a) mod ). For completeness, the other possible values for C m a, a) when m is even follow: When a is a cube and Tr m 2 α) = 0, then C m a, a) = 2 m2+ χ Tr m )) u 0, where u 0 is any solution to u 4 +u = α 4, that is u 0 = m 2 )/2 i=0 α 42 i+2 +γ for any γ F 4. au 0 )), where u0 is the When a is not a cube, then C m a, a) = 2 m 2 χ Tr m unique solution to u 4 + u/a =, that is u 0 = ψ m a) m 2 i=0 a 4i a 4i )/. Finally, Carlitz also proved the following result on C m a, 0) when m = 2m 2 is even: { ) m 2 C m a, 0) = + 2 m 2+ if ψ m a) =, ) m 2 2 m 2 if ψ m a). 2.9 Binomial functions The binomial Boolean functions f a,b studied in this note are defined over F 2 m 0. Definition 2. For ν, a F 2 m 0 and b F 4, we denote by f a,b the binomial function f a,b x) = ax 2m ) + Tr 2 bψ m 0 x)). 2) We also define f a = f a,0 corresponding to Dillon s monomial) and g b x) = Tr 2 bψ m0 x)). Preliminaries. Field of definition of the coefficients First notice that it is enough to know how to evaluate the Walsh transform of functions f a,b for a F 2 m. Lemma. Let a F 2 m 0 be written as a = αã with α U and ã F 2 m using the polar decomposition of F 2 m 0. Let α U be a square root of α and β F 4 be β = ψ m 0 α). Then fa,b ω) = χ fã,βb αω). 5

6 Proof. Indeed, x αx induces a permutation of F 2 m 0, α 2m = α 2 = α, and ψ m0 α) = ψ m0 α), so that fa,b ω) = χ f a,b x) + Tr m0 ωx)) x F 2 m 0 = χ f a,b αx) + Tr m0 ω αx)) x F 2 m 0 = χ fã,βb x) + Tr m0 ω αx)) x F 2 m 0 = χ fã,βb αω). From now on we can suppose that a F 2 m without loss of generality..2 Polar decomposition The polar decomposition yields the following expression for f a,b. Lemma 4. For ν, a F 2 m 0 and b F 4, and x F 2 m 0, f a,b x) is f a,b x) = f a,b u) = f a u ) + g b u ν ). ) Proof. Notice that f a,b x) = f a x)+g b x). Moreover f a is trivial on F 2 m and g b is trivial everywhere but on U ν as noted in Section 2.5. We now split the sum expressing the Walsh transform of f a,b at ω F 2 m 0 using the polar decomposition of F 2 m 0 as F 2 m 0 U F 2 mν. We write x F 2 m 0 as x = uy for u U, and y F 2 mν. Lemma 5. For ν, a F 2 m and b F 4, the Walsh transform of f a,b at ω F 2 m 0 is, for ω = 0: fa,b 0) = + 2 mν ) χ f a,b u)), 4) u U and for ω 0: fa,b ω) = χ f a,b u)) + 2 mν u U u U, mν ωu)=0 χ f a,b u)). 5) Proof. Using the polar decomposition, the Walsh transform of f a,b at ω F 2 m 0 indeed be written fa,b ω) = χ f a,b x) + Tr m0 ωx)) x F 2 m 0 = + x F 2 m 0 χ f a,b x) + ωx)) can 6

