Highly Nonlinear Mappings Claude Carlet a and Cunsheng Ding b a INRIA Projet Codes, Domaine de Voluceau, BP 105, Le Chesnay Cedex, France. Also

Transcription

1 Highly Nonlinear Mappings Claude Carlet a and Cunsheng Ding b a INRIA Projet Codes, Domaine de Voluceau, BP 105, Le Chesnay Cedex, France. Also at University of Paris 8 and GREYC-Caen. Claude.Carlet@inria.fr b Department of Computer Science, Hong Kong University of Science and Technology, Clear Water Bay, Kowloon, Hong Kong, China. cding@cs.ust.hk Abstract Functions with high nonlinearity have important applications in cryptography, sequences and coding theory. The purpose of this paper is to give a well-rounded treatment of non-boolean functions with optimal nonlinearity. We summarize and generalize known results, and prove a number of new results. We also present open problems about functions with high nonlinearity. Key words: Functions, nonlinearity, cryptography, coding, sequences, dierence partition, dierence matrices, dierence sets, almost dierence sets, generalized Hadamard matrices. 1 Introduction Functions with high nonlinearityhave important applications in cryptography [3,14,4,65,66,68,69], sequences [71] and coding theory [11,55,63,77]. In cryptography, functions with high nonlinearity are necessary for achieving confusion. They are used to construct keystream generators for stream ciphers, S-boxes for block ciphers, building blocks for hash algorithms, and authentication codes. In coding theory, they permit to construct good error correcting codes. In sequences, they are used to obtain good autocorrelation for CDMA communication systems. During the last twenty years, there has been a lot of studies of Boolean functions with high nonlinearity. See for example, [10], [1], [13], [14], [15], [17], [18], [19], [37], [38], [39], [40], [69], [73]. Non-Boolean functions have also important applications in cryptography [8,9,66], sequences [57,70] and coding Preprint submitted to Elsevier Preprint

2 theory [43,71], but they have been less studied. It turns out that functions with optimum nonlinearity correspond to certain combinatorial designs. Thus the study of functions with optimum nonlinearity could lead to new problems in combinatorics. The purpose of this paper is to give a well-rounded treatment of non-boolean functions with optimum or almost optimum nonlinearity. We summarize the known results on this subject, which have been presented in a large number of papers. We generalize several of them and we prove new results. We present open problems about functions with high nonlinearity, and propose new problems in combinatorics by establishing relations between functions with optimum nonlinearity and certain subjects of combinatorics. Preliminaries Let f be a function from an abelian group (A +) of order n to another abelian group (B +) of order m. f is linear if and only if f(x+y) =f(x)+f(y) for all x y A. A function g is ane if and only if g = f +b, where f is linear and b is a constant. Clearly, the zero function is linear. If f is a nonzero linear function from A to B, let H = fx Aj f(x) =0g. Then H is a subgroup of A, f(a) is a subgroup of B and, denoting by jsj the size of a set S, jf(a)jjhj = n. In the case that n is odd and m is a power of, the only linear function from A to B is the zero function, since if f 6= 0, then jf(a)j is even, a contradiction with the fact that n is odd thus all ane functions are constant functions. The (Hamming) distance between two functions f and g from A to B, denoted by d(f g), is dened to be d(f g) =jfx Ajf(x) ; g(x) 6= 0gj: One way of measuring the nonlinearity ofafunction f from (A +) to (B +) is to use the minimum distance between f and all ane functions from (A +) to (B +). With this approach the nonlinearity off is dened to be N f = min d(f l) (1) ll where L denotes the set of all ane functions from (A +) to (B +). This measure of nonlinearity is related to linear cryptanalysis (cf. [65]) but it is not useful in some general cases. For example, as pointed out above, in the case jaj is odd and jbj is a power of, this measure makes little sense as there are no non-constant ane functions from (A +) to (B +).

3 A robust measure (cf. [68]) of the nonlinearity of functions is related to dierential cryptanalysis (cf. [5]) and uses the derivatives D a f(x) =f(x+a);f(x). It may be dened by P f = max 06=aA max bb Pr(D af(x) =b) () where Pr(E) denotes the probability of the occurrence of event E. The smaller the value of P f, the higher the corresponding nonlinearity off (if f is linear, then P f = 1). In some cases, it is possible to nd the exact relation between the two measures on nonlinearity. We will come back to this later. Note that both nonlinearity measures are relative to the two operations of the two abelian groups. 3 Functions with perfect nonlinearity Let f be a function from (A +) to (B +). For any b B dene C b = f ;1 (b) =fa Ajf(a) =bg: (3) We have the following property. Lemma 1 Let f be a function from (A +) to (B +). Then, for every a A and every b B Pr(D a f(x) =b) = P zb jc z \ (C z+b ; a)j : jaj PROOF. We have = = jfx AjD a f(x) =bgj [ [ zb zb fx Ajf(x) =z and f(x + a) =z + bg (C z \ (C z+b ; a)) = jc z \ (C z+b ; a)j : zb The conclusion then follows. 3

4 Notice that, for every a A, the sets fx AjD a f(x) =bg constitute a partition of A, and thus we have the following lemma. Lemma For every a A, we have jaj = jfx AjD a f(x) =bgj : bb Note that the maximum of a sequence of numbers is greater than or equal to its mean. It then follows that, for every a A, max [Pr(D jfx AjD a f(x) =bgj af(x) =b)] = max bb bb jaj 1 jbj : Then P f 1 jbj : (4) This lower bound can be considered as an upper bound for the nonlinearity of f. For applications in coding theory and cryptography we wish to nd functions with the smallest possible P f. Denition 3 A function f : A! B has perfect nonlinearity if P f = 1 jbj. Since the maximum of a sequence of numbers equals its mean if and only if the sequence is constant, inequality (4) is an equality if and only if, for every b B and every a A = A nf0g, the quantity jfx AjD a f(x) =bgj has value jaj jbj. Denition 4 A function g : A! B is balanced if the size of g ;1 (b) is the same for every b B (this size is then jaj jbj ). Theorem 5 A function f : A! B has perfect nonlinearity if and only if, for every a A = A nf0g, the derivative D a f is balanced (this is possible only if jbj divides jaj). In the case of Boolean functions (i.e. functions from GF () n to GF (), where GF () is the two-element eld), perfect nonlinear functions are also called bent (cf. [73]). We recall at Subsection 3.6 the denitions and properties of bent functions. 4

