Combinatorics of p-ary Bent Functions

Similar documents
Explorations of edge-weighted Cayley graphs and p-ary bent functions

Critical Groups for Cayley Graphs of Bent Functions

Lecture 10-11: General attacks on LFSR based stream ciphers

Constructions of partial geometric difference sets

Butson-Hadamard matrices in association schemes of class 6 on Galois rings of characteristic 4

Butson-Hadamard matrices in association schemes of class 6 on Galois rings of characteristic 4

Introduction to Association Schemes

4.3 General attacks on LFSR based stream ciphers

RING ELEMENTS AS SUMS OF UNITS

GRE Subject test preparation Spring 2016 Topic: Abstract Algebra, Linear Algebra, Number Theory.

Block vs. Stream cipher

DISTINGUISHING PARTITIONS AND ASYMMETRIC UNIFORM HYPERGRAPHS

Section 3 Isomorphic Binary Structures

Complex Hadamard matrices and 3-class association schemes

Math 210C. The representation ring

Optimizing the placement of tap positions. joint work with Enes Pasalic, Samed Bajrić and Yongzhuang Wei

MATH 433 Applied Algebra Lecture 22: Review for Exam 2.

3.8 MEASURE OF RUNDOMNESS:

MIT Algebraic techniques and semidefinite optimization May 9, Lecture 21. Lecturer: Pablo A. Parrilo Scribe:???

CHAPTER 12 CRYPTOGRAPHY OF A GRAY LEVEL IMAGE USING A MODIFIED HILL CIPHER

The BCH Bound. Background. Parity Check Matrix for BCH Code. Minimum Distance of Cyclic Codes

Discrete Mathematics. Benny George K. September 22, 2011

CSIR - Algebra Problems

Characterization of 2 n -Periodic Binary Sequences with Fixed 2-error or 3-error Linear Complexity

Quasigroups and stream cipher Edon80

A Questionable Distance-Regular Graph

Permutation groups/1. 1 Automorphism groups, permutation groups, abstract

Fast correlation attacks on certain stream ciphers

L9: Galois Fields. Reading material

On some incidence structures constructed from groups and related codes

Sequences, DFT and Resistance against Fast Algebraic Attacks

AUTOMORPHISM GROUPS AND SPECTRA OF CIRCULANT GRAPHS

Group-theoretic approach to Fast Matrix Multiplication

MATH 101: ALGEBRA I WORKSHEET, DAY #1. We review the prerequisites for the course in set theory and beginning a first pass on group. 1.

Math 3121, A Summary of Sections 0,1,2,4,5,6,7,8,9

Pseudo-Random Number Generators

CHAPMAN & HALL/CRC CRYPTOGRAPHY AND NETWORK SECURITY ALGORITHMIC CR YPTAN ALY51S. Ant nine J aux

18.312: Algebraic Combinatorics Lionel Levine. Lecture 19

3-Class Association Schemes and Hadamard Matrices of a Certain Block Form

Analysis of Modern Stream Ciphers

Directed Strongly Regular Graphs. Leif K. Jørgensen Aalborg University Denmark

ACO Comprehensive Exam March 20 and 21, Computability, Complexity and Algorithms

1 Introduction In [2] a method for computing the Walsh spectrum in R-encoding of a completely specified binary-valued function was presented based on

18.312: Algebraic Combinatorics Lionel Levine. Lecture 22. Smith normal form of an integer matrix (linear algebra over Z).

Very few Moore Graphs

Strongly Regular Decompositions of the Complete Graph

Thesis Research Notes

SOBER Cryptanalysis. Daniel Bleichenbacher and Sarvar Patel Bell Laboratories Lucent Technologies

Math 121 Homework 5: Notes on Selected Problems

Recommended questions: a-d 4f 5 9a a 27.

The Matrix-Tree Theorem

Elementary maths for GMT

Characterizations of Strongly Regular Graphs: Part II: Bose-Mesner algebras of graphs. Sung Y. Song Iowa State University

TC08 / 6. Hadamard codes SX

Representations. 1 Basic definitions

Supplement. Dr. Bob s Modern Algebra Glossary Based on Fraleigh s A First Course on Abstract Algebra, 7th Edition, Sections 0 through IV.