7 = + χ f a,b uy)) χ Tr m0 ωuy)). u,y) U F 2 mν Note that divides 2 mν + so that 2m 0 = 2 mν ) 2mν + f a,b u). Therefore fa,b ω) = + χ f a,b u)) χ Tr mν u U y F 2 mν ν i= 2m i +) and f a,b uy) = Tr m 0 m ν ωu) y )). The sum ranging over F 2 mν is equal to when m ν ωu) 0 and 2 m when m ν ωu) = 0. In particular, when ω = 0, the trace is 0 for all u U. To go further, the cases ν = and ν > have to be dealt with separately. 4 Odd case In this section, it is supposed that ν =, i.e. m is odd and U = U, which is the case that Mesnager settled [9, 8] with the following proposition. We recall the main ingredients and results of her work as similar ideas will be used for the even case. Proposition 6 [9, 8]). For ν =, a F 2 m f a,b at ω F 2 m 0 is, for ω = 0: and b F 4, the Walsh transform of and for ω 0: fa,b ω) = fa,b 0) = + 2 m χ + 2 m χ { + 2 m K m a) 4C m a, a)) if b =, + 2m K m a) + 2C m a, a)) if b, ) f a,b w ) + K m a) 4C m a, a)) if b =, ) f a,b w ) + K m a) + 2C m a, a)) if b. 6) 7) Proof. For ω 0, m ωu ) = 0 if and only if u = w, so that u U, m ωu )=0 χ f a,b u )) = χ ) f a,b w ) The only difficulty lies in the computation of u U χ f a,b u )) which can be done by splitting the sum on U according to the value of ψ m u ): χ f a,b u )) = χ f a u )) χ g b u )) u U u U = χ f a u )) χ f a u )) = 2 u U,bψ m0 u )= u U,bψ m0 u )= 7 χ f a u )) u U,bψ m0 u ) u U χ f a u ))..

8 As noted in Section 2.7 the second sum is u U χ f a u )) = K m a). As far as the first one is concerned, let us denote it S a, b, ω). As m is odd, using properties of the Dickson polynomial D given in Section 2.4, one can show that for b = : S a, b, ω) = K m a) + 2C m a, a)). As S a, b, ω) takes the same value for both b, one deduces that for b : S a, b, ω) = K m a) C m a, a)). Results of Carlitz [2] on C m a, a) when m is odd yield a concise and easy to compute the Walsh transform of f a,b at any ω F 2 m 0. Together with Charpin et al. results [5, 6] and the Hasse Weil bound on K m a), these formulae prove that f a,b is hyper-)bent if and only if K m a) = 4 as was noted by Mesnager [9, 8]. Theorem 7 [9, 8]). For ν =, a F 2 m and b F 4, the function f a,b is bent if and only if K m a) = 4. 5 Even case 5. General extension degree In this section, it is supposed that ν >, i.e. both m 0 and m are even. The main difference with the case ν = is that does now divide 2 m in fact 2 mν + ) rather than 2 m +, and ψ m0 u) does not depend on the value of u but only on that of u ν ). In particular, the computation of u U f a,b u) becomes straightforward. Lemma 8. For ν >, a F 2 m and b F 4, u U χ f a,b u)) = 22ν m ν 2 mν ) K m a)). 8) Proof. Splitting U as U U U ν, the sum can be rewritten: ν χ f a,b u)) = 2 m j + ) χ f a u )) χ g b u ν )) u U u U u ν U ν = ν 2 m j + ) 2mν + K m a)) c F 4 ) χ Tr 2 bc) 8

9 Finally, using the identity 2 m j + ) s is ν = 2 m j + ) 2mν + 2 2j m ν + ) ) 2 2j m ν = K m a)). ) 2 2j+ m ν, the product of the ν ν ) 2 m j + ) = 2 2ν j m ν + = 22ν m ν 2 mν. The value of the Walsh transform at ω = 0 given by Equation 4) can now be simplified. Lemma 9. For ν >, a F 2 m and b F 4, the Walsh transform of f a,b at ω = 0 is fa,b 0) = 2m K m a)). 9) As noted by Mesnager [9, 8], the Hasse Weil bound on K m a) implies that, if f a,b is bent, then χ fa,b 0) = 2 m and K m a) = 4. Proposition 20 [9, 8]). For ν >, a F 2 m then K m a) = 4. and b F 4, if the function f a,b is bent, Finally, the value of the Walsh transform at ω 0 given by Equation 5) is simplified as follows. Lemma 2. For ν >, a F 2 m and b F 4, the Walsh transform of f a,b at ω F 2 m 0 is 22ν m ν fa,b ω) = + 2 mν ) K m a)) + 2 mν χ f a,b u)). 0) u U, mν ωu)=0 5.2 Descending to an odd degree extension To simplify further Equation 0), the sum over u U can be split into smaller sums according to the extension F 2 m i with i ν) where m i uω) becomes 0, giving the following expression. Proposition 22. For ν >, a F 2 m and b F 4, and ω F 2 m 0, denote by S ν a, b, ω) the sum S ν a, b, ω) = χ f a u )). ) m ν uω) 0, mν uω)=0,bψm 0 uν)= The Walsh transform of f a,b at ω 0 is fa,b ω) = 2 22ν )m ν K m a)) 9