5 3.1 Stability of the set of perfect nonlinear functions under actions of general ane groups The addition of any perfect nonlinear function from (A +) to (B +) and any ane function from (A +) to (B +) is clearly a perfect nonlinear function. Theorem 6 Assume that f(x) is a function from (A +) to (B +) with perfect nonlinearity and l(x) is a linear or an ane permutation from (A +) to (A +), then the composition f l is another function from (A +) to (B +) with perfect nonlinearity. PROOF. If l(x) is a linear permutation, then f(l(x + a)) ; f(l(x)) is equal to f(l(x) +l(a)) ; f(l(x)) and is balanced for every a 6= 0 since l(a) 6= 0 if andonlyifa 6= 0.Ifl(x) is a translation, say l(x) =x + u, then f(l(x + a)) ; f(l(x)) = f(x + u + a) ; f(x + u) is balanced. The conclusion then follows by composition. Theorem 7 Let f : (A +)! (B +) have perfect nonlinearity, and let l : (B +)! (C +) be a linear onto function. Then the composition l f is a function from (A +) to (C +) with perfect nonlinearity. PROOF. Since l is linear, we have l(f(x + a)) ; l(f(x)) = l(f(x + a) ; f(x)): The conclusion then follows from the facts that l is linear and onto and that f has perfect nonlinearity. Theorem 7 leads to a construction of perfect nonlinear functions which is rather useful, as justied by the results of Proposition Perfect nonlinear functions and dierence partitions Perfect nonlinear functions are naturally related to the combinatorial notion of dierence partition. Let (A +) and (B +) be two abelian groups of orders n and m respectively. Assume that fc b jb Bg is a partition of A. We call fc b jb Bg an (n m ) dierence partition of (A +) with respect to (B +) if 5

6 zb jc z \ (C z+b ; a)j (5) for all b B and all nonzero elements a of A, and if for at least one pair (a b) the equality of (5) is achieved. Note that for a dierence partition fc b jb Bg some C b may be empty. The dierence partitions dened here are quite dierent from the dierence families that have been studied in combinatorics [4, Chapter VII]. Since fc z \ (C z+b ; a)jz b Bg is a partition of A, we have m n: (6) The case of equality corresponds to perfect nonlinear functions. Proposition 8 Let (A +) and (B +) be abelian groups of orders n and m respectively. Let fc b jb Bg be an (n m ) dierence partition of (A +) with respect to (B +). Let f be the function from A to B dened by f(x) =b, for every x C b. Then P f =. Thus, f has perfect nonlinearity if and only if m n divides n and fc b (f)jb Bg is an (n m n=m) dierence partition of (A +) with respect to (B +). PROOF. It follows from Lemma 1. If fc b (f)jb Bg is an (n m n=m) dierence partition of (A +) with respect to (B +), then the equality in (5) holds for all b B and all nonzero elements a of A. There are some restrictions on the possible sizes of the sets C b. Theorem 9 Let (A +) and (B +) be abelian groups of orders n and m respectively, where m divides n. If an (n m n=m) dierence partition fc b jb Bg of A with respect to B exists, then for any nonzero b B 8 >< >: PzB kz = n +(m;1)n m PzB k z k z+b = n(n;1) m P zb k z = n (7) where k z = jc z j for each z B. PROOF. If fc b jb Bg is an (n m n=m) dierence partition, wehave P zb k z = n and 6

7 zb jc z \ (C z+b ; a)j = n m for all b B and all nonzero elements a of A. It then follows that for any nonzero b B n(n ; 1) m = aanf0g zb = zb aanf0g jc z \ (C z+b ; a)j jc z \ (C z+b ; a)j = jfx A a A jf(x) =z and f(x + a) =z + bgj zb = jfx A a Ajf(x) =z and f(x + a) =z + bgj zb = zb k z k b+z : Similarly, we obtain n(n ; 1) m = aanf0g zb = zb aanf0g jc z \ (C z ; a)j jc z \ (C z ; a)j = jfx A a A jf(x) =z and f(x + a) =zgj zb = zb k z (k z ; 1) = k z ; k z zb zb = k z ; n: zb This completes the proof. Remark: Theorem 9 may be deduced from know results on relative dierence sets, but our proof is elementary. Theorem 10 Let (A +) and (B +) be abelian groups of orders n and m respectively, where n is a multiple of m. If f is a function from A to B with perfect nonlinearity P f = 1, then for any b B m s n (m ; 1)n m ; m s k b n (m ; 1)n m + m 7

8 where k z = jfx Ajf(x) =zgj. Furthermore, s (m ; 1)n (m ; 1)n ; m m N f (m ; 1)n + m s (m ; 1)n m : If B has exponent, i.e., b =0for any b B, then for any b B n ; (m ; 1) p n m k b n +(m ; 1)p n m where k z = jfx Ajf(x) =zgj. Furthermore, (m ; 1)n ; (m ; 1) p n m N f (m ; 1)n +(m ; 1)p n : m PROOF. We prove the rst conclusion. Set k b = n=m + b. It follows from the last equation of (7) that P b b =0.Combining this equality and the rst one of (7) yields (m ; 1)n b = m : q b (m;1)n Hence j b j. This proves the conclusion on m k b. The lower and upper bounds on N f then follow from the bounds on k b and the fact that the sum of a function with perfect nonlinearity is again a function with perfect nonlinearity. We now prove the bounds for the case that B has exponent.for any nonzero b B, by (7) P zb(k z ; k z+b ) = P zb k z ; P zb k z k z+b + P zb k z+b = n +(m;1)n m = n: ; n(n;1) m (8) Since B has exponent, in the summation zb (k z ; k z+b ) both (k z ; k z+b ) and (k z+b ; k z ) occur as terms. Then by (8) (k z ; k z+b ) =(k z ; k z+b ) +(k z+b ; k z ) n 8

9 and hence ; p n k z ; k z+b p n: (9) It follows that ;(m ; 1) p n (m ; 1)k z ; b6=0 k z+b (m ; 1) p n: Note that P b6=0 k z+b = n ; k z. We have n ; (m ; 1) p n m k z n +(m ; 1)p n : m The bounds on N f follow from those on k b and the fact that the sum of a function with perfect nonlinearityandany ane function gives also a function with perfect nonlinearity. For the existence of functions with perfect nonlinearity, we have the following result. Theorem 11 Assume that there is a function with perfect nonlinearity from an abelian group of order n to another abelian group of order m, where m divides n. If m is even, then n is a square. If m is odd, then z = nx +(;1) (m;1)= my has a nontrivial solution in integers. Theorem 11 is a direct consequence of Lemma 4 below, which was stated in [6,7] for the existence of generalized Hadamard matrices. 3.3 Functions with perfect nonlinearity and dierence matrices It is known that Boolean functions with perfect nonlinearity (i.e. bent functions) are related to Hadamard matrices (cf. [73]). More generally, functions with perfect nonlinearity are related to the so-called dierence matrices and generalized Hadamard matrices. 9

