Third-order nonlinearities of some biquadratic monomial Boolean functions

Size: px

Start display at page:

Download "Third-order nonlinearities of some biquadratic monomial Boolean functions"

Jack Paul
5 years ago
Views:

1 Noname manuscript No. (will be inserted by the editor) Third-order nonlinearities of some biquadratic monomial Boolean functions Brajesh Kumar Singh Received: April 01 / Accepted: date Abstract In this paper, we estimate the lower bounds on third-order nonlinearities of some biquadratic monomial Boolean functions of the form Tr n 1 (λxd ) for all x F n, where λ F n, (1) d = i + j + k + 1, i, j,k are integers such that i > j > k 1 and n > i. () d = 3l + l + l + 1, l is a positive integer such that gcd(i,n) = 1 and n > 6. Keywords Boolean functions Walsh-Hadamard spectrum Third-order nonlinearities Linearized polynomial 1 Introduction Let B n be the set of all Boolean functions on n variables and let r be a positive integer smaller than n. Reed Muller code, RM(r,n), of order r and length n is the set of all Boolean functions in B n with algebraic degree less than or equal to r. The rth-order nonlinearity of any function f B n is defined as nl r ( f ) = min h RM(r,n) d( f,h). The sequence of values, nl r ( f ), 1 r n 1, is said to be the nonlinearity profile of f. Since RM(r 1,n) RM(r,n), therefore nl r ( f ) nl r 1 ( f ). The first order nonlinearity of f is nl 1 ( f ), is the nonlinearity of f which we denote by nl( f ). The nonlinearity of a Boolean function f is related to the immunity of f against best affine approximation attacks [9] and fast correlation attacks [14], when f is used as a combiner function or a filter function in a stream cipher. Attacks based on higher-order approximations of Boolean functions are found in Golić [9], Courtois [6]. Computing rth-order nonlinearity is not an easy task (r ). Unlike the first-order nonlinearity there is no efficient algorithms to compute second-order nonlinearities for n 11. Most efficient algorithm due to Fourquet and Tavernier [7] works for n 11 and, up to n = 13 for some special functions. Thus, there is a need to construct Boolean functions with high rth-order nonlinearity. The following is the best known asymptotic upper bound on nl 3 ( f ) due to Carlet and Mesnager [5] nl 3 ( f ) n 1 15 (1 + ) n 1 + O(n). Carlet [3] developed a technique for computing lower bounds of higher-order nonlinearities of Boolean functions recursively and using this approach he has obtained the lower bounds of nonlinearity profiles for functions belonging to several classes of functions such as Kasami functions, Welch functions, inverse functions etc.. The classes of Boolean functions for which the lower bound on third nonlinearity is known are inverse functions [3], Dillon functions [4] and Kasami functions, f (x) = Tr n 1 (λx57 ) [8]. In this paper, we deduce the lower bounds on third-order nonlinearities of some biquadratic monomial Boolean functions of the form Tr n 1 (λxd ) for all x F n, where λ F n, (1) d = i + j + k + 1, i, j,k are integers such that i > j > k 1 and n > i. () d = 3l + l + l + 1, l is a positive integer such that gcd(i,n) = 1 and n > 6. Remainder of the paper is organized as follows: The main results on lower bounds of third-order nonlinearities are presented in Section 3. The numerical compression of our bounds with the previous known results is provided in Section 4. Section 5 is conclusion. Research supported by CSIR, INDIA. B. K. Singh Department of Mathematics, Indian Institute of Technology Roorkee, Roorkee INDIA bksingh0584@gmail.com