10 2 22ν )m ν 2 m ν ) χ f a w )) + 2 mν+ S ν a, b, ω). 2) Proof. The sum over U can be divided into subsums σ i over U i : u U, mν ωu)=0 χ f a,bu)) = νi= σ i with σ i = m i u u i w w i ) 0, m i u u i w w i )=0, u i+ U i+,...,u ν U ν χ f a u )) χ g b u ν )). The first sum σ can be simplified as Equation 8): ν ) σ = 2 m j + ) χ f a w ) χ g b u ν )) u ν U ν ν = 2 m j + ) 2mν + ) χ f a w ) 22ν m ν ) = 2 mν ) χ f a w ). ) The last sum σ ν can be split according to the value of ψ m0 u ν ) as in Section 4: σ ν = 2 m ν uω) 0, mν uω)=0, bψ m0 u ν)= χ f a u )) m ν uω) 0, mν uω)=0 where the first term is 2S ν a, b, ω) and the second term is χ f a u )), 4) m ν uω) 0, mν uω)=0 ν χ f a u )) = 2 m j ν = 2 m j u w = 2 22ν 2 )m ν χ χ f a u )) ) ) χ f a w ) K m a) ) ) f a w ) K m a), 5) as the product of the 2 m j s is ν 2 m j = ν 2 2ν j m ν = 2 2ν 2 ν j=0 2 j m ν = 2 2ν ν+2 )m ν. 6) 0

11 For ν > 2, the intermediate sums σ i for 2 < i < ν are: σ i = i ν 2 m j j=i+ ν 2 m j j=i+ i = 2 m j + ) u w 2 m j + ) 2mν + χ f a u )) u ν U ν χ g b u ν )) ) ) χ f a w ) K m a). Fortunately, a simpler expression for the sum of of the products of 2 m j s and 2 m j + ) s for < j < ν can be devised. Indeed, for k and any rational number m, the sum that we denote by Σm, k) is k i Σm, k) = i=2 k 2 2k j m j=i+ ) 2 2k jm + )m = 222k 2 2 m. 7) The proof goes by induction on k. For k =, the identity states 2 m + = 22m 2 m. Let us now suppose that Equation 7) is verified up to some k for all rational numbers m s. The sum for k + is k Σm, k + ) = 2 m + ) Σ2m, k) + 2 m + ) 2 2k j 2m) By induction and a variation of Equation 6), the identity is proved for k + : 222k 2 Σm, k + ) = 2 m )2m) + ) 2 2m + 2 m + ) 2 42k 2 )m 242k 2 )m 2 2m ) 2 42k 2 )m = 2 m + 2 m = 222k )m 2 m Setting k = ν and m = m ν in Equation 7) yields ν i=2 σ i = 222ν 2 )m ν 2 mν ). ) ) χ f a w ) K m a). 8) Note that for ν = 2, both sides of the above equality are zero. Therefore, for any ν >, Equations ), 4), 5) and 8), lead to the following expression for the Walsh transform at ω 0: 22ν m ν fa,b ω) = + 2 mν ) K m a)) 22ν m ν ) 2 mν 2 mν ) χ f a w )