10 Let (G +) be a group of order m. An (m k ) dierence matrix is a k m matrix D =(d ij ) with entries from G, so that for each 1 h<j k, the list fd hl ; d jl j1 l mg contains times every element of G. Similarly, dierence matrices can be de- ned over nonabelian groups [4,]. A generalized Hadamard matrix GH(m ) is a (m m ) dierence matrix. Hence Hadamard dierence matrices are special dierence matrices. In particular, a Hadamard matrix H(4n) is a GH( n) over the group (f1 ;1g ). Theorem 1 Let f be a function from an abelian group (A +) of order n to another one (B +) of order m, where m divides n. Let A = fa 0 a 1 ::: a n;1 g, and dene an n n matrix D as D = 0 f(a 0 + a 0 ) f(a 0 + a 1 ) f(a 0 + a n;1 ) f(a 1 + a 0 ) f(a 1 + a 1 ) f(a 1 + a n;1 ).. f(a n;1 + a 0 ) f(a n;1 + a 1 ) f(a n;1 + a n;1 ). Then f has perfect nonlinearity P f = 1 if and only if D is a GH(m n=m), m i.e., an n n generalized Hadamard matrix.. 1 C A : PROOF. By Theorem 5, f has perfect nonlinearity ifandonly if D a f(x) = f(x +a);f(x) takes on each element of B exactly n=m times for each nonzero element a of A. The conclusion then follows. Remarks: (a) Any k rows of the matrix D of Theorem 1 gives an (m k n=m) difference matrix over B. Theorem 1 shows that every function with perfect nonlinearity gives generalized Hadamard matrices. But clearly, many generalized Hadamard matrices do not give functions with optimum nonlinearity. (b) Theorem 1 is a rather straightforward result, which traces back to at least [8]. Example 13 Dene the function f(x) fromgf (q) t to GF (q) as f(x 1 x ::: x t )=x 1 x + x 3 x 4 + :::+ x t;1 x t : 10

11 We willshow in Theorem 39 that this function is perfect nonlinear. Then the matrix D of Theorem 1 is a (q q t q t;1 ) dierence matrix, i.e., a generalized Hadamard matrix GH(q q t;1 ). Remark: It is shown by de Launey that for any group G of prime power order q and any integer t>0, there is a GH(q q t;1 ) over G [7]. Here G may not be elementary abelian. It remains to be checked whether the construction of Corollary 13 is the same as the one of de Launey [7]. 3.4 A characterization of perfect nonlinearity by means of Fourier transform We denote by e the exponent ofa it is the maximum order of elements of A it is also called the characteristic of A since A is in additive representation. A homomorphism between A and a multiplicative group G is any mapping from A to G such that (a + a 0 )=(a)(a 0 ) for all a a 0 A: A character of A is any homomorphism from A to the multiplicative group of all complex e-th roots of unity. Themultiplicative group ^A of characters of A is isomorphic to the group A (cf. [46]). We x some isomorphism from A to ^A and we denote by the image of A by this isomorphism. 0 is the trivial character, i.e. the constant function 1. For every a 6= 0, we have P A (a) = 0 indeed, there exists 0 A such that 0 (a) 6= 1 thenthe equality implies P A (a) =0. A (a) = A +0 (a) = 0 (a) A (a) Let E be any subgroup of A. Denote by E? the subgroup of A of elements such that (a) =1for all a E. Then ae (a) =0 8 = E? (10) and E? (a) =0 8a = E: (11) 11

12 The characters satisfy the orthogonality relation h 1 i = aa 1 (a) (a) = 8 >< >: 0 if 1 6= jaj if 1 = where (a) denotes the complex conjugate of (a). The Fourier transform of any complex-valued function ' on A is dened by b'() = aa '(a) (a): A direct consequence of property (11) is that for every elements 0 and a 0 in A and for every subgroup E of A, we have (a 0 ) b'() =je? j 0 (a 0 ) 0 (a)'(a): (1) 0 +E? a;a 0 +E Indeed, (a 0 ) b'()= 0 +E? E? 0 +(a 0 ) b'( 0 + ) = E? aa '(a) 0 +(a 0 + a) = aa '(a) 0 (a 0 + a) = je? j 0 (a 0 ) a;a 0 +E E? (a 0 + a) 0 (a)'(a): The Fourier transform of the product of two functions ' 1 and ' equals the normalized convolution of the Fourier transforms of ' 1 and ' : ' d 1 ' () = 1 jaj c' 1 c' () = 1 jaj 0 A 1 A c' 1 ( 0 )c' ( ; 0 ): (13) Equality (13) with ' = ' 1 and =0gives Parseval's relation: aa j'(a)j = 1 jaj A j b'()j : The inverse Fourier transform is determined by the equality: '(a) = 1 jaj A b'() (a): 1

13 Note that ' satises '(a) = 0, for every a 6= 0, if and only if b' is constant and that ' is constant if and only if b'() =0,for every 6= 0. Let f be a function from A to a group B. We denote by e 0 the exponent of B and we x again an isomorphism between B and ^B (the group of homomorphisms from B to the multiplicative group of all complex e 0 -th roots of unity) we denote by 0 the image of B by this isomorphism. For every B, we denote by f the complex-valued function 0 f and we have, for every A, cf () = 0 f(a) (a): aa Parseval's relation on f gives A j c f ()j = jaj : We give in Theorem 16 a characterization of perfect nonlinearity by means of Fourier transform, which generalizes results given in [73] for Boolean functions, in [1] for functions dened over nite elds and in [16] for functions dened over residue class rings. We need rst to characterize balanced functions and to recall a classical property of Fourier transform. Proposition 14 Let f be any function from A to B. Then f is balanced if and only if, for every B we have cf (0)=0: PROOF. We have cf (0) = aa 0 f(a) = bb jc b j 0 (b): (14) Thus, if f is balanced and 6= 0,thenf c P (0) = jaj jbj bb 0 (b) = 0. Conversely, if, for every B we have f c (0) = 0, then, according to relation (14), the integer-valued 8 function b 7! jc b j admits as Fourier transform the function >< 0 if 6= 0 7!, and according to the properties of the Fourier transform >: jaj if =0 recalled above, it is constant. Lemma 15 Let f : A! B and D a f(x) =f(x+a);f(x). Let AC f (a) be the value at 0 of the Fourier transform of (D a f) : AC f (a) = P xa 0 (D af(x)). Then, AC f has Fourier transform j c f j. 13

14 PROOF. d AC f () = aa d D a f (0) (a) = aa xa 0 (f(x + a)) 0 (f(x)) (a) = 0 (f(x + a)) 0 (f(x)) (x + a) (x) = f c () f c (): aa xa AC f is often called the autocorrelation function of f. When only one nonzero exists, i.e. when B = GF (), it is also called the autocorrelation function of f. Theorem 16 Let f be any function from an abelian group A to an abelian group B. Then f has perfect nonlinearity if and only if, for every B and every A, f c q () has magnitude jaj. PROOF. According to Theorem 5, f has perfect nonlinearity if and only if for every a 6= 0 the function D a f(x) = f(x + a) ; f(x) is balanced. Thus, according to Proposition 14, f has perfect nonlinearity if and only if for every a A and every B we have AC f (a) = 0. Thus, according to the properties of the Fourier transform recalled above, f has perfect nonlinearity if and only if for every B, AC f has constant Fourier transform (this constant value must be jaj). Lemma 15 completes the proof. Theorem 16 states that f has perfect nonlinearity if and only if, for every B, f is bent in the sense of Logachev, Salnikov and Yashchenko. We recall at Subsection 3.6 the original notion of bent functions and its successive generalizations. 3.5 Obtaining functions with perfect nonlinearity from known ones At Subsection 3.1, we have seen obvious ways of obtaining perfect nonlinear functions from known ones. Another one is as follows: let A, A 0 and B be three abelian groups. Let f : A 7! B and g : A 0 7! B be two perfect nonlinear mappings. Then f g : A A 0 7! B dened by (f g)(x y) =f(x)+g(y) is perfect nonlinear. We givenow a non-trivial similar construction. Theorem 17 and the remark which follows it generalize the most part of the theorem in [1], which was stated for Boolean bent functions. Theoremq17 Assume that the size of A is a square. Let E be a subgroup of A of size jaj. Assume that f(x) is a function from (A +) to (B +) with 14