Cryptanalysis of Achterbahn

Twin bent functions and Clifford algebras

Correcting Codes in Cryptography

Chapter 9: Relations Relations

Introduction to Groups

Spectra of Semidirect Products of Cyclic Groups

Classical Cryptography

ECEN 5682 Theory and Practice of Error Control Codes

USING GRAPHS AND GAMES TO GENERATE CAP SET BOUNDS

Exercises on chapter 1

CONSTRUCTING Boolean functions on odd number of variables n having nonlinearity greater than the bent

AES side channel attacks protection using random isomorphisms

Chapter 6 Reed-Solomon Codes. 6.1 Finite Field Algebra 6.2 Reed-Solomon Codes 6.3 Syndrome Based Decoding 6.4 Curve-Fitting Based Decoding

Constructing a Ternary FCSR with a Given Connection Integer

Designs over the binary field from the complete monomial group

Cryptography and Shift Registers

1.10 Matrix Representation of Graphs

UNPREDICTABLE BINARY STRINGS

MATH 8253 ALGEBRAIC GEOMETRY WEEK 12

Stephen Cohen, University of Glasgow Methods for primitive and normal polynomials

Square 2-designs/1. 1 Definition

Linear algebra and applications to graphs Part 1

Monoids. Definition: A binary operation on a set M is a function : M M M. Examples:

Functions on Finite Fields, Boolean Functions, and S-Boxes

STREAM CIPHER. Chapter - 3

Unpredictable Binary Strings

Constructions for Hadamard matrices using Clifford algebras, and their relation to amicability / anti-amicability graphs

ICALP g Mingji Xia

IEOR SEMINAR SERIES Cryptanalysis: Fast Correlation Attacks on LFSR-based Stream Ciphers

Notes on Freiman s Theorem

LARGE SCHRÖDER PATHS BY TYPES AND SYMMETRIC FUNCTIONS

Permutation decoding for the binary codes from triangular graphs

On The Nonlinearity of Maximum-length NFSR Feedbacks

The rank of connection matrices and the dimension of graph algebras

Representation Theory. Ricky Roy Math 434 University of Puget Sound

Permutation-like matrix groups

Algebra Ph.D. Preliminary Exam

Character tables for some small groups

ALGEBRA QUALIFYING EXAM SPRING 2012

Parity Versions of 2-Connectedness

Scaffolds. A graph-based system for computations in Bose-Mesner algebras. William J. Martin

REPRESENTATION THEORY OF S n

Topic 3. Design of Sequences with Low Correlation

Laplacians of Graphs, Spectra and Laplacian polynomials

Transcription:

Combinatorics of p-ary Bent Functions MIDN 1/C Steven Walsh United States Naval Academy 25 April 2014

Objectives Introduction/Motivation Definitions Important Theorems Main Results: Connecting Bent Functions to Combinatorical Structures Conclusion

Introduction/Motivation Linear feedback shift register: a shift register in which inputs are linear functions of their previous states Can be used to generate pseudo-random sequences that can be used as keystreams in a stream cipher system Example: Fibonacci sequence (mod 2), defined by initial state s 0 = 0, s 1 = 1 and recursive function s n = s n 1 + s n 2 (0,1,1,2,3,5,8,13,21...) (0,1,1,0,1,1,0,1,1...) LFSRs can be broken using the Berlekamp-Massey algorithm

Berlekamp-Massey algorithm For a binary LFSR with key length n and maximal length period 2 n 1, only 2n consecutive terms of the sequence are required to determine the coefficients of the LFSR Example: Fibonacci sequence mod 2, key length is 2 and period is 3, so 4 digits are required to decode the LFSR Example: choose a 4-bit subsequence (say, (0,1,1,0)) and use the equation s n = c 1 s n 1 + c 2 s n 2 to solve for c 1 and c 2 and thus, determine the key (c 1, c 2 ): 1 = c 1 (1) + c 2 (0) c 1 = 1 0 = c 1 (1) + c 2 (1) = 1(1) + c 2 (1) c 2 = 1

Implementing more secure cipher stream systems LFSRs are very susceptible to decryption through various techniques, including Berlekamp-Massey algorithm and brute force attacks To construct more secure keystreams, utilize bent, or perfectly non-linear, functions non-linearity will generate more random sequences resistant to linear cryptanalysis

Definitions and Examples

Walsh-Hadamard transform For f : GF (p) n GF (p), the Walsh-Hadamard transform of f is a complex-valued function on GF (p) n defined by: W f (u) = x GF (p) n ζ f (x) u,x where ζ = e 2πi/p (the pth root of unity). f : GF (p) n GF (p) is bent if W f (u) = p n/2 for all u GF (p) n.