12 222ν 2 )m ν 2 mν 2 mν ) 2 mν 2 22ν 2 )m ν χ + 2 mν+ S ν a, b, ω), χ f a w ) ) ) K m a) ) f a w ) ) K m a) ) which gives the announced expression by gathering independently the terms in χ f a w ) and K m a)). Unfortunately, making the remaining sum S ν a, b, ω) explicit is a hard problem. Doing so is equivalent to evaluating a Gauss sum as in Equation ): an exponential sum involving a multiplicative character and an additive character. In the next section, we manage to tackle the case ν = 2 when ω F 2 m that is w = ) and conjecture a partial formula when ω F 2 m. 5. Four times an odd number From now on, it is supposed that ν = 2, i.e. m 0 is four times the odd number m 2. For m 2 uω) to be zero with u w, u 2 must be the polar part of ω 2 m u ω ) ) so that the sum of Equation ) becomes S 2 a, b, ω) = 5.. The subfield case u w,ψm 0w 2 m u w ))=b χ au 2 We now restrict to the case w =, that is ω F 2 m rather than ω F 2 m 0. )). 9) Lemma 2. For a F 2 m and b F 4, and ω F 2 m, define γ F 4 by γ = bψ m w 2 ). Then S 2 a, b, ω) = 2 t T m,ψ m t)=γ χ Tr m at)). 20) Proof. As w =, both the multiplicative and additive characters act on the the same inputs so that we can use the function u u + u to transform the sum over U of Equation 9) into a sum over Tm : S 2 a, b, ω) = = = 2 u,ψ m u 2 +u 2 )=bψ m w 2 ) u,ψ m u +u )=bψ m w 2 ) t T m,ψ m t)=bψ m w 2 ) ))) χ Tr m a u 2 + u 2 χ Tr m a χ Tr m at)). u + u ))) 2

13 Remark that the sum in Equation 20) can be seen as a first step toward generalizing the sum computed in Section 4 in the odd case: rather than involving u directly, it involves its trace t = m u ). As is customary, the sum over Tm can be evaluated using sums over all of F 2 m : S 2 a, b, ω) = χ Tr m ax)) x F 2 m,ψm x)=γ x F 2 m,ψm x)=γ χ Tr m ax + x )). The first sum is easily seen to be a cubic sum whereas the computation of the second sum is more involved. 2) Proposition 24. For ν = 2, a F 2 m following equality holds: and γ F 4. Define α F 4 by α = ψ m a). The χ Tr m ax)) = x F 2 m,ψm x)=γ { 2 m 2 + if γ = α, 2 m 2 if γ α. 22) Proof. Let c F 2 m be such that ψ m c) = γ. We make the change of variables x = cx to transform the sum into a cubic sum: χ Tr m ax)) = χ Tr m ax)) x F 2 m,ψm x)=γ x F 2 m,ψm x)=ψm c) = χ Tr m acx)) x F 2 m,ψm x)= = x F 2 m χ Tr m acx )) = C m ac, 0) ). Carlitz s results [2] give explicit values for this cubic sum when m is even and m 2 is odd. Proposition 25. For ν = 2, a F 2 m following equality holds: and γ F 4. Define α F 4 by α = ψ m a). The x F 2 m,ψm x)=γ χ Tr m ax + x )) = x F 2 m { 2C m a, a) + K m a) ) if γ = α, C m a, a) + K m a) ) if γ α. Proof. First remark that summing over the three possible values of γ yields χ Tr m ax + x )) = K m a). 2)

14 Moreover, making the change of variable x = ax) shows that the sum takes the same value for γ and α γ. In particular, it takes the same value for αβ and αβ 2, where β F 4 is a primitive third root of unity, that is for the elements of F 4 different from α, and this value can be deduced from the value for γ = α which we now compute. Denote by r a square root of a. The change of variable x = rx and properties of the Dickson polynomial D when m is even show that for γ = α = ψ m r ) : x F 2 m,ψm x)=α χ Tr m ax + x )) = = = x F 2 m,ψm x)= χ x F 2 m x F 2 m Tr m r x + x ))) χ Tr m r x + x ))) )) χ Tr m rd x + x ) = 2 χ Tr m rd t))) t Tm 0 = 2C m r, r) 2 χ Tr m rt)) t Tm = 2C m r, r) + K m r) ) = 2C m a, a) + K m a) ). Equations 22) and 2) give the following expression for S 2 a, b, ω). Theorem 26. For ν = 2, a F 2 m and b F 4, and ω F 2 m, let γ = bψ m w 2 ). Then the sum S 2 a, b, ω) is 2 m 2 + 2C m a, a) K m a) ) if γ = α and γ = α, S 2 a, b, ω) = 2m 2 2C m a, a) K m a)) if γ = α and γ α, 2 m C m a, a) K m a) ) if γ α and γ = α, 2m 2 + C m a, a) K m a)) if γ α and γ α. Carlitz s results [2] recalled in Section 2.8 can be used to make the cubic sum C m a, a) explicit. In the particular case where K m a) mod ), which is equivalent to C m a, a) = 0 and implies that a is a cube, the expression for S 2 a, b, ω) gets very concise, as does Equation 2) for the Walsh transform. 24) 4