15 perfect nonlinearity and that f takes constant value on E. Then every function obtained from f by choosing another constant value for f on E has also perfect nonlinearity. PROOF. Let b be any element of B. Dene g(x) = f(x) if x = E g(x) = f(x) +b if x E. Let be any nonzero element of B. Denote by! the constant value of f on E. Recallthatwe denote by E? the set of elements of A such that (a) = 1 for all a E. Let us rst prove that c f () =! jej for every E?. According to relation (1) applied to ' = f and to a 0 = 0 =0,wehave E? c f () =! je? jjej. Since, according to Theorem 16, c f () has magnitude jej = q jaj for every, we deduce that c f () equals! q jaj for every E?. We have cg () = c f ()+! ( 0 (b) ; 1) ae (a): Thus cg () equals c f () for every = E?. And for every E? we have cg () =! q jaj +! ( 0 (b) ; 1) q jaj =! 0 (b) q jaj. Thus, cg () has magnitude q jaj for every A and every B, and g has therefore perfect nonlinearity. Remarks: (a) The same proof shows that if ' is bent on A in the sense of Logachev, Salnikov and Yashchenko (see Subsection 3.6) and if it is constant on E, then b' is constant on E? and ' remains bent if we change its constant value on E. (b) Since f c is constant on E?, applying property (1) to f c and to 0 =0 shows that for every a 0 = E: aa 0 +E f (a) = 0. This is equivalent to the fact that f is balanced on every coset of E in A, according to Proposition 14. (c) According to property (1), we have also f c() = 0 for every 0 +E? 0 = E?. If there exists a function g from A to B such that c f = q jaj g (using the same terminology as Kumar, Scholtz and Welch in[57],wecan say that f is regular-bent), this implies that g is balanced on every coset of E?. (d) Theorem 17 is still valid if we only assume that the restriction of f to E is ane and if we change the values of f on E by adding a constant 15

16 (apply Theorem 17 to f + l where f is ane). It is also valid if E is a coset of a subgroup (change f(x) into f(x + u)). (e) We give after Theorem 39 an example of application of Theorem 17. In the case q of this example, there exists a function g from A to B such that cf = jaj g. 3.6 Bent functions and perfect nonlinearity Let A be the abelian group GF () n, B = GF () and f a function from A to B. Using the notation of Subsection 3.4, we have f 1 (a) =(;1) f (a) and f c 1 () = P agf () n(;1)f (a)+a where a = 1 a 1 +:::+ n a n is the usual inner product in GF () n. The Fourier transform of f 1 = (;1) f is often called the Walsh transform of f. The notion of binary bent function, introduced by Rothaus in [73], is related to Parseval's relation P jc GF () n f 1 ()j = n : a function f : GF () n! GF () is bent if P agf () n(;1)f (a)+a has constant magnitude for every GF () n, or equivalently if the maximum of jf c 1 ()j equals its mean n (this is equivalent tosay that f lies at maximum Hamming distance from the set of ane functions) this is possible only if n is even. As shown by Rothaus, and also according to Theorem 16, this notion is equivalent to perfect nonlinearity. More information on binary bent functions can be found in the survey paper [14] and in Canteaut, Carlet, Charpin and Fontaine [10], Carlet [1{15], Carlet and Guillot [17,18], Dobbertin [37], Hou and Langevin [49], and Wolfmann [77]. Logachev, Salnikov and Yashchenko have adapted this notion in [6] to the general case of functions ' from any nite abelian group A to the set of complex numbers of magnitude 1 (see also Hou [48]): ' is bent if b'() has constant magnitude q jaj for every A. The notion of binary bent function has been generalized to functions from a nite abelian group A to a nite abelian group B in two directions: - Kumar, Scholtz and Welch [57] have generalized it to functions f from Z n q to Z q = Z=qZ, where q is any positive number. The function f 1 equals then! qf, where! q = exp(i=q) (where i = p ;1) and we have c f 1 () = P az n q! q f (a)+a. Kumar, Scholtz and Welch called generalized bent any function f from Z n q to Z q such thatf c 1 has constant magnitude p q n, i.e. such that f 1 is bent in the sense of Logachev, Salnikov and Yashchenko. Obviously, a stronger notion could also be considered: for every 6= 0, f is bent in the sense of Logachev, Salnikov and Yashchenko. But this notion does not deserve a specic denomination since, as shown in [16] and also according to Theorem 16, it is equivalent to perfect nonlinearity. - Ambrosimov [1] considers functions f from GF (q) n to GF (q) where q is a 16

17 power of a prime p, and GF (q) is the nite eld of order q. For every GF (q), f equals! p Tr(f) where Tr is the trace function from GF (q)togf (p) and where! p = exp(i=p). Then c f () equals P agf (q) n! p Tr(f(a)+a). The function f is called bent by Ambrosimov if, for every nonzero, c f has constant magnitude p q n, i.e. if f =! p Tr(f) is bent in the sense of Logachev, Salnikov and Yashchenko. As shown by Ambrosimov and according to Theorem 16, this notion is equivalent to perfect nonlinearity. The notions of bent functions by Kumar, Scholtz and Welch and by Ambrosimov, when they both apply,thatiswhenq is a prime, have dierent denitions but are in fact equivalent, as shown in [57]. 4 Binary functions with optimum nonlinearity In this section, we consider the case (B +) = (GF () +) and functions from A to B. If(A +) is cyclic, then functions from A to B with optimal nonlinearity are the same as binary sequences with optimal autocorrelation, i.e., perfect sequences. The main references for this section are [4,34,5]. Let n = jaj. For a function f from A to B, the autocorrelation function of f is AC f (a) = xa(;1) f (x+a);f (x) : The support of f is the set S f = fx Ajf(x) =1g: The weight of f is dened to be js f j, and denoted by w f. We also say that f is the characteristic function of S f. Considering the Fourier transform of D a f at vector 0, we have, according to Lemma 15 aa AC f (a) =(n ; w f ) : (15) For any subset H of A, we dene the dierence function d H (a) =j(h + a) \ Hj (16) 17

18 where H + a = fx + ajx Hg. The following easy result plays an important role in the sequel. Theorem 18 Let f be a function from A to B, and let k be the weight of f. Then for any nonzero a A, Pr(D a f(x) =b) = 8 >< >: n;(k;d Sf (a)) n (k;d Sf (a)) n b =0 b =1: PROOF. This is a generalization of Theorem 4.4 in [34] (see also Theorem in [4]). We have Pr(D a f(x) = 1) = 1 n w D af = 1 n ( w f ; d Sf (a)) and Pr(D a f(x) =0)=1; Pr(D a f(x) = 1). 4.1 The case n 0 (mod 4) Let (G +) be an abelian group with v elements, and let D be a k-subset of G. Then D is called a (v k ) dierence set of G if the equation x ; y = g has exactly solutions (x y) D D for every nonzero element g G. A trivial necessary condition for the existence of a (v k ) dierence set is k(k ; 1) = (v ; 1): (17) Theorem 19 Let D be a (v k ) dierence set of an abelian group (A +) with v elements, and let f D (x) be the function with support D. Then (a) for any nonzero a A, Pr(f D (x + a) ; f D (x) =b) = (b) P fd = max n v;(k;) v o (k;) v. 8 >< >: [v ; (k ; )]=v b =0 (k ; )=v b =1: PROOF. This is a generalization of Theorem 4.5 in [34] (see also Theorem 6.3. in [4]). The conclusion follows from Theorem

19 Theorem 0 Let f be a function from A to B. Then the following three conclusions are equivalent: (A) P f = 1 (B) AC f (a) =0for every nonzero element a of A (C) the support S f is a (4u u u u(u 1)) dierence set of A, where n =4u. PROOF. According to Theorem 5 and Proposition 14, (A) and (B) are equivalent. By Theorem 19, (C) implies (A). If (B) is true, then for every nonzero a, the function f(x) f(x + a) has constant weight andthesupports f is therefore a dierence set. According to Theorem 19, v 0 (mod 4). It is well known that a symmetric design with v = 4u can only exist if u is a perfect square and the parameters of S f have the form (4u u u u(u1)) (see Jungnickel [51, p. 8]). It follows from Theorem 0 that (4u u u u(u 1)) dierence sets, called Hadamard dierence set, of an abelian group A give all binary functions with perfect nonlinearity. Detailed information about Hadamard dierence sets can be found in [5]. We just mention the following. Lemma 1 [53] Let G be any group which is a direct product of an abelian group of order e and exponent at most e, where e = d + for some nonnegative integer d, with groups of the type Z m i, where each m i is a power of 3, and groups of the type Z 4 p j, where the p j are (not necessarily distinct) odd primes. Then G contains a Hadamard dierence set. Combining Theorem 0 and Lemma 1 proves the following. Theorem Let A = Z d+ Z m 1 ::: Z m t Z 4 p 1 ::: Z 4 p s (18) where each m i is a power of 3, thep j are (not necessarily distinct) odd primes, s 0 and t 0. Then there are binary functions from A to B with perfect nonlinearity. As recalled at Subsection 3.6, Boolean functions (i.e. functions from GF () n to GF ()) have perfect nonlinearity ifandonly if they are bent. Numerous binary functions with perfect nonlinearity from the set A of (18) to B = GF () can be constructed as indicated in Theorem by using the actual constructions of the Hadamard dierence sets indicated in Lemma 1: 19

20 for details, we refer to Arasu, Davis, Jedwab, Sehgal [], Chen [1], Kraemer [56], Turyn [76], and ia [78]. 4. The case n 3 (mod 4) In this section, let (A +) be an abelian group of order n 3 (mod 4), and B = GF (). The following theorem is the function version of perfect sequences [5]. Theorem 3 Let f be a function from A to B. Then the minimum possible value for P f is and the following two conclusions are equivalent: n (A) P f = n (B) the support S f is an n n;1 n;3 4 or n n+1 n+1 4 dierence set of A. PROOF. Let k be the weight of f. Note that [n ; (k ; d Sf (a))] + (k ; d Sf (a)) = n. By Theorem 18, to minimize P f we need to minimize the maximum magnitude of [n ; (k ; d Sf (a))] ; (k ; d Sf (a)) = n ; 4(k ; d Sf (a)) where a ranges over A. Since n ;1 (mod 4), the minimal possible magnitude of n ; 4(k ; d Sf (a)) corresponds to n ; 4(k ; d Sf (a)) = ;1. Thus, P f is minimal if and only if d Sf (a) =k ; n+1 for every nonzero a A, i.e., if S 4 f is an n k k ; n+1 4 dierence set of A. It then follows from the equation k(k ; 1) = (n ; 1) k ; n +1 4 that k = n1, and the minimal value for P f is n. We say that f has optimum nonlinearity if P f (here ). n achieves the minimum value dierence set is an n n+1 n+1 4 Since the complement of any n n;1 n;3 4 dierence set and vice versa, we consider only dierence sets with parameters. Dierence sets of this type are called Paley-Hadamard dierence n n;1 n;3 4 sets. Any Paley-Hadamard dierence set of A gives a function from A to B with optimum nonlinearity. 0

21 Paley-Hadamard dierence sets include the following classes: (1) with parameters ( t ;1 t;1 ;1 t; ;1), for description of dierence sets with these parameters see Dillon [31], Dillon and Dobbertin [3], Gordon, Mills and Welch [4],Pott [7], iang [79], where n = q(q +)andboth q and q + () with parameters n n;1 n;3 4 are prime powers. These are generalizations of the twin-prime dierence sets, and may be dened as f(g h) GF (q) GF (q +):g h 6= 0 and (g)(h) =1g [f(g 0) : g GF (q)g where (x) = +1ifx is a nonzero square in the corresponding eld, and (x) =;1 otherwise [53] (3) with parameters n n;1 n;3 4, where n = q is a prime power congruent to 3 (mod 4). They are Paley dierence sets and just consist of all the squares in GF (q) [53] (4) with parameters n n;1 n;3 4, where n = q is a prime power of the form q = 4s +7.They are cyclotomic dierence sets and can be described as [51] D = D (6 q) 0 [ D (6 q) 1 [ D (6 q) 3 where D (6 q) 0 denotes the multiplicative group generated by 6, D (6 q) i D (6 q) 0 denotes the cosets, and is a primitive element of GF (q). i = 4.3 The case n (mod 4) As before let (A +) be an abelian group of order n. LetC be a k-subset of A. The set C is an (n k t) almost dierence set of A if d C (a) =j(c + a) \ Cj takes on the value altogether t times and the value + 1 altogether n ; 1 ; t times when a ranges over all the nonzero elements of A. Two kinds of almost dierence sets were introduced in [6] and [33,34] (see also [4, p. 140] and [35]). They were generalized and unied in [36]. For (n k t) almost dierence sets of A we have the following basic relation k(k ; 1) = t +(n ; 1 ; t)( +1): (19) The following lemma due to Bruck, Chowla and Ryser will be needed later. 1

22 Lemma 4 Let D be an (n k ) dierence set in a group G. (i) If n is even, then k ; is a square. (ii) If n is odd, then the equation x =(k ; )y +(;1) n;1 z (0) has a solution in integers x, y, z, not all zero. We consider now functions f from A to B with optimum nonlinearity. As before, let S f and k be the support and weight of f respectively. When A is cyclic, the rst part of the following theorem is the function version of the corresponding results about perfect sequences [5]. Theorem 5 The minimum possible value for P f is Furthermore, n P f = if and only if n (a) the support S f is a dierence set with parameters n n p 3n ; n + p 3n ; 4! (1) (b) or the support S f is an almost dierence set with parameters n k k ; n + 4 4nk ; 4k ; (n ; 1)(n ; ) 4! : () PROOF. The minimum discrepancy between n ; (k ; d Sf ()) and (k ; d Sf ()) is, since n (mod 4). By Theorem 18, the nonlinearity measure P f achieves its minimum value if and only if one of the following three cases happens: (A) [n ; (k ; d Sf ())] ; (k ; d Sf ()) takes on only value when ranges over all nonzero elements of A (B) [n ; (k ; d Sf ())] ; (k ; d Sf ()) takes on only value ; when ranges over all nonzero elements of A (C) [n ; (k ; d Sf ())] ; (k ; d Sf ()) takes on both values and ; when ranges over all nonzero elements of A. In all three cases the minimum value for P f is n If (A) happens, then S f is an n k k ; n; 4 dierence set. Hence we obtain k(k ; 1) = (n ; 1) k ; n ; 4 :

23 Whence k = n p 3n ; : Hence S f is an n np 3n; n+p 3n; 4 dierence set. We now prove that (B) cannot happen. Suppose that (B) happens. Then S f is an n k k ; n+ 4 dierence set. Hence we obtain Whence k(k ; 1) = (n ; 1) k ; n n ; + =0: 4 This is impossible. k ; n + 4 : By denition, (C) happens if and only if d Sf () =k ; n 4 which is equivalent to S f being an n k k ; n+ 4 t almost dierence set of A. It then follows from (19) that t = 4nk ; 4k ; (n ; 1)(n ; ) : (3) 4 Remarks: (I) Note that 1 t n ;. It follows from (3) that n ; q 3(n ; ) k n + q 3(n ; ) (4) if f has optimum nonlinearity. This means that in the case n (mod 4) the weight k of functions with optimum nonlinearity is more exible, compared with the two cases n 0 (mod 4) and n 3 (mod 4). 3

24 (II) The condition of (17) and Lemma 4 cannot be used to rule out the existence of dierence sets with parameters of (1). For examples, ( ) and ( ) are such parameters. However, it is known that no difference sets with parameters ( ) exist [51]. No dierence set with the parameters of (1) is known. In the cyclic case, more information on the existence can be found in [5]. Open Problem 6 Construct dierence sets with the parameters of (1) or show that dierence sets with such parameters do not exist. We describe now the classes of binary functions with optimum nonlinearity which correspond to the known almost dierence sets with the parameters of (). To this end, we need to dene cyclotomic classes and numbers. Let GF (q) be a nite eld, and let d divide q ; 1. For a primitive element of GF (q), dene D (d q) 0 =( d ), the multiplicative group generated by d,and D (d q) h = h D (d q) 0 for h =1 ::: d; 1: These D (d q) h are called cyclotomic classes of order d. Thecyclotomic numbers of order d with respect to GF (q) are dened as (h j) = D (d q) h +1 \ D (d q) j : Clearly, there are at most d dierent cyclotomic numbers of order d. The cyclotomic classes of order 4 can be used to describe several classes of binary functions with optimum nonlinearity. Consider the nite eld GF (q), where q 5 (mod 8). It is known that q has a quadratic partition q = s +4t, with s 1 (mod 4). Let D (4 q) h be the cyclotomic classes of order 4. Theorem 7 Let h j l f0 1 3g be three pairwise distinct integers, and dene C = h f0g D (4 q) h Then C is an n n; n;6 3n;6 4 4 if i h [ D (4 q) j [ f1g D (4 q) l (1) t =1and (h j l) f(0 1 3) (0 1)g or () s =1and (h j l) f(1 0 3) (0 1 )g: i [ D (4 q) j : almost dierence setofa = GF () GF (q) Theorem 7 is a generalization of two results in [36]. The proof given in [36] can be slightly modied to give a proof of Theorem 7 by using cyclotomic numbers of order 4 for general nite elds [74]. 4

25 It follows from Theorems 5 and 7 that the characteristic functions f C of the several classes of almost dierence sets C described in Theorem 7 have optimum nonlinearity. Furthermore these functions have weight n;, where n =q. So we say that they are almost balanced. Theorem 8 Let h j l f0 1 3g be three pairwise distinct integers, and dene C = h f0g D (4 q) h i h [ D (4 q) j [ f1g D (4 q) l i [ D (4 q) j [f0 0g: Then C is an n n n; 3n; 4 4 almost dierence set of A = GF () GF (q) if (1) t =1and (h j l) f(0 1 3) (0 3) (1 0) (1 3 0)g or () s =1and (h j l) f(0 1 ) (0 3 ) (1 0 3) (1 3)g: Theorem 8 is also a generalization of two results in [36]. The proof given in [36] can also be slightly modied to give a proof of Theorem 8 by using cyclotomic numbers of order 4 for general nite elds [74]. It follows from Theorems 5 and 8 that the characteristic functions f C of the two classes of almost dierence sets C described in Theorem 8 have optimum nonlinearity. Furthermore these functions have weight n, where n =q. Hence they are balanced. We now describe another class of functions with optimum nonlinearity. Let q 3 (mod 4). Let D ( q) h denote the cyclotomic classes of order with respect to GF (q) and let be the primitive element employed to dene the cyclotomic classes of order. Theorem 9 Dene a function from (Z q;1 +) to (GF () +) as f(h) = 8 >< >: 1 if h (D ( q) 1 ; 1) 0 otherwise. Then f has optimum nonlinearity. Theorem 9 is the function-oriented version of a result about binary sequences with optimum autocorrelation given in [60]. The support of the function f dened in Theorem 9 is of course an almost dierence set by Theorem 5. 5

26 4.4 The case n 1 (mod 4) and n>1 In this section we assume that n 1 (mod 4) and consider binary functions f from A to B with optimum nonlinearity. As before, let S f and k be the support and weight of f respectively. Theorem 30 The possible minimum value for P f is Furthermore, n P f = if and only if the support n S f is a dierence set with parameters n n p n ; 1 n +1p! n ; 1 : (5) 4 PROOF. The proof is similar to that of Theorem 5 and is omitted. Remarks: (a) For any dierence set with parameters of (5), the number np n;1 must be a square. (b) The parameters of (5) satisfy the conditions of both (17) and Lemma 4. Note that s n p n ; A is a solution to (0). Examples of parameters are (13 9 6) ( ) ( ) ( ) ( ): But it is known that among the parameters above only dierence sets with parameters (13 9 6) exist [51]. The set D = f g is a (13 9 6) dierence set in Z 13.Itisknown that no cyclic abelian dierence set of this type exists for 13 <n 001 [5]. Open Problem 31 Construct new dierence sets with parameters of (5) or show that dierence sets with such parameters do not exist for n > 001. (We are interested only in the case n>001 because of Remark (b) above.) Theorem 3 P f = n if and only if the support S f is an almost dierence set with parameters 6