Partial difference sets Let G be a finite abelian group of order v Let D be a subset of G with cardinality k D is a (v, k, λ)-difference set if the multiset {d 1 d 1 2 d 1, d 2 D} contains every non-identity element of G exactly λ times D is a (v, k, λ, µ)-partial difference set (PDS) if the multiset {d 1 d2 1 d 1, d 2 D} contains every non-identity element of D exactly λ times and every non-identity element of G \ D exactly µ times

Cayley graphs Constructing a Cayley graph: Let G be a group, let D G such that 1 / D Let the vertices of the graph be elements of G Two vertices g 1 and g 2 are connected by a directed edge from g 1 to g 2 if g 2 = dg 1 for some d D For a (v, k, λ, µ)-pds D, the Cayley graph X (G, D) is a srg-(v, k, λ, µ) if: X (G, D) has v vertices such that each vertex is connected to k other vertices Distinct vertices g 1 and g 2 share edges with either λ or µ common vertices

Bent function correspondences Two known ways to determine whether a function is bent (for p = 2) Dillon correspondence: f : GP(2) n GF (2) is bent if and only if the level curve f 1 (1) = {v GF (2) n f (v) = 1} yields a difference set in GF (2) n with parameters (v, k, λ) = (4m 2, 2m 2 ± m, m 2 ± m) for some integer m Bernasconi correspondence: f : GF (2) n GF (2) is bent if and only if the Cayley graph of f is a srg-(2 n, k, λ, µ), where λ = µ and k = {v GF (2) n f (v) 0}

Weighted partial difference sets Let G be a finite abelian multiplicative group of order v and let D be a subset of G of cardinality k. Decompose D into a union of disjoint subsets D = D 1 D 2 D d and assume 1 / D. Let D i = k i.

Weighted partial difference sets D is a weighted partial difference set (PDS) if the following properties hold: The multiset D i D 1 j = {d 1 d 1 2 d 1 D i, d 2 D j } represents every non-identity element of D l exactly λ i,j,l times and every non-identity element of G \ D exactly µ i,j times (1 i, j, l d) For each i {1, 2,..., d}, j {1, 2,..., d} such that D 1 i = D j (if D 1 i = D i for all i, then the weighted PDS is symmetric)

Weighted Cayley Graphs Construction of a weighted Cayley graph X w (G, D) is similar to that of a standard Cayley graph Let G be a group, D a subset of G Decompose D into a union of subsets D 1 D 2 D d The vertices of the graph are the elements of G Two vertices g 1 and g 2 are connected by an edge of weight k if g 1 = dg 2 for some d D k

PDS Example G = GF (3)[x]/(x 2 + 1) = {0, 1, 2, x, x + 1, x + 2, 2x, 2x + 1, 2x + 2} (GF (9), +) D = {1, 2, x, 2x} {d 1 d 1 2 d 1, d 2 D} = {0, 2, 1 + 2x, 1 + x, 0, 1, 2x + 2, x + 2, 0, x + 2, x + 1, 2x, 0, 2x + 2, 2x + 1, x} So D is a (9,4,1,2) partial difference set.

Weighted PDS Example G = GF (3)[x]/(x 2 + 1) = {0, 1, 2, x, x + 1, x + 2, 2x, 2x + 1, 2x + 2} (additive group) D 1 = {1, 2}, D 2 = {x, 2x} {d 1 d 1 2 d 1, d 2 D 1 } = {0, 2, 0, 1} {d 1 d 1 2 d 1 D 1, d 2 D 2 } = {2x + 1, x + 1, x + 2, 2x + 2} {d 1 d 1 2 d 1, d 2 D 2 } = {0, 2x, 0, x} λ 1,1,1 = 1, λ 1,1,2 = 0, µ 1,1 = 0 λ 1,2,1 = 0, λ 1,2,2 = 0, µ 1,2 = 1 λ 2,2,1 = 0, λ 2,2,2 = 1, µ 2,2 = 0