15 Corollary 27. For ν = 2, a F 2 m with K m a) mod ) and b F 4, and ω F 2 m, let γ = bψ m w 2 ). Then the sum S 2 a, b, ω) is S 2 a, b, ω) = 2m 2+ K m a) and the Walsh transform at ω 0 is ) fa,b ω) = χ Tr 2 γ) 2 m + 4 K m a) Tr 2 γ) 2 m 2. 25). 26) Note that Corollary 27 shows that for ω F 2 m the Walsh transform of f a,b at ω is that of a bent function if and only if K m a) = A conjectural general formula The techniques used in the previous section do not apply to the general case where w, i.e. ω F 2 m 0. The main reason being that the multiplicative and additive ) characters of F 2 m act on different values, e.g. r = m w u ), or s = m w u, for one of them, and t = m u ) for the other one. Considering v = m w ), these values are related by r + s = vt. Moreover, the sum S 2 a, b, ω) takes the same value for w and w, so there is hope to introduce enough symmetry to reduce the case w to the case w =. Unfortunately, we could not devise a way to do so. Yet, experimental evidence presented in more details in Section 5.5 suggests that the following conjecture, which relates the value of S 2 a, b, ω) for w = and w, is true. Conjecture 28. For ν = 2, a F 2 m with K m a) mod ) and b F 4, and ω F 2 m 0, let γ = bψ m w 2 ). There exists a Boolean function h a,b ω) such that the sum S 2 a, b, ω) is S 2 a, b, ω) = 2m 2+ K m a) The Walsh transform at ω 0 is then 2f a w 2+ ) )2m h a,b ω)χ f a w ) 2 m 2. 27) ) fa,b ω) = χ h a,b ω)f a w ) 2 m + 4 K m a). 28) In particular, this conjecture implies Conjecture : if K m a) = 4, then f a,b is bent. And Corollary 27 already does so when ω F 2 m.) 5.5 Experimental data The computation of S 2 a, b, ω) was implemented in C and assembly, using AVX extensions for the arithmetic of F 2 m 0, PARI/GP [2] to compute the Kloosterman sums K m a), and Pthreads [0] for parallelization. The computational cost of verifying Conjecture 28 can be somewhat leveraged using elementary properties of S 2 a, b, ω): The source code is available at 5

16 it only depends on the cyclotomic class of a F 2 m, it is the same for w and w, the inner value can be computed at the same time for u and u. Whatsoever, there are: values of γ F 4, Õ2m ) values of a F 2 m, 2 m values of w U \ {}, Õ2m ) operations in F 2 m 0 for each triple γ, a, w ). Therefore, checking the conjectured formula for S 2 a, b, ω) over F 2 m 0 has time complexity Õ2 m ) which quickly becomes overcostly and is comparable to that of computing the Walsh spectrum for every cyclotomic class of a F 2 m which has time complexity Õ2 m ) as well but space complexity Õ2m )). Still, we checked Conjecture 28 completely for m 2 =, 5, 7, 9, for i up to 405 where a = z i and z is a primitive element of F 2 m for m 2 =. Finally, assuming K m a) mod ) and Conjecture 28 is correct, Parseval s equality yields the following relation: x F 2 m 0 ) χ h a,b ω)f a w ) = 2m K m a) ) = fa,b 0). This is supported by experimental evidence that there are exactly 2 m +5/6) K m a) 4)+ respectively 2 m /6) K m a) 4)) values of w U such that h a,b ω)f a w ) is zero when γ = respectively γ ). 6 Further research and open problems Hopefully, Conjecture 28 can be proved using similar techniques as the ones used by Mesnager [9, 8] and in this note. Otherwise, more involved techniques could be tried, e.g. considering a whole family of sums as a whole and their geometric structure. Another posibility would be to directly treat the general Gauss sums of Equations ) and ) without focussing on the case ν = 2. 6

