Constructions of Quadratic Bent Functions in Polynomial Forms

Transcription

1 1 Constructions of Quadratic Bent Functions in Polynomial Forms Nam Yul Yu and Guang Gong Member IEEE Department of Electrical and Computer Engineering University of Waterloo CANADA Abstract In this correspondence the constructions and enumerations of all bent functions represented by a polynomial form of "! # $ % &$)( * are presented for special cases of / Using an iterative approach the construction of bent functions of / degree is also provided using the constructed quadratic bent functions variables with Index Terms Bent functions Boolean functions Maximum nonlinearity Semibent functions I INTRODUCTION A bent function is a Boolean function with even number of variables whose Walsh transform has a constant magnitude [1] In the coding context it is a coset of the first order ReedMuller code with the largest minimum weight [19] In other words a bent function has a maximum distance from a linear function so it is maximally nonlinear For the maximum nonlinearity bent functions have been paid a lot of attention to by researchers for cryptographic applications [] [9] Moreover the maximum nonlinearity of bent functions corresponds to a minimized maximum correlation between the functions and a trace function Thus bent functions also have many applications in algebraic coding and sequence design [19] [22] In [1] and [1] Khoo Gong and Stinson investigated the following sum of monomial trace terms with quadratic exponents where the exponent of variables has the Hamming weight For

2 1 odd where "!"#!"# $ # is the trace function from # to % The spectrum of Hadamard transform of (which will be formally defined in next section) belongs to the integer ring & If the spectrum only takes three values of )( * / % then is called a semibent function for odd [1] Khoo Gong and Stinson derived a necessary and sufficient Let condition for a semibent function ie is semibent if and only if 8:9<; = Following this work Charpin Pasalic and Tavernier [] considered % DFEC 1 G!"# odd G!"# even A (1) For even is called a semibent function in [] if the spectrum of belongs to )( * H % They showed that for even is semibent if and only if 8:9<; =I5 J K L For odd on the other hand they derived some conditions that with three or four trace terms is semibent Then they derived the construction of semibent functions of odd with higher degree from semibent functions of even in (1) and also derived the construction of bent functions with higher degree from semibent functions of odd Applying the techniques developed in [1] Ma Lee and Zhang [18] showed that a necessary condition for the bent functions with such a representation is as follows 5<M % N$ 5OM = "!Q# GP!"# (2) $ 5OM where is even and # is the trace function from to P # Or equivalently the 5OM monomial trace term P has to be presented in the representation Furthermore a necessary and sufficient condition for given by (2) to be bent is 8R9O; =I5 S [18] where 5<M LT 5V 5OM A () U For the quadratic bent functions represented by a polynomial form (2) the known cases are: W all s are zero corresponding to the Kasami (small) signal set [12] or all 2 s are one

3 giving the Udaya s construction [2] or ones of the Kim and No s signal set [15] respectively; < all choices of s are distributed by equal distance of giving s for [18] For the polynomial construction of nonquadratic bent functions on the other hand the known cases are monomial trace functions with the Kasami [8] exponents and the Dillon exponents [7] and a sum of trace functions with the Niho exponents [9] It is worthwhile to point out that all quadratic bent functions of Boolean forms are known [19] which can be obtained by applying the affine transform to O 5V in 1 5OM The MaioranaMcFarland s construction [21] for quadratic bent functions also belongs to this class In this paper we consider how to construct quadratic bent functions in polynomial forms Precisely we present the construction of all quadratic bent functions represented by a polynomial form (2) by giving a necessary and sufficient condition on s for special cases of The paper is organized as follows In Section II we introduce some concepts and definitions which will be used throughout the paper In Sections III and IV we derive their respective constructions for and with and order of modulo is or functions for the case respectively where is odd prime and the with odd An enumeration of such quadratic bent is also given in Section III For we list the result of the enumeration without proof in Section IV since the proof is similar to that of but rather lengthy In Section V we demonstrate a way to apply the iterative method of Charpin Pasalic and Tavernier for constructing bent functions of variables with degree 5 using the quadratic bent functions constructed in this paper Concluding remarks and discussion will be given in Section VI II PRELIMINARIES The following notation will be used throughout the paper is odd prime with ; is the order of modulo ie the smallest integer such that! #" & represents the integer ring #%$ &)( *R is the finite field with * elements and # $ the multiplicative group of #$ #5 is a vector space over # )( with a set of all binary tuples ;