Corresponding Cayley Graph

Using Level Curves as Weighted Partial Difference Sets Let f : GF (p) n GF (p) be a function. One possible way to generate a weighted partial difference set is as follows: G = GF (p) n D 0 = {0} D i = f 1 (i) for i = 1, 2,..., p 1 D p = f 1 (0) {0}

Association schemes S is a finite set R 0, R 1,..., R d binary relations on S R 0 = {(x, x) S S x S} R i = {(x, y) S S (y, x) R i } Then (S, R 0, R 1,..., R d ) is a d-class association scheme if: S S = R 0 R 1 R d, with R i R j = for all i j. For each i, j such that Ri = R j For all i, j and all (x, y) S S, define p ij (x, y) = {z S (x, z) R i, (z, y) R j }. For all k and for all (x, y) R k, p ij (x, y) is a constant, denoted p k ij.

Corresponding Weighted Partial Difference Sets to Association Schemes Let G be a group with a weighted partial difference set D = D 1 D 2 D d Construct an association scheme as follows: S = G R 0 = {(g, g) G G g G} R i = {(g, h) G G gh 1 D i, g h} (for i = 1, 2,..., d) R d+1 = {(g, h) G G gh 1 / D, g h}

Schur rings G a finite abelian group C 0, C 1,..., C d finite subsets of G identify each C i as a formal sum of its elements in C[G] The subalgebra of C[G] generated by C 0, C 1,..., C d is a Schur ring if: C 0 = {1}, the singleton containing the identity G = C 0 C 1 C d, with C i C j = for all i j for each i, j such that C 1 i for all i, j, for some integers p k ij C i C j = = C j d pij k C k, k=0

Schur ring example Let G = {ζ k k Z, 0 k 5}, where ζ = e 2πi/6 D 0 = {ζ 0 } = {1}, D 1 = {ζ 2, ζ 4 }, D 2 = {ζ, ζ 3, ζ 5 } By this same process, D 1 D 2 = (ζ 2 + ζ 4 ) (ζ + ζ 3 + ζ 5 ) = ζ 3 + ζ 5 + ζ 7 + ζ 5 + ζ 7 + ζ 9 = 2ζ + 2ζ 3 + 2ζ 5 = 2D 2 D 1 D 1 = 2D 0 + D 1 D 2 D 2 = 3D 0 + 3D 1 Therefore, the intersection numbers for this Schur ring are: p 0 11 = 2, p1 11 = 1, p2 11 = 0 p 0 12 = 0, p1 12 = 0, p2 12 = 2 p 0 22 = 3, p1 22 = 3, p2 22 = 0

Adjacency matrices S a finite set {s 1, s 2,, s m } R 0, R 1,, R d defined as above The adjacency matrix of R l is the m m matrix A l whose (i, j)th entry is 1 if (s i, s j ) R l or 0 otherwise We say that a subring A 1,..., A d of C[M m m (Z)] is an adjacency ring or Bose-Mesner algebra if: for each i {0,..., d}, A i is a (0, 1)-matrix, d i=0 A i = J (the all 1 s matrix), for each i {0,..., d}, t A i = A j, for some j {0,..., d}, there is a subset J {0,..., d} such that j J A j = I, and there is a set of non-negative integers {p k ij i, j, k {0,..., d}} such that for all such i, j. d A i A j = pij k A k, k=0

Constructing Adjacency Matrices Constructing an adjacency matrix A k from a weighted partial difference set Let G be a group of order v, D = D 1 D d a weighted PDS A k is a v v matrix (i, j)th entry = 1 if i j D k, 0 otherwise Constructing an adjacency matrix A k from a weighted Cayley graph X w (G, D): A k is a v v matrix, where v = G (i, j)th entry = 1 if vertices g i and g j are connected by an edge of weight k