17 References [] Omran Ahmadi and Robert Granger. An efficient deterministic test for Kloosterman sum zeros. CoRR, abs/04.882, 20. [2] Leonard Carlitz. Explicit evaluation of certain exponential sums. Math. Scand., 44):5 6, 979. [] Pascale Charpin and Guang Gong. Hyperbent functions, Kloosterman sums, and Dickson polynomials. IEEE Transactions on Information Theory, 549): , [4] Pascale Charpin, Tor Helleseth, and Victor Zinoviev. The divisibility modulo 24 of Kloosterman sums on GF2 m ), m odd. J. Comb. Theory, Ser. A, 42):22 8, [5] Pascale Charpin, Tor Helleseth, and Victor Zinoviev. Divisibility properties of Kloosterman sums over finite fields of characteristic two. In Information Theory, ISIT IEEE International Symposium on, pages , july [6] Pascale Charpin, Tor Helleseth, and Victor Zinoviev. Divisibility properties of classical binary Kloosterman sums. Discrete Mathematics, 092): , [7] John Francis Dillon. Elementary Hadamard Difference Sets. ProQuest LLC, Ann Arbor, MI, 974. Thesis Ph.D.) University of Maryland, College Park. [8] John Francis Dillon and Hans Dobbertin. New cyclic difference sets with Singer parameters. Finite Fields and Their Applications, 0):42 89, [9] Jean-Pierre Flori, Sihem Mesnager, and Gérard D. Cohen. Binary Kloosterman sums with value 4. In Liqun Chen, editor, IMA Int. Conf., volume 7089 of Lecture Notes in Computer Science, pages Springer, 20. [0] Austin Group. Standard for Information Technology: Portable Operating System Interface POSIXR)) Base Specifications, Issue 7. IEEE Std 00., 20 Edition incorporates IEEE Std , and IEEE Std /Cor -20), pages 906, April 20. [] Faruk Göloğlu, Petr Lisoněk, Gary McGuire, and Richard Moloney. Binary Kloosterman sums modulo 256 and coefficients of the characteristic polynomial. Information Theory, IEEE Transactions on, PP99):, 202. [2] Faruk Göloğlu, Gary McGuire, and Richard Moloney. Binary Kloosterman sums using Stickelberger s theorem and the Gross-Koblitz formula. Acta Arith., 48): , 20. [] Nicholas Katz and Ron Livné. Sommes de Kloosterman et courbes elliptiques universelles en caractéristiques 2 et. C. R. Acad. Sci. Paris Sér. I Math., 09):72 726,

18 [4] Gilles Lachaud and Jacques Wolfmann. Sommes de Kloosterman, courbes elliptiques et codes cycliques en caractéristique 2. C. R. Acad. Sci. Paris Sér. I Math., 0520):88 88, 987. [5] Gregor Leander. Monomial bent functions. IEEE Transactions on Information Theory, 522):78 74, [6] Petr Lisoněk. On the connection between Kloosterman sums and elliptic curves. In Solomon W. Golomb, Matthew G. Parker, Alexander Pott, and Arne Winterhof, editors, SETA, volume 520 of Lecture Notes in Computer Science, pages Springer, [7] Sihem Mesnager. A new family of hyper-bent Boolean functions in polynomial form. In Matthew G. Parker, editor, IMA Int. Conf., volume 592 of Lecture Notes in Computer Science, pages Springer, [8] Sihem Mesnager. Bent and hyper-bent functions in polynomial form and their link with some exponential sums and Dickson polynomials. IEEE Transactions on Information Theory, 579): , 20. [9] Sihem Mesnager. A new class of bent and hyper-bent Boolean functions in polynomial forms. Des. Codes Cryptography, 59-): , 20. [20] Richard Moloney. Divisibility Properties of Kloosterman Sums and Division Polynomials for Edward Curves. PhD thesis, University College Dublin, may 20. [2] The PARI Group, Bordeaux. PARI/GP, version 2.7.0, 204. available from 8