27 n k k ; n +3 4nk ;! 4k ; (n ; 1) : 4 4 PROOF. The proof is similar to that of Theorem 5 and is omitted. Similarly, we have the following bounds for the weight of f n ; p n ; 5 k n + p n ; 5 (6) if f has nonlinearity P f = n. Theorem 33 Let q 1 (mod 4) and let D ( q) h denote the cyclotomic classes of order. Then the function from (GF (q), +) to (GF (), +) dened by f(x) = 8 >< >: 1 if x D ( q) 0 0 otherwise has nonlinearity P f = n. PROOF. It can be proved with the help of Theorem 18 and the cyclotomic numbers of order [74]. Theorem 34 Let q = 4q 0 +1 = x +4y be a power of an odd prime with x 1 (mod 4). Then D (4 q) h [ D (4 q) j is an q q;1 q;5 q;1 4 almost dierence set if and only if q 0 is odd, y = 1, and (h j) f(0 1) (1 ) ( 3) (3 0)g. Theorem 34 is a slight generalization of a class of almost dierence sets in [35]. The proof given in [35] can be slightly modied to give a proof of Theorem 34 by using cyclotomic numbers of order 4 for general nite elds [74]. It follows from Theorems 5 and 34 that the characteristic functions f C of the class of almost dierence sets C described in Theorem 34 have nonlinearity P f = q;1. Furthermore these functions have weight, and thus are n balanced. 7

28 4.5 Minimum distance from ane functions In Sections 4.1 and 4.3, we have described binary functions from A to B with optimum nonlinearity constructed from dierence sets in the two cases n 0 (mod 4) and n (mod 4), where n is the order of A. In this section we are concerned with the minimum distance of such a function with all ane functions from A to B. We call the two constant functions 0 and 1 trivial ane functions. Theorem 35 Suppose D is an (n k ) dierence set of A, and f D (x) is the characteristic function of D. Assume that l(x) is any nontrivial ane function from A to B. Then Pr(f D (x) =l(x)) = 1 p 1 ; c p n where Pr(f D (x) = l(x)) denotes the probability of agreement between f D (x) and l(x), and c = n;4(k;). Hence the distance between f n D (x) and l(x) is p d(f D (x) l(x)) = n 1 ; c p n: PROOF. This is a generalization of Theorem 4.8 in [34], see also Theorem in [4]. The proof is essentially the same as the one given in [34] and [4], and is omitted. If D is a Hadamard dierence set, then c = 0 and d(f D (x) l(x)) = n p n : Hence the minimum distance N f between f D (x) and all ane functions is n; p n (and is optimal, according to Parseval's relation). This was known for bent functions. It is shown here that this is also true for the characteristic function of any Hadamard dierence sets. 8

29 5 Nonbinary functions with optimum nonlinearity 5.1 The case jbj =3 Since the abelian group of order 3 is unique up to isomorphism, in the case m = 3 we assume that (B +) = (Z 3 +). In this case if fc 0 C 1 C g is an (n 3 n=3) dierence partition of A with respect to B, then the conditions of (7) reduce to k 0 + k 1 + k = n +n 3 k 0 + k 1 + k = n since these two equalities imply k 0 k 1 + k 1 k + k k 0 = n ;n 3. For example, (k 0 k 1 k )= n + p n 3 n + p n n ; p! n 3 3 and (k 0 k 1 k )= n ; p n 3 n ; p n n +p! n 3 3 are solutions to the two equations above. In fact, (n 3 n=3) dierence partitions of some A with respect to B, or equivalently, functions from some A to B with perfect nonlinearity, do exit. When q = 3 Theorem 39 below gives a large class of perfect nonlinear functions with jbj = The case jbj=4 When B = Z 4, we have the following constraints: Theorem 36 Let (A +) be an abelian group of order n and let (B +) = (Z 4 +), where n is a multiple of 4. Ifan(n 4 n=4) dierence partition fc b jb Bg of A with respect to B exists, then 8 >< >: k 0 + k = np n k 1 + k 3 = np n (7) 9

30 where k z = jc z j for each z B. PROOF. If fc b jb Bg is an (n 4 n=4) dierence partition, then the conditions of (7) reduce to n(n ; 1) k 0 k + k 1 k 3 = 8 k 0 + k 1 + k + k 3 = n k 0 + k 1 + k + k 3 = n +3n 4 since k 0 k 1 + k 1 k + k k 3 + k 3 k 0 = k 0 k 3 + k 1 k 0 + k k 1 + k 3 k =(k 0 + k 1 + k + k 3 ) ; (k 0 + k 1 + k + k 3) ; (k 0 k + k 1 k 3 ). It then follows that (k 0 + k ) +(k 1 + k 3 ) = n +n (k 0 + k )+(k 1 + k 3 )=n: (8) Solving the set of equations proves the conclusion. We shall see at Subsection 6.5 that there exist perfect nonlinear functions from A = Z n 4 to B = Z 4, where n is any positive integer greater than 1. Theorem 37 Let (A +) be an abelian group of order n and let (B +) be either (Z Z +) or (GF ( ) +), where n is a multiple of 4. Ifan(n 4 n=4) dierence partition fc b jb Bg of A with respect to B exists, then the vector (k (0 0) k (0 1) k (1 0) k (1 1) ) must take on one of the following: p n+3 n n;p n n;p n p n; n n;p n n+3p n n;p n p n;3 n n+ p n n+ p n n+ p n p n+ n n+p n n;3p n n+p n n;p n 4 p n; n n;p n n;p n p n; n n+3p n n;p n p n+ n n+ p n n+ p n n;3 p n p n+ n n;3p n n+p n n+3p n 4 ( n;p n ( n+p n 4 (9) where k (i j) = jc (i j) j for each (i j) B. PROOF. Note that (GF ( ) +) is isomorphic to (Z Z +). We need to consider B = Z Z only. IffC b jb Bg is an (n 4 n=4) dierence partition of A with respect to B, then the conditions of (7) reduce to 30

31 8 >< >: k (0 0) k (0 1) + k (1 0) k (1 1) = n(n;1) 8 k (0 0) k (1 0) + k (0 1) k (1 1) = n(n;1) 8 k (0 0) k (1 1) + k (1 0) k (0 1) = n(n;1) 8 k + (0 0) k + (0 1) k + (1 0) k = n +3n (1 1) : 4 (30) Solving the set of equations above gives 8 >< >: 8 >< >: 8 >< >: k (0 0) + k (0 1) = np n k (1 0) + k (1 1) = np n k (0 0) + k (1 0) = np n k (0 1) + k (1 1) = np n k (0 0) + k (1 1) = np n k (1 0) + k (0 1) = np n : So there are eight cases. In each case, we obtain two solutions (k (0 0), k (0 1), k (1 0), k (1 1) ). Altogether we get the eight solutions of (9). It is checked that they are indeed solutions of (30). This completes the proof. Theorem 38 Let (A +) be an abelian group of order n and let (B +) be either (Z Z +) or (GF ( ) +), where n is a multiple of 4. If f is a function from A to B with perfect nonlinearity P f = 1 4, then N f = 3n ; 3p n 4 or 3n ; p n : 4 PROOF. We consider only the case B = Z Z. For any ane function l(x), g(x) = f(x) ; l(x) must have perfect nonlinearity P g = 1 as f(x) has 4 perfect nonlinearity.letk (i j) = jfx Ajg(x) =(i j)g. By Theorem 37, (k (0 0), k (0 1), k (1 0), k (1 1) )must take ononeoftheeightvectors listed in Theorem 37. The conclusion of this theorem then follows. Remarks: (1) The nonlinearity N f measures the minimum distance between f and all ane functions from A to B. Theorem 37 means that the best ane approximation of any function from A to B with perfect nonlinearity is very poor. 31

32 () The conditions of (8), those of (7), and Theorem 38 may suggest that functions with optimum nonlinearity P f may not have optimum nonlinearity N f. In other words the two kinds of measures of nonlinearity are not consistent for nonbinary functions. This is not strange, as sometimes the nonlinearity measure N f makes little sense. (3) When q = 4, Theorem 39 below willgive a large class of perfect nonlinear functions with jbj = 4. 6 Constructions of functions with optimum nonlinearity We give the basic constructions. They can be modied and combined by using the results of Section Functions from (GF (q) n +) to (GF (q) +) Let p be a prime and q = p l. We have seen at Subsection 3.6 of Section 3 that for every GF (q), f equals! p Tr(f) where Tr is the trace function from GF (q) to GF (p) and where! p = exp(i=p). Thus, c f () equals P agf (q) n! p Tr(f(a)+a). We extend now the known constructions of perfect nonlinear Boolean functions (cf. [30]) to this more general framework. Let (A +) = (GF (q) n +), where n is even. Then the following function f from (A +) to (GF (q) +) f(x 1 x ::: x n )=x 1 x n=+1 + x x n=+ + :::+ x n= x n has perfect nonlinearity P f = 1 q. Hence fc b(f)jb GF (q)g is a (q n q q n;1 ) dierence partition, where C b (f) =fx Ajf(x) =bg. More generally, we have the following result. Theorem 39 Let n be any even positive integer and let be a bijective mapping from GF (q) n= to GF (q) n=. We denote its coordinate functions by 1 ::: n=. Let g be a function from GF (q) n= to GF (q). Then f(x 1 x ::: x n )=x 1 1 (x n=+1 ::: x n )+x (x n=+1 ::: x n )+:::+ x n= n= (x n=+1 ::: x n )+g(x n=+1 ::: x n ) 3

33 has perfect nonlinearity P f = 1 q PROOF. Denote (x 1 x ::: x n= ) by x and (x n=+1 x n=+ ::: x n ) by x 0. We have f(x x 0 ) = x (x 0 )+g(x 0 ). For every 0 6= GF (q) and every 0 GF (q) n=, we have cf ( 0 )=! Tr([x(x0 )+g(x 0 )]+x+ 0 x 0 ) p x x 0 GF (q) n= where Tr is the trace function from GF (q) to GF (p). The partial sum P )+g(x 0 )]+x+ 0 x 0 xgf (q) n=!tr([x(x0 ) p is null if (x 0 )+ 6= 0. Thus cf ( 0 )=q n=! Tr(g(x0 )+ 0 x 0 ) p x 0 ;1 (;=) and, since ;1 (;=) is a singleton, f has perfect nonlinearity according to Theorem 16. This class of functions is often called Maiorana-McFarland's class. The functions f in the class of Maiorana-McFarland functions with constant g can be modied using Theorem 17: take E = f0ggf (q) n= in this theorem denote by 0 the Dirac symbol ( 0 (x) = 1 if x = 0, 0 (x) = 0 otherwise) we have that, for every GF (q), the function f(x 1 x ::: x n )= x 1 1 (x n=+1 ::: x n )+x (x n=+1 ::: x n )+:::+ x n= n= (x n=+1 ::: x n )+ 0 (x)+ is perfect nonlinear. Remark: Let q be an odd prime, then every polynomial function of degree from GF (q) to GF (q) is bent [57] and therefore perfect nonlinear. Let q be a power of and let b 0 ::: b 4 be elements of GF (q). Then, as shown by Ambrosimov in [1], the function from GF (q) to GF (q): f(x 1 x )= b 0 + b 1 x 1 + b x + b 3 x 1 + b 4 x + x 1 x has also perfect nonlinearity. Another adaptation of a classical construction is the following: Theorem 40 Let p be a prime and q = p l. Let (A +) = (GF (q) n +), where n is even. We identify GF (q) n= with the eld GF (q n= ).Let g be anybalanced function from GF (q n= ) to GF (q). Then the following function f from (A +) to (GF (q) +) f(x x 0 )=g(xx 0qn= ; ) x x 0 GF (q n= ) has perfect nonlinearity P f = 1 q. 33

34 PROOF. For every 0 6= GF (q) andevery 0 GF (q n= ), we have cf ( 0 )= x x 0 GF (q n= )! Tr(g(xx0qn= ; ))+Tr 0 (x+ 0 x 0 ) p where Tr is the trace function from GF (q) to GF (p) and Tr 0 is the trace function from GF (q n= ) to GF (p). Writing x = x 0 z for every x 0 6=0,we have xgf (q n= ) x 0 GF (q n= ) zgf (q n= ) x 0 GF (q n= ) z x 0 GF (q n= )! Tr(g(xx0qn= ; ))+Tr 0 (x+ 0 x 0 ) p =! Tr(g(z))+Tr0 ((z+ 0 )x 0 ) p ;! Tr(g(z))+Tr0 ((z+ 0 )x 0 ) p = zgf (q n= )! Tr(g(z)) p : = 0,according to Proposi- Since g is balanced, we have P zgf (q n= )!Tr(g(z)) p tion 14. Thus cf ( 0 )= xgf (q n= )! Tr(g(0))+Tr0 (x) p + z x 0 GF (q n= )! Tr(g(z))+Tr0 ((z+ 0 )x 0 ) p : The partial sum P x 0 GF (q n= )!Tr(g(z))+Tr0 ((z+ 0 )x 0 ) p is null if z+ 0 6=0. If 6= 0, since the sum is null, we deduce that xgf (q n= )! Tr(g(0))+Tr0 (x) p cf ( 0 ) has magnitude q n=. And if = 0 and 0 6= 0, then f c ( 0 ) = q n=! Tr(g(0)) p has also magnitude q n=.we deduce that f c (0 0) has magnitude q n= as well, thanks to Parseval's relation. Thus, f has perfect nonlinearity according to Theorem 16. This class of functions is often called Dillon's class or Partial Spreads class (when q =, the support of the function is a partial spread). 6. Functions from (GF (q) n +) to (GF (q) n +): perfect and almost perfect nonlinear mappings We consider now the case of mappings f from GF (q) n to GF (q) n where q = p l. Since GF (q) n can be identied, as a vector space over GF (p) withgf (q n )= GF (p ln ), this case reduces to that of mappings f from GF (p m ) to GF (p m ). If p =, the minimum possible value of P f is, because the characteristic p m of the eld being equal to, any solution x of the equation D a f(x) = b 34