Adjacency Matrices for GF (9) Example A 1 = A 2 = 0 1 1 0 0 0 0 0 0 1 0 1 0 0 0 0 0 0 1 1 0 0 0 0 0 0 0 0 0 0 0 1 1 0 0 0 0 0 0 1 0 1 0 0 0 0 0 0 1 1 0 0 0 0 0 0 0 0 0 0 0 1 1 0 0 0 0 0 0 1 0 1 0 0 0 0 0 0 1 1 0 0 0 0 1 0 0 1 0 0 0 0 0 0 1 0 0 1 0 0 0 0 0 0 1 0 0 1 1 0 0 0 0 0 1 0 0 0 1 0 0 0 0 0 1 0 0 0 1 0 0 0 0 0 1 1 0 0 1 0 0 0 0 0 0 1 0 0 1 0 0 0 0 0 0 1 0 0 1 0 0 0

Important Theorems

Intersection number-matrix theorem G a finite abelian group, D 0,, D d G such that D i D j = if i j, and G is the disjoint union of D 0 D d for each i there is a j such that D 1 = D j, and D i D j = l k=0 p k ij D k for some positive integer p k ij. Then the matrices P k = (p k ij ) 0 i,j d satisfy the following properties: P 0 is a diagonal matrix with entries D 0,, D d For each k, the jth column of P k has sum D j (j = 0,, d). Likewise, the ith row of P k has sum D i (i = 0,, d). i

Intersection number-trace theorem Let f : GF (p) n GF (p) be a function, Γ be its Cayley graph. Assume Γ is a weighted strongly regular graph. Let A = (a k,l ) be the adjacency matrix of Γ. Let A i = (ak,l i ) be the (0, 1)-matrix where { 1 if a k,l = i a i k,l = 0 otherwise for each i = 1, 2,..., p 1. Let A 0 = I. Let A p be the (0, 1)-matrix such that A 0 + A 1 + + A p 1 + A p = J. The intersection numbers p k ij defined by satisfy the formula for all i, j, k = 1, 2,..., p. A i A j = p pij ka k k=0 ( ) 1 pij k = p n Tr(A i A j A k ) D k

Connections between intersection numbers Let G = GF (p) n. Let D 0,, D d G such that D i D j = if i j, and G is the disjoint union D 0 D d for each i there is a j such that D 1 D i D j = l k=0 i = D j, and p k ij D k for some positive integer p k ij. Then, for all i, j, k, D k p k ij = D i p i kj.

Main Results

First result: even bent functions f : GF (3) 2 GF (3) If f is an even, bent function such that f (0) = 0 and the level curves f 1 (i) yield a weighted PDS then one of the following occurs: We have D 1 = D 2 = 2, and the intersection numbers p k ij are given as follows: pij 0 0 1 2 3 0 1 0 0 0 1 0 2 0 0 2 0 0 2 0 3 0 0 0 4 pij 2 0 1 2 3 0 0 0 1 0 1 0 0 0 2 2 1 0 1 0 3 0 2 0 2 pij 1 0 1 2 3 0 0 1 0 0 1 1 1 0 0 2 0 0 0 2 3 0 0 2 2 pij 3 0 1 2 3 0 0 0 0 1 1 0 0 1 1 2 0 1 0 1 3 1 1 1 1

We have D 1 = D 2 = 4, D 3 =, and the intersection numbers p k ij are given as follows: pij 0 0 1 2 0 1 0 0 1 0 4 0 2 0 0 4 pij 2 0 1 2 0 0 0 1 1 0 2 2 2 1 2 1 pij 1 0 1 2 0 0 1 0 1 1 1 2 2 0 2 2 no p 3 ij Since D 3 =, there are no i, j such that D i D j will produce elements of D 3.

Chart of even bent functions GF (3) 2 (0, 0) (1, 0) (2, 0) (0, 1) (1, 1) (2, 1) (0, 2) (1, 2) (2, 2) b 1 0 1 1 1 2 2 1 2 2 b 2 0 2 2 1 0 0 1 0 0 b 3 0 1 1 2 0 0 2 0 0 b 4 0 2 2 0 1 0 0 0 1 b 5 0 0 0 2 1 0 2 0 1 b 6 0 1 1 0 2 0 0 0 2 b 7 0 0 0 1 2 0 1 0 2 b 8 0 2 2 0 0 1 0 1 0 b 9 0 0 0 2 0 1 2 1 0 b 10 0 2 2 2 1 1 2 1 1 b 11 0 0 0 0 2 1 0 1 2 b 12 0 2 2 1 2 1 1 1 2 b 13 0 1 1 2 2 1 2 1 2 b 14 0 1 1 0 0 2 0 2 0 b 15 0 0 0 1 0 2 1 2 0 b 16 0 0 0 0 1 2 0 2 1 b 17 0 2 2 1 1 2 1 2 1 b 18 0 1 1 2 1 2 2 2 1