4 5 A Let be positive integers and F ie is a divisor of The trace function from # $ # 5 L to is denoted by $ $ 5 is simply denoted as if the context is clear Q!"# A Boolean and polynomial functions V = Let 5V # 5 be a vector in!"# with # 5 A function from # to which takes on values ( or is called a Boolean function A Boolean function consists of a sum of all possible products of s with coefficients ( or ie V % 57 5!"# where maximum value of with nonzero is called the degree of the Boolean function L # A function from # to can be represented as % 5 =!Q# where is a coset leader ofo 5 a cyclotomic coset modulo cyclotomic coset containing () is called a polynomial $ % representation of is also referred 5 to as an exponent of the monomial trace term If the Hamming weight of is equal to then we also say is a quadratic exponent < because the degree of the Boolean 5 form of is equal # to the Hamming weight of In terms of a basis of # a polynomial function of a sum of trace functions from to # # 5 is equivalent to a Boolean function from # to For example a sum of monomial trace () and is a size < of the terms with quadratic exponents corresponds to a quadratic Boolean function For the theory of Boolean functions and their polynomial representations readers are referred to [1] [11] and [19] B Bent functions A Boolean function of variables is called a bent function if its Walsh transform has a constant magnitude [1] [19] where the Walsh transform of a Boolean function % is defined

5 A 5 by In the equivalent polynomial function % from #!"# 5 A to # its Hadamard transform is defined by!"# %! Then is bent if *! where is even For odd is semibent if )( * H L S! For even on the other hand is semibent if )( * Bent functions exist only for even C Cyclotomic polynomials A polynomial whose roots are the field elements of order is called the dth cyclotomic polynomial [17] denoted by is a monic polynomial of order and degree where is the Eulertotient function defined as the number of integers of 8R9O; [17] has the following basic properties [1] [2] Property 1: Let be the th cyclotomic polynomial W In particular " " " L where prime For # L L $ In other words % is selfreciprocal (A polynomial & L with degree is called selfreciprocal if & & L ) 1 For For prime A cyclotomic polynomial is irreducible over the integer ring & but it may not be irreducible over # Throughout this paper we consider cyclotomic polynomials over # We list several useful properties on the factorization of over # without proofs For more details see [1] [17] and [2] Property 2: L is irreducible over # if and only if ; is with is

6 Property : For # prime let irreducible over Then the degree and the order of each & # and respectively L & & L & L where & for for is are given by Property # : For prime let = be distinct monic irreducible polynomials over of degree # and order and let # Then = =% are distinct monic irreducible polynomials over of degree # and order D A criterion of bent functions with quadratic exponents For odd Khoo Gong and Stinson showed a necessary and sufficient condition for a semibent function with quadratic exponents [1] [1] Similarly a necessary and sufficient condition for a bent function with quadratic exponents can be directly resulted from the techniques developed in [1] and [1] The following fact appears in [18] Fact 1: For even let 5OM % 5OM 5<M = Q!"# GP!"# A Then is bent if and only if 8:9<; L= 5? where 5<M L 5V 5OM 5OM A (5) U 5<M % if is bent In addition Corollary 1: For 8R9O; =? Proof: From 5 Hence Corollary 1 is true with and odd L given by (2) is bent if and only if 8:9<; L=5 if and only if 8R9<; From Fact 1 and Corollary # L 1 it is immediate that for with given by (2) is a bent function from # to for any choices of s [18] Thus the total number of such bent functions for is equal to

7 1 7 III CONSTRUCTION AND ENUMERATION FOR In this section we construct and enumerate all bent functions given by 5<M % N$ 5OM = "!Q# GP!"# () for with where is odd prime with ; or ; with odd Before we present the construction and enumeration we need some preparations on the greatest L common divisor of given by () ie 57 5OM and the th cyclotomic polynomial In the following when L 1 5<M we talk about a root of a polynomial over # we always mean that the root belongs to some # extension field of Lemma 1: Let be Then W " ;? where 1 Let be odd prime with ; or ; 8:9<; if and only reduced modulo and be a root of with (7) where is odd Then which is equivalent to for all A (8) W Proof: can be rewritten as L 5V 5V 57 5V 57 A? Hence we obtain (7) from (9) modulo For the prime where We may write? Then 8:9<; L= LH (9)

8 If ; L # is irreducible over Hence 8:9<; L=? 8R9O; = (1) L and we obtain The last equivalence is from the Euclidean algorithm By comparing (8) If ; where is odd on the other hand & & where & and & L are irreducible over # with & [] Note that if is a root of & L then is a root of & and vice versa (Note that if is a root of & then cannot be its root []) Since is a root of the order of is ie 5 From () therefore 5OM 57 5OM 5OM R5OM and thus is a root of if is its root If has the irreducible factor & therefore it simultaneously has the other irreducible factor & L and vice versa Hence (1) is also true in this case Similar to the case of ; we obtain (8) Theorem 1: Let with and be odd prime with ; or ; where % is odd Then given by () is bent if and only if there exists at least one for where 1 such that % The number of bent functions of denoted by is given by A Note that 5 L is the number of nonbent % functions of Proof: From Fact 1 and Corollary 1 is nonbent if and only if 8R9O; 8 (11) S < % Applying Lemma 1 is nonbent if and only if (8) is achieved Therefore is bent if and only if there exists at least one for the proof for the first part of the result such that (11) is true which completes

9 5 that we can arrange the elements of into an matrix as follows where ( Then is equal to the sum of the entries in the th column of for Thus we see that all s occurring in and in (11) are distinct In the following we will count the number of nonbent functions ie the number of vectors satisfying (8) Note that Next we consider the enumeration of vectors the condition of (8) is equivalent to ie 5 For each there are for all 5<M which satisfy (11) Note for all! s in (12) where % 9 A (12) % For (12) the number of s which take on the value should be odd for each Therefore there are 1 choices of such s for each Since there are choices of the number of s satisfying (12) is given by? A! s for < 5 in Thus the Meanwhile there are no conditions on number of choices of such s is given by Consequently the number of vectors which satisfy (8) is given by 5 which is equal to the number vectors producing the nonbent functions Therefore the number A of vectors producing the bent functions is given by

10 1 TABLE I CONSTRUCTION OF BENT FUNCTIONS WITH QUADRATIC EXPONENTS FOR (5 CORRESPONDS TO ) Trace exponents Trace exponents Remark 1: The first few primes R B! of Theorem 1 are "#: $ Note that the matrix is useful for understanding the construction in Theorem 1 In other words in the proof of Theorem 1 let &%(V ) ) for ( is the th column vector of % Then is bent if and only if there exists at least a pair of column vectors and for such that the sum of elements in the pair is equal to ( Example 1: For % 1 Thus * where the matrix representation of each coefficients is given by ( is bent if and only if and can be free to choose Also the number of bent functions is given by $ $ A $ All possible bent functions are listed in Table I Note For we have such that % Thus is bent if and only if there exists at least one with In Theorem 2 of [18] the authors attempted to state the sufficient condition of this result However the assertion appeared there is not in a clear way (

11 A IV CONSTRUCTION FOR In this section we present a necessary and sufficient condition on s that % given by () is where is odd prime with ; or ; with odd We start from the following definition and lemma bent for with and Definition 1: Let 1 circular symmetric with if where!?# and is even Then is called Lemma 2: Let for odd prime and an integer and be circular symmetric with Assume that there exists a polynomial L!"# % * such that L where is the th cyclotomic polynomial Then W is circular symmetric with degree ;<8 If we write 1!"# then LT A In other words contains all monomial terms of property Proof: W The circular symmetric polynomial with From L and the selfreciprocity of V From (1) and (1) we have #? # # 11 has the following BA (1) (Property 1 in Section II) V # (1) A #!!??BA A L (15)

12 A Since ;<8 we have ; <8 H where Furthermore ( from ( ( Thus can be written as 1 where!"# Hence we have # (1) to Applying this to where the last equality is from the change of a variable from (15) we get the requirement of coefficient ie or equivalently From Definition 1 is circular symmetric < We may write 1 we get ( 1 From where is the double summation of the second term Note that an exponent of a monomial term in has a form where and ( ) and an exponent of a monomial term of has a form where ( Thus all monomial terms in are distinct from the monomials in Therefore all terms of remain in Similar to the case of we need to investigate for each with for the case of with following two lemmas on Lemma : Let be reduced modulo K for each with is given by () for with and Then L #" ;? L reduced modulo 12 In order to do so we need the where (17)

13 & where With 1 Furthermore L Proof: Similar to (9) can be rewritten as 5V 57 L is circular symmetric A 1 is given by (17) which shows is circular symmetric Lemma : With the notation of Lemma W 8:9<; H if and only if 8R9O; Let be odd prime with ; or ; where is odd Then 8:9<; H if and only if 8R9O; LH W Proof: From the definition of L L V= 7 L 7L where is a quotient of divided by S Hence if has a common factor with L then it also has the common factor with and vice versa < If ; # from Property in Section II is irreducible over for a W given From the irreducibility of and Lemma we have 8R9<; 8R9<; L= LH (18) 8R9<; L= LH A If ; where is odd on the other hand we have T & & = & = A where & and & are the irreducible factors of such that & & and &? & [] From Property & L and & # are irreducible over and reciprocal to each other ie & Let be a root of Then If is a root of & then is a root of & and vice versa (Note that if is a root of & then cannot be its root If it were true then this holds for any other roots of & and thus the 1

14 1 number of valid roots of & should be even which is impossible because the degree of & is odd) Since is a root of we have 5 Thus from (17) we have? BA Hence is a root of if is its root Therefore if has the irreducible factor & L then it simultaneously has the other irreducible factor & and vice versa Similar to the case of ; we have (18) for a given In (17) we denote for each with where we set Let be a We write (19) matrix whose entries are given by ie (2) where is the th column vector of From (19) we have Using the matrix we give the construction of all bent functions represented by () for with and or ; Theorem 2: With the above notation let be odd prime with ; where is odd and with and bent if and only if for each with there exists at least one for ( such that given by (2) is not a constant vector In other words! )( for at least one with where % Then given by () is or

15 Proof: Similar to the proof of Theorem 1 we will derive the conditions on given by () to be nonbent for % L From Fact 1 and Corollary 1 is bent if and only if 8:9<; L= 5 8R9<; = " Since s for are all factors of " we have 8R9<; 5 if and only if 8R9<; for every Therefore is nonbent if and only if there exists at least one for such that 8:9<; = From Lemma we see that if ; or ; with odd then 8:9<; = H if and only if 8R9<; Thus can be represented by L (21) where 1!"# From Lemma is circular symmetric with ;O8 Hence is also circular symmetric with ;<8 from Lemma 2 Thus together with (21) and noticing that is circular symmetric we can rewrite as follows L (22)? A From Lemma on the other hand we have LT? =??? = % A 15 (2)

16 "! 1 column index row index Fig 1 Submatrix structure of By comparing (22) and (2) we have DFE C ( and and ( Thus for the nonbent case the entries of This is equivalently saying that each column of nonbent This completes the proof for Theorem 2 A (2) are determined by (2) is a constant vector if and only if is with In the following we write entries of in detail in order to better understand Theorem 2 We see that consists of several submatrices in Fig 1 which are defined as follows Each of is an matrix where and Also each of and is a matrix and each of and is an matrix From for if % * then % * We denote this relation by Similarly we have Also if % * then % )* denoted by Thus each element in is determined by each element in respectively In other words column vectors of for are determined by column vectors Example 2: For and for For we consider ie! "

17 " "! " A! 17 From Theorem 2! " ( (25) at for defined by () to be bent If on the other hand "!! "! " Hence! " ( or the vector! is not constant (2) % % at for defined by () to be bent Both (25) and (2) must be achieved so that L is bent Hence we see that is bent at the following two exclusive cases W! " ( and ( $ " cases or J! ( = < ( O ( and " cases In is required to distinguish W from For example with " ( B) ( (B(! = is bent Finally we have in total of $ " " B % bent functions of whose s satisfy either W < or It is also verified by the results of computer experiments Remark 2: If the number of the bent functions in Theorem 2 is given by 5 G R where the second term is the number of nonbent functions denoted by 5 The proof of (27) is similar to those of the enumeration part of Theorem 1 but one needs to consider the condition for This makes the proof rather lengthy so we omit it here If in order to obtain the exact formula for the enumeration of the bent functions constructed in Theorem 2 one has to carefully distinguish a number of cases because the conditions imposed on with (27) s in for bent (or nonbent) functions are not independent for each

18 18 V ITERATIVE CONSTRUCTION OF HIGH DEGREE BENT FUNCTIONS USING QUADRATIC BENT FUNCTIONS In [] Charpin Pasalic and Tavernier proposed a recursive construction of bent functions with high degree using bent functions with low degree In this section we apply this iterative method to construct bent functions with high degree using bent functions with quadratic exponents As an example we give the case of bent functions of variables with degree 5 using quadratic bent functions in polynomial forms In [] Charpin Pasalic and Tavernier established the following fact to obtain bent functions with higher degree Fact 2: For even and V % 57 with!"# let and be distinct # 5 bent functions from # to Then 5 and 5 defined by = 5 < 5 5 = = 5 < # # are semibent functions from to V Also 5 5 defined by < 5 = 5 5 = is a bent function from # 5 by to # The degree of 5 5 and V 5 5 is given ;<8 5 ;O8 5 H ;O8 V 5 5 " ; <8 ;O8 BA Using Fact 2 Charpin Pasalic and Tavernier showed that a bent function with high degree can be recursively constructed by concatenating known bent functions with low degree In Sections III and IV we constructed a large number of quadratic polynomial bent functions Using these bent functions and Fact 2 therefore we can recursively construct bent functions with higher degree In the following we demonstrate a general procedure for applying the iterative method of Charpin Pasalic and Tavernier for the construction of bent functions of with degree using the quadratic bent functions constructed in Sections III and IV Procedure: From ( to variables Step 1) Initialization: Select as a quadratic bent function of variables In each iteration " is a bent function of variables with degree constructed from a previous iteration

19 Step 2) Quadratic bent function: Select * " as a quadratic bent function of Make sure that * Step ) Intermediate semibent functions: Compute semibent functions * of variables with degree Step ) Higher degree bent function: Compute a bent function variables with degree Step 5) Iteration: If and iterate Step 2) 5) In the above procedure is the bent function of 19 variables * and of $ stop iterations Otherwise increase by 1 go back to Step 2) is an example which illustrates the above iterative construction variables with degree The following Example : Following the above iterative procedure we obtain a bent function of 12 variables $ with degree 1) ( : At Steps 1 and 2 we consider quadratic bent functions whose trace representations are given by $ VLT = * V A # Using a basis of # where is a primitive element of defined by ( 1 and we convert V and * V into their Boolean representations which are given by V * V O * O < = = where the computation is performed in # At Step concatenating and * two semibent functions of 5 variables with degree can be constructed ie < * * = = < * V O% H * O V = A At Step a new bent function of variables with degree can be constructed by concatenating and ie O%? V V = A

20 " 2) : At Step 2 we select a quadratic bent function * # from # $! $ to given by * $ L # where is defined by ( / 1 and From the similar approach to 1) its Boolean representation * V is given by * < # where the computation is performed in At Steps and we compute semibent functions V = * and O% * and a bent function %! of 8 variables $ with degree respectively ) : At Step 2 *! # " where is defined by ( 1! and Then the Boolean representation of * is given by * V!!!! #! where the computation is performed in At Steps and we obtain a new bent function of 1 variables with degree 5 defined by defined by ) 2 where and are semibent functions * and $ * respectively : At Step 2 * whose Boolean representation is given by * V "! "! "! "! # where is defined by ( 1 and the computation is performed! " where! and " are semibent functions defined by iterations stop is a # in At Steps and! * and " * respectively Since bent function with degree We summarize the Boolean representations of and in Table II VI CONCLUSION AND DISCUSSION We have constructed all bent functions represented by a polynomial form (2) by giving a s for with and S or ; S with odd The enumeration for such bent functions has also been given for with and Applying the necessary and sufficient condition on odd prime with ; where is

21 * 21 TABLE II BENT FUNCTIONS OF VARIABLES WITH DEGREE 5 Bent functions Degree " recursive method of Charpin Pasalic and Tavernier we have demonstrated an iterative procedure to construct bent functions with maximum degree using the polynomial quadratic bent functions constructed in this paper In this correspondence however we did not study the case for general In the light of the constructions for for general we need to know the complete factorization over # of the th cyclotomic polynomials where is a factor of Unfortunately this is unknown in the literature even for the case [1] where both and * are primes ACKNOWLEDGMENT The authors would like to thank Dr Pascale Charpin for sending the preprint of [] REFERENCES [1] E R Berlekamp Algebraic Coding Theory Aegean Park Press CA Revised ed 198 [2] A Canteaut C Carlet P Charpin and C Fontaine On cryptographic properties of the cosets of IEEE Trans Inform Theory vol 7 no pp [] A Canteaut and P Charpin Decomposing bent functions IEEE Trans Inform Theory vol 9 no 8 pp

22 22 [] C Carlet A larger class of cryptographic Boolean functions via a study of the MaioranaMcFarland construction Advances in Cryptology CRYPTO 22 no 22 in Lecture Notes in Computer Science pp [5] C Carlet P Charpin and V A Zinoviev Codes bent functions and permutations suitable for DESlike cryptosystem Designs Codes and Cryptography vol 15 pp [] P Charpin E Pasalic and C Tavernier On bent and semibent quadratic Boolean functions IEEE Trans Inform Theory vol 51 no 12 pp Dec 25 [7] J F Dillon Elementary Hadamard difference set Ph D Thesis University of Maryland 197 [8] J F Dillon New cyclic difference sets with Singer parameters Finite Fields and Their Applications pp [9] H Dobbertin G Leander A Canteaut C Carlet P Felke and P Gaborit Construction of bent functions via Niho power functions Journal of Combinatorial Theory Series A to appear [1] S W Golomb and G Gong Signal Design for Good Correlation for Wireless Communication Cryptography and Radar Cambridge University Press 25 [11] T Helleseth and P V Kumar Sequences with Low Correlation a chapter in Handbook of Coding Theory Edited by V Pless and C Huffman Elsevier Science Publishers 1998 [12] T Kasami Weight enumerators for several classes of subcodes of the 2ndorder ReedMuller codes Information and Control vol 18 pp [1] K Khoo G Gong and D R Stinson A new characterization of semibent and bent functions on finite fields Designs Codes and Cryptography to appear [1] K Khoo G Gong and D R Stinson A new family of Goldlike sequences in Proc of IEEE International Symposium on Information Theory (ISIT) p 181 Lausanne Switzerland 22 [15] S H Kim and J S No New families of binary sequences with low correlation IEEE Trans Inform Theory vol 9 no 11 pp 595 Nov 2 [1] T Y Lam and K H Leung On the cyclotomic polynomial Amer Math Monthly 1 pp [17] R Lidl and H Niederreiter Finite Fields Encyclopedia of Mathematics and Its Applications vol 2 AddisonWesley 198 [18] W Ma M Lee and F Zhang A new class of bent functions IEICE Trans Fundamentals vol E88A no 7 pp 29 2 July 25 [19] F J MacWilliams and N J Sloane The Theory of ErrorCorrecting Codes Amsterdam: NorthHolland 1977 [2] R J McEliece Finite Fields for Computer Scientists and Engineers Kluwer Academic Publishers vol [21] R L McFarland A new family of noncyclic difference sets Journal of Combinatorial Theory Series A 15 pp [22] J D Olsen R A Scholtz and L R Welch Bentfunction sequences IEEE Trans Inform Theory vol 28 pp [2] P Udaya Polyphase and frequency hopping sequences obtained from finite rings Ph D dissertation Dept Elec Eng Indian Inst Technol Kanpur 1992