2 Preliminaries Let F n be the finite field consisting of n elements. The group of units of F n, denoted by F n, is a cyclic group consisting of n 1 elements. An element α F n is said to be a primitive element if it is a generator of the multiplicative group F n. Any function from F n to F is said to be a Boolean function on n variables. Let Z and Z q, where q is a positive integer, denote the ring of integers and integers modulo q, respectively. A cyclotomic coset modulo n 1 of s Z is defined as [13, pp. 104] C s = s,s,s,...,s n s 1 }, (1) where n s is the smallest positive integer such that s s n s (mod n 1). It is a convention to choose the subscript s to be the smallest integer in C s and refer to it as the coset leader of C s and n s denotes the size of C s. The trace function Tr1 n : F n F is defined as Tr n 1 (x) = x + x + x x n 1, for all x F n. () The functions (x,y) Tr1 n(xy) are inner products on F n. The trace representation [10] of a function f B n is f (x) = Tr n k 1 (A kx k ) + A n 1x n 1, for all x F n, (3) k Γ (n) where Γ (n) is the set of all coset leaders modulo n 1 and A k F n k, A n 1 F, for all k Γ (n). A Boolean function is said to be a monomial trace function (sometimes monomial Boolean function) or said to have monomial trace representation if its trace representation consists of only one trace term. The binary representation of an integer d Z is d = d m 1 m 1 + d m m d 1 + d 0, (4) where d 0,d 1,...,d m 1 0,1}. The Hamming weight of d is w H (d) = m 1 i=0 d i, where the sum is over Z. The algebraic degree, denoted by deg( f ), of f B n, as represented in (3), is the largest positive integer w for which w H (k) = w and A k 0. The support of f B n is supp( f ) = x F n : f (x) 0}. The weight of f is w H ( f ) = x F n : f (x) 0}, where S is the cardinality of any set S. The Hamming distance between two functions f,g B n is defined by d( f,g) = x F n : f (x) g(x)}. The Walsh Hadamard transform of f B n at λ F n is defined as W f (λ) = ( 1) f (x)+trn 1 (λx). x F n The multiset W f (λ) : λ F n} is said to be the Walsh-Hadamard spectrum of f. The frequency distribution of the values in the Walsh-Hadamard spectrum of f is referred to as the weight distribution of the Walsh- Hadamard spectrum of f. The nonlinearity of a Boolean function f B n in terms of its Walsh-Hadamard spectrum is given by By Parseval s identity, nl( f ) = n 1 1 max W f (λ). λ F n W f (λ) = n, λ F n it can be shown that max W f (λ) : λ F n} n which implies that nl( f ) n 1 n 1. Definition 1 [15] A function f B n (for even n) is said to be a bent function if and only if W f (λ) n, n } for all λ F n or equivalently f is bent if and only if nl( f ) = n 1 n 1. Definition The derivative of f B n with respect to a F n is defined as D a f (x) = f (x) + f (x + a) for all x F n. The higher-order derivatives of a Boolean function are defined as follows. Definition 3 Let V be an r-dimensional subspace of F n generated by a 1,...,a r, i.e., V = a 1,...,a r. The rthorder derivative of f B n with respect to V, is the function D V f B n, defined by D V f (x) = D a1...d ar f (x). It is to be noted that rth-order derivative of f depends only on the choice of the r-dimensional subspace V and independent of the choice of the basis of V. The notion of rth-order bent functions have introduced by Iwata, Kurosawa [11] which is defined as follows.

3 3 Definition 4 [11] For any positive integer r n 3, a function f B n is said to be rth-order bent if and only if nl r ( f ) n r 3 (r + 4), if r = 0 mod, n r 3 (r + 5), if r = 1 mod. Following are some results on recursive lower bounds on third-order nonlinearities due to Carlet [3] which we use to estimate our bounds. Proposition 1 [3, Proposition ] Let f B n. Then nl 3 ( f ) 1 4 Proposition [3, Eq. 1] Let f B n. Then nl 3 ( f ) n 1 1 max nl(d a 1,a F n a D a1 f ). a F n n nl(d a D b f ). b F n The following result known as McEliece s Theorem is useful for improving the bounds of the rth-order nonlinearities. Proposition 3 [13, Chap. 15, Cor. 13] The rth-order nonlinearities of a Boolean function f B n with algebraic degree d, is divisible by n d 1. Following proposition is due to Bracken et al. [1] which provides an information on the zeroes of the linearized polynomials [1,13] of particular type. Proposition 4 [1, Cor. 1] Let L(x) = v i=0 c ix ik be a linearized polynomial over F n, where v,k are positive integers such that gcd(n,k) = 1. Then zeroes of the linearized polynomial L(x) in F n are at most v..1 Quadratic Boolean Functions Suppose f B n be a quadratic Boolean function. The bilinear form [13] associated with f is defined by B(x,y) = f (0) + f (x) + f (y) + f (x + y) and the kernel, E f, of B(x,y) is the subspace of F n defined by E f = x F n : B(x,y) = 0 for all y F n}. Any element c E f is said to be a linear structure of f. Lemma 1 [, Proposition 1] Let V be a vector space over a field F q of characteristic and Q : V F q be a quadratic form. Then the dimension of V and the dimension of the kernel of Q have the same parity. If f B n is a quadratic Boolean function then the weight distribution of the Walsh-Hadamard spectrum to f depends only on the dimension k of E f which is given in Table 1 [,13]. Table 1 Weight distribution of the Walsh-Hadamard spectrum of a quadratic Boolean function f B n W f (α) Number of α 0 n n k (n+k)/ n k 1 + ( 1) f (0) (n k )/ (n+k)/ n k 1 ( 1) f (0) (n k )/

4 4 3 Main results In this section, we deduce the lower bounds of third-order nonlinearities of monomial Boolean functions of degree 4. Theorem 1 Let f λ (x) = Tr1 n(λxi + j + k +1 ), for all x F n, where λ F n, i, j,k are integers such that i > j > k 1 and n > i. Then nl 3 ( f λ ) n 3 n+i 6, if n = 0 mod, n 3 n+i 7 (5), if n = 1 mod. In particular, if gcd( j k, n) = 1, then n 1 1 ( n 1) nl 3 ( f λ ) n 1 1 ( n 1) 3n+i + n+1 n+i+ 3n+i 1 + n+1 n+i+1, if n = 0 mod,, if n = 1 mod. (6) Proof Derivative of f λ with respect to a F n is D a f λ (x) = f λ (x + a) + f λ (x) = Tr n 1 (λ(x + a)i + j + k +1 ) + Tr n 1 (λxi + j + k +1 ) = Tr n 1 (λ(axi + j + k + a i x j + k +1 + a j x i + k +1 + a k x i + j +1 )) + q(x), where q is a quadratic Boolean function. The second derivative D b D a f λ with respect to a,b F n, where a b is D b D a f λ (x) = f λ (x + a + b) + f λ (x + a) + f λ (x + b) + f λ (x) = Tr n 1 (λ(x + a + b)i + j + k +1 ) + Tr n 1 (λ(x + b)i + j + k +1 ) + Tr n 1 (λ(x + a)i + j + k +1 ) + Tr n 1 (λxi + j + k +1 ) = l(x) + Tr n 1 (λ((abk + a k b)x i + j + (ab j + a j b)x i + k + (ab i + a i b)x j + k + (a j b k + a k b j )x i +1 + (a i b k + a k b i )x j +1 + (a i b j + a j b i )x k +1 )), where l is an affine function. If D b D a f λ is quadratic, then the Walsh-Hadamard spectrum of D b D a f λ is equivalent to the Walsh-Hadamard spectrum of the function h λ obtained by removing l from D b D a f λ. h λ (x) = Tr n 1 (λ((abk + a k b)x i + j + (ab j + a j b)x i + k + (a j b k + a k b j )x i +1 +(ab i + a i b)x j + k + (a i b k + a k b i )x j +1 + (a i b j + a j b i )x k +1 )). Since E hλ = x F n : B(x,y) = 0 for all y F n }, where B(x,y) is the bilinear form associated with h λ. Using y n = y and Tr1 n(x)i = Tr1 n(x) for all x,y F n. We compute B(x,y) = h λ (0) + h λ (x) + h λ (y) + h λ (x + y) = Tr n 1 (λ(yi ((ab k + a k b)x j + (ab j + a j b)x k + (a j b k + a k b j )x) +y j ((ab k + a k b)x i + (ab i + a i b)x k + (a i b k + a k b i )x) +y k ((ab j + a j b)x i + (ab i + a i b)x j + (a i b j + a j b i )x) +y((a j b k + a k b j )x i + (a i b k + a k b i )x j + (a i b j + a j b i )x k ))) = Tr1 n (yp(x)), where P(x) = (λ(ab k + a k b)x j + λ(ab j + a j b)x k + λ(a j b k + a k b j )x) n i +(λ(ab j + a j b)x i + λ(ab i + a i b)x j + λ(a i b j + a j b i )x) n j +(λ(ab j + a j b)x i + λ(ab i + a i b)x j + λ(a i b j + a j b i )x) n k +λ(a j b k + a k b j )x i + λ(a i b k + a k b i )x j + λ(a i b j + a j b i )x k. Therefore, E hλ = x F n : P(x) = 0 = P(x) i }. (7)

5 5 Let L (λ,a,b) (x) = P(x) i. Using x n = x, y n = y, a n = a, b n = b and λ n = λ, for all x,y,a,b,λ F n, we have ( ) L (λ,a,b) (x) = (P(x)) i = λ (ab j + a j b)x k + (ab k + a k b)x j + (a j b k + a k b j )x + λ i ( (a i+ j b i+k + a i+k b i+ j )x i + (a i+k b i + a i b i+k )x i+ j + (a i b i+ j + a i+ j b i )x i+k) + λ i j ( (a i j b i + a i b i j )x i j + (a i j b i j + a i j b i j )x i + (a i j b i + a i b i j )x i j) + λ i k ( (a i k b i+ j k + a i+ j k b i k )x i k + (a i k b i k + a i k b i k )x i+ j k + (a i k b i+ j k + a i+ j k b i k )x i k). (8) The coefficient of x in L (λ,a,b) (x) is zero if and only if a j b k + a k b j = 0, i.e., a j k b + ab j k = 0 which implies that b af j k. Therefore, for every 0 a,b F n such that b af j k, the degree of linearized polynomial, L (λ,a,b) in x is at most i, this implies that k(a,b) i if n is even otherwise k(a,b) i 1. The Walsh-Hadamard transform of D b D a f λ at µ F n is W Db D a f λ (µ) n+i, if n = 0 mod, n+i 1, if n = 1 mod. Therefore, nl(d b D a f λ ) = n 1 n+i, if n = 0 mod, n 1 n+i 3, if n = 1 mod. (9) Using Proposition 1, we have nl 3 ( f λ ) n 3 n+i 6, if n = 0 mod, n 3 n+i 7, if n = 1 mod. In particular, if gcd( j k,n) = 1, we have k(a,b) i if n is even otherwise k(a,b) i 1 for all a,b F n such that a 0 and b af. Therefore, Eq. (9) holds for all a,b F n such that a 0 and b af. Using Proposition, we have When n = 0 mod nl 3 (g λ ) n 1 1 ( n 1) n ( n )( n 1 n+i ) = n 1 1 ( n 1) 3n+i + n+1 n+i+. (10) When n = 1 mod nl 3 (g λ ) n 1 1 ( n 1) n ( n )( n 1 n+i 3 ) = n 1 1 ( n 1) 3n+i 1 + n+1 n+i+1. (11) Theorem Let g λ (x) = Tr1 n(λx3l + l + l +1 ), for all x F n and λ F n, where l is a positive integer such that gcd(l,n) = 1 and n > 6. Then n 1 1 ( n 1) nl 3 (g λ ) n 1 1 ( n 1) 3n+6 + n+1 n+8 3n+5 + n+1 n+7, if n = 0 mod,, if n = 1 mod.

6 6 Proof The proof is similar to that of Theorem 1 upto Eq. (8). Here the kernel of B(x,y) associated with D b D a g λ is E = x F n : P(x) = 0 = L (λ,a,b) (x)}, where L (λ,a,b) (x) is obtained by replacing i, j and k in (8) by 3l,l and l respectively L (λ,a,b) (x) = P(x) 3l = λ 3l ( (a 5l b 4l + a 4l b 5l )x 6l + (a 4l b 6l + a 6l b 4l )x 5l + (a 6l b 5l + a 5l b 6l )x 4l) + λ l ( (a l b 3l + a 3l b l )x 4l + (a l b 4l + a 4l b l )x 3l + (a 4l b 3l + a 3l b 4l )x l) + λ l ( (a l b 4l + a 4l b l )x 5l + (a l b 5l + a 5l b l )x 4l + (a 5l b 4l + a 4l b 5l )x l) + λ(ab l + a l b)x l + λ(ab l + a l b)x l + λ(a l b l + a l b l )x. (1) The coefficient of x in L (λ,a,b) (x) is zero if and only if a l b l + a l b l = 0, i.e., a l b + ab l = 0. But gcd(l,n) = 1, therefore, by Proposition 4, we have b af. Moreover, L (λ,a,b) (x) is of the form 6 i=0 c ix il, therefore by Proposition 4, the equation L (λ,a,b) (x) = 0 has at most 6 roots for all a,b F n such that a 0 and b af, this implies that k(a,b) 6 if n is even otherwise k(a,b) 5. The Walsh-Hadamard transform of D b D a g λ at µ F n is n+6, if n = 0 mod, W Db D a g λ (µ) n+5, if n = 1 mod. Therefore, Using Proposition 1, we have Using Proposition, we have nl(d b D a g λ ) n 1 n+4, if n = 0 mod, n 1 n+3, if n = 1 mod. n 3 n, if n = 0 mod, nl 3 (g λ ) n 3 n 1, if n = 1 mod. When n = 0 mod nl 3 (g λ ) n 1 1 ( n 1) n ( n )( n 1 n+4 ) = n 1 1 ( n 1) 3n+6 + n+1 n+8. (13) When n = 1 mod nl 3 (g λ ) n 1 1 ( n 1) n ( n )( n 1 n+3 ) = n 1 1 ( n 1) 3n+5 + n+1 n+7. (14) Remark 1 Let f B n a biquadratic Boolean function. If there exists at least elements a,b F n such that D b D a f is quadratic, then the lower bound of third-order nonlinearity of f B n is at least n 4. This result is follows from Proposition 1 and the fact that the nonlinearity of any quadratic function in B n is at least n [3,16]. 4 Comparison In Table and Table 3, we present the computational results of lower bounds of third-order nonlinearities obtained by Theorem 1 for i = 3,4,5 and j,k are taken in such a way that gcd( j k,n) = 1. We compare these bounds with the general bounds on third-order nonlinearity for any biquadratic Boolean function, i.e., nl 3 ( f ) n 4. It is observed that the bounds for i = 3,4 are efficiently large and decreases with increasing the value of i. It is claimed that class (1) is more general class of biquadratic monomial Boolean functions

7 7 Table The lower bounds on the third-order nonlinearities obtained by Theorem 1 for odd n and i = 3,4,5 n i = i = i = general bounds Table 3 The lower bounds on the third-order nonlinearities obtained by Theorem 1 for for even n and i = 3,4,5 n i = i = i = general bounds containing several classes of highly nonlinear Boolean functions. For example, Kasami functions of degree 4 coincide with class (1) when i = 5, j = 4,k = 3. In Table 4 and Table 5, we present the computational results on lower bounds of third-order nonlinearities obtained by Theorem on applying Proposition 3 and compare these values with known classes of functions [8,3,11]. It is observed from Table 4 and Table 5 that the bound obtained by Theorem is better than the bounds obtained by Gode et al. [8] for Kasami functions: Tr(λx 57 ), Iwata and Kurosawa s general bound [11] for all n > 8. These bounds are also improved upon Carlet s [3] bound for inverse function when n is odd (see Table 4) or n = 8,1, and equal for the rest values of even n (see Table 5). Table 4 Comparison of the value of lower bounds on third-order nonlinearities obtained by Theorem with the bound obtained in [8], [11] and [3] for odd n n Bounds in Theorem Bounds in [8] Bounds in [11] Carlet s bound [3] Table 5 Comparison of the value of lower bounds on third-order nonlinearities obtained by Theorem with the bound obtained in [8], [11] and [3] for even n n Bounds in Theorem Bounds in [8] Bounds in [11] Carlet s bound [3] Conclusion In this paper, we obtained the lower bounds of third-order nonlinearities of two more general classes of biquadratic monomial Boolean functions. It is demonstrated that in some cases our bounds are better than the bounds obtained previously. 6 Acknowledgement The author would like to thanks the Council of Scientific and Industrial Research India for supporting his research. References 1. Bracken, C., Byrne, E., Markin, N., MacGuire, G.: Determining the Nonlinearity a New Family of APN Functions. AAECC, LNCS, 4851, Springer Verlag, 7-79 (007).

8 8. Canteaut, A., Charpin, P., Kyureghyan, G. M.: A New Class of Monomial Bent Functions. Finite Fields and Their Applications, 14, 1-41 (008). 3. Carlet, C.: Recursive Lower Bounds on the Nonlinearity Profile of Boolean Functions and Their Applications. IEEE Trans. Inform. Theory, 54(3), (008). 4. Carlet, C.: More vectorial Boolean functions with unbounded nonlinearity profile, Int l J. of Found. of Comp. Sci., (6), , Carlet, C., Mesnager, S.: Improving the Upper Bounds on the Covering Radii of Binary Reed-Muller Codes. IEEE Trans. Inform. Theory, 53 (1), (007). 6. Courtois, N.: Higher Order Correlation Attacks, XL Algorithm and Cryptanalysis of Toyocrypt. In Proc. of the ICISC 0, LNCS, 587, , Springer Verlag (00). 7. Fourquet, R., Tavernier, C.: An Improved List Decoding Algorithm for the Second Order Reed-Muller Codes and its Applications. Designs, Codes and Cryptography, 49, (008). 8. Gode, R., Gangopadhyay, S.: Third-Order Nonlinearities of a Subclass of Kasami Functions. Crypt. Communi.-Discrete Structures, Boolean Functions and Sequences,, (010). 9. Golic, J.: Fast Low Order Approximation of Cryptographic Functions. In Proc. of the EUROCRYPT 96, LNCS, Springer Verlag, 1070, 68-8 (1996). 10. S. W. Golomb and G. Gong, Signal design for good correlation: for wireless communication, cryptography and radar, Cambridge University Press, ISBN , Iwata, T., Kurosawa, K.: Probabilistic Higher Order Differential Attack and Higher Order Bent Functions. In Proc. of the ASIACRYPT 99, LNCS, Springer Verlag, 1716, 6-74, (1999). 1. Lidl, R., H. Niederreiter, H.: Introduction to Finite Fields and Their Applications, Cambridge University Press (1983). 13. MacWilliams, F. J., Sloane, N. J. A.: The Theory of Error Correcting Codes. North-Holland, Amsterdam (1977). 14. Meier, W., Staffelbach O.: Nonlinearity criteria for cryptographic functions. Adv. in Crypto. EUROCRYPT 89, LNCS, Springer Verlag, 434, (1990). 15. Rothaus, O. S.: On bent functions. J. Combin. Theory (A), 0, (1976). 16. Seberry, J., Zhang, X. M. and Zheng, Y.: Relationships among nonlinearity criteria. Advances in Crypto. EUROCRYPT 94, LNCS, Springer-Verlag, 950, , (1995).

A New Class of Bent Negabent Boolean Functions

A New Class of Bent Negabent Boolean Functions Sugata Gangopadhyay and Ankita Chaturvedi Department of Mathematics, Indian Institute of Technology Roorkee Roorkee 247667 INDIA, {gsugata, ankitac17}@gmail.com