Second result: even bent functions f : GF (3) 3 GF (3) If f is an even, bent function such that f (0) = 0 and the level curves f 1 (i) yield a weighted PDS then one of the following occurs: We have D 1 = 6, D 2 = 12, and the intersection numbers p k ij are given as follows: pij 0 0 1 2 3 0 1 0 0 0 1 0 6 0 0 2 0 0 12 0 3 0 0 0 8 pij 2 0 1 2 3 0 0 0 1 0 1 0 2 2 2 2 1 2 5 4 3 0 2 4 2 pij 1 0 1 2 3 0 0 1 0 0 1 1 1 4 0 2 0 4 4 4 3 0 0 4 4 pij 3 0 1 2 3 0 0 0 0 1 1 0 0 3 3 2 0 3 6 3 3 1 3 3 1

We have D 1 = 12, D 2 = 6, and the intersection numbers p k ij are given as follows: pij 0 0 1 2 3 0 1 0 0 0 1 0 12 0 0 2 0 0 6 0 3 0 0 0 8 pij 2 0 1 2 3 0 0 0 1 0 1 0 4 4 4 2 1 4 1 0 3 0 4 0 4 pij 1 0 1 2 3 0 0 1 0 0 1 1 5 2 4 2 0 2 2 2 3 0 4 2 2 pij 3 0 1 2 3 0 0 0 0 1 1 0 6 3 3 2 0 3 0 3 3 1 3 3 1

Preserving structures under function composition Suppose: f : GF (p) n GF (p) is an even function such that f (0) = 0 D i = f 1 (i) for i GF (p) φ : GF (p) n GF (p) n is a linear map that is invertible (i.e., det φ 0 mod p) g = f φ If the collection of sets D 1, D 2,, D p 1 forms a weighted partial difference set for GF (p) n then so does its image under the function φ. Additionally, the Schur ring associated to the weighted partial difference set of f is isomorphic to the Schur ring associated to the weighted partial difference set of g.

Group action Let G be a multiplicative group and let X be a set. G acts on X (on the left) if there exists a map ρ : G X X such that: ρ(1 G, x) = x for all x X ρ(g, ρ(h, x)) = ρ(gh, x) for all g, h G, x X An orbit is any set of the form {ρ(g, x) g G}; we call this the orbit of x.

Proof of second result Consider the set E of all functions f : GF (3) 3 GF (3) such that f is even f (0) = 0 the degree of the algebraic normal form of f is at most 4 There are 3 12 = 531, 441 such functions Let B E be the subset of bent functions Let G = GL(3, GF (3)) be the set of linear automorphisms φ : GF (3) 3 GF (3) 3. f E is equivalent to g E if and only if f is sent to g under some element of G.

Proof (cont.) signature of f : sequence of cardinalities of the level curves f 1 (1) and f 1 (2). All of the functions in each equivalence class have the same signature. 35 unique signatures across all functions on GF (3) 3 Mathematica was used to find all equivalence classes of functions in E; 281 total equivalence classes, but only 4 classes consist of bent functions. Call these classes B 1, B 2, B 3, B 4 ; then B = B 1 B 2 B 3 B 4

Two equivalence classes had signature (6,12) and two classes had signature (12,6) x 2 1 + x 2 2 + x 2 3 represents B 1, a class of 234 functions of signature (6,12) x 1 x 3 + 2x 2 2 + 2x 2 1 x 2 2 represents B 2, a class of 936 functions of signature (6,12) B 3 = B 1, B 4 = B 2 We conclude through calculation that B 1 corresponds with the first condition of the theorem, while B 3 corresponds to the second condition. B 2 and B 4 do not yield weighted partial difference sets.

Conclusions/Further Research Main result is only a partial characterization Certain constraints on the functions Reverse claim? Characterization in GF (5) n Developing non-linear cryptanalysis

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback