New Quadratic Bent Functions in Polynomial Forms with Coefficients in Extension Fields

Chunming Tang, Yanfeng Qi, Maozhi Xu

C. Tang is with School of Mathematics and Information, China West Normal University, Sichuan Nanchong, 637002, China.
Y. Qi is with LMAM, School of Mathematical Sciences, Peking University, Beijing, 100871, and Aisino corporation Inc., Beijing, 100097, China.
M. Xu is with LMAM, School of Mathematical Sciences, Peking University, Beijing, 100871, China.

Abstract—In this paper, we first discuss the bentness of a large class of quadratic Boolean functions in polynomial form $f(x) = \sum_{i=1}^{n/2-1} \mathrm{Tr}_1^n(c_i x^{1+2^i}) + \mathrm{Tr}_1^{n/2}(c_{n/2} x^{1+2^{n/2}})$, where $c_i \in GF(2^n)$ for $1 \le i \le n/2 - 1$ and $c_{n/2} \in GF(2^{n/2})$. The bentness of these functions can be connected with linearized permutation polynomials. Hence, methods for constructing quadratic bent functions are given. Further, we consider a subclass of quadratic Boolean functions of the form $f(x) = \sum_{i=1}^{m/2-1} \mathrm{Tr}_1^n(c_i x^{1+2^{ei}}) + \mathrm{Tr}_1^{n/2}(c_{m/2} x^{1+2^{n/2}})$, where $c_i \in GF(2^e)$, $n = em$ and $m$ is even. The bentness of these functions is characterized and some methods for constructing new quadratic bent functions are given. Finally, for a special case: $m = 2^{v_0} p^r$ and $\gcd(e, p-1) = 1$, we present the enumeration of quadratic bent functions.

Index Terms—Bent function, Boolean function, linearized permutation polynomial, semi-bent function

I. INTRODUCTION

A bent function, whose Hamming distance to the set of all affine Boolean functions equals $2^{n-1} \pm 2^{n/2-1}$, is a Boolean function with even $n$ variables from $GF(2^n)$ to $GF(2)$. Further, it has maximum nonlinearity and the absolute value of its Walsh transform has a constant magnitude [22]. Nonlinearity is an important property for a Boolean function in cryptographic applications. Much research has been devoted to bent functions [3], [4], [5], [6], [7], [10], [14], [17], [25]. Since bent functions with maximal nonlinearity have a close relationship with sequences, bent functions are often used in the construction of sequences with maximally linear complexity and low correlation [2], [8], [9], [15], [16], [21], [23]. Further, many applications of bent functions can be found in coding theory [18] and combinatorial design.

As another class of Boolean functions, semi-bent functions are also highly nonlinear. For an even $n$, the Walsh spectra of bent functions with $n$ variables has the value $\pm 2^{n/2}$ while the Walsh spectra of semi-bent functions belongs to $\{0, \pm 2^{(n+2)/2}\}$. For an odd integer $n$, the Walsh spectra of semi-bent functions belongs to $\{0, \pm 2^{(n+1)/2}\}$. Khoo, Gong and Stinson [13], [14] considered the quadratic Boolean function of the form

$$f(x) = \sum_{i=1}^{\frac{n-1}{2}} c_i \mathrm{Tr}_1^n(x^{1+2^i}),$$

where $n$ is odd, $\mathrm{Tr}_1^n(x)$ is the trace function from $GF(2^n)$ to $GF(2)$ and $c_i \in GF(2)$. They proved that $f(x)$ is semi-bent if and only if

$$\gcd(c(x), x^n + 1) = x + 1,$$

where $c(x) = \sum_{i=1}^{\frac{n-1}{2}} c_i (x^i + x^{n-i})$. Charpin, Pasalic and Tavernier [6] generalized Khoo et al.'s results to even $n$ and considered quadratic functions of the form

$$f(x) = \sum_{i=1}^{\lfloor \frac{n-1}{2} \rfloor} c_i \mathrm{Tr}_1^n(x^{1+2^i}), \quad c_i \in GF(2).$$

When $n$ is even, they proved that $f(x)$ is semi-bent if and only if

$$\gcd(c(x), x^n + 1) = x^2 + 1,$$

where $c(x) = \sum_{i=1}^{\frac{n-2}{2}} c_i (x^i + x^{n-i})$. For odd $n$, they investigated the conditions for the semi-bent functions of $f(x)$ with three and four trace terms.

For further generalization, Ma, Lee and Zhang [17] applied techniques from [14] and considered the quadratic Boolean functions of the form

$$f(x) = \sum_{i=1}^{\frac{n-2}{2}} c_i \mathrm{Tr}_1^n(x^{1+2^i}) + \mathrm{Tr}_1^{n/2}(x^{1+2^{n/2}}), \tag{1}$$

where $c_i \in GF(2)$ and $\mathrm{Tr}_1^{n/2}(x)$ is the trace function from $GF(2^{n/2})$ to $GF(2)$. They proved that $f(x)$ is a bent function if and only if

$$\gcd(c(x), x^n + 1) = 1,$$

where $c(x) = \sum_{i=1}^{\frac{n-2}{2}} c_i (x^i + x^{n-i}) + x^{n/2}$. For some special cases of $n$, Yu and Gong [25] considered the concrete constructions of bent functions of the form (1) and presented some enumeration results.

Hu and Feng [10] generalized results of Ma, Lee and Zhang [17] and studied the quadratic Boolean functions of the form

$$f(x) = \sum_{i=1}^{\frac{m-2}{2}} c_i \mathrm{Tr}_1^n(\beta x^{1+2^{ei}}) + \mathrm{Tr}_1^{n/2}(\beta x^{1+2^{n/2}}), \tag{2}$$

where $c_i \in GF(2)$, $n = em$, $m$ is even and $\beta \in GF(2^e)$. They obtained that $f(x)$ is bent if and only if

$$\gcd(c(x), x^m + 1) = 1,$$

where $c(x) = \sum_{i=1}^{\frac{m-2}{2}} c_i (x^i + x^{m-i}) + x^{m/2}$. Further, they presented the enumerations of bent functions for some specified

$m$. Note that $\beta \in GF(2^e)$, then $(\beta^{2^{e-1}})^{1+2^{ei}} = \beta^{2^e} = \beta$. The function $f(x)$ of the form (2) satisfies that

$$f(x) = \sum_{i=1}^{\frac{m-2}{2}} c_i \mathrm{Tr}_1^n((\beta^{2^{e-1}} x)^{1+2^{ei}}) + \mathrm{Tr}_1^{n/2}((\beta^{2^{e-1}} x)^{1+2^{n/2}}),$$

where $c_i \in GF(2)$. From the transformation $x \mapsto \beta^{2^{e-1}} x$, a bent function of the form (2) is changed into a bent function of the form (1). Actually, (2) does not introduce new bent functions.

In this paper, we first consider quadratic Boolean functions of the form

$$f(x) = \sum_{i=1}^{\frac{n}{2}-1} \mathrm{Tr}_1^n(c_i x^{1+2^i}) + \mathrm{Tr}_1^{n/2}(c_{n/2} x^{1+2^{n/2}}), \tag{3}$$

where $c_i \in GF(2^n)$ for $1 \le i \le \frac{n}{2} - 1$ and $c_{n/2} \in GF(2^{n/2})$. We study the bentness of these functions from some specific linearized polynomials. Further, we generalize results in [10], [17] and study the bentness of quadratic Boolean functions of the form

$$f(x) = \sum_{i=1}^{\frac{m}{2}-1} \mathrm{Tr}_1^n(c_i x^{1+2^{ei}}) + \mathrm{Tr}_1^{n/2}(c_{m/2} x^{1+2^{n/2}}), \tag{4}$$

where $c_i \in GF(2^e)$. Further, we give some examples of new bent functions, and we construct new quadratic bent functions from known quadratic bent functions. Finally, we present enumerations of bent functions of the form (4) for the case $m = 2^{v_0} p^r$ and $\gcd(e, p-1) = 1$, where $v_0 > 0$, $r > 0$, $p$ is an odd prime satisfying $\mathrm{ord}_p(2) = p - 1$ or $\mathrm{ord}_p(2) = (p-1)/2$ ($(p-1)/2$ is odd).

The rest of the paper is organized as follows: Section 2 introduces some notations and backgrounds. Section 3 gives the description of bentness of quadratic Boolean functions considered in this paper and methods of constructing new bent functions. Section 4 enumerates the number of quadratic bent functions for special $n$. Finally, Section 5 makes a conclusion for this paper.

II. PRELIMINARIES

In this section, some notations are given first. Let $GF(2^n)$ be the finite field with $2^n$ elements. Let $GF(2^n)^*$ be the multiplicative group of $GF(2^n)$. Let $e \mid n$, the trace function $\mathrm{Tr}_e^n(x)$ from $GF(2^n)$ to $GF(2^e)$ is defined by

$$\mathrm{Tr}_e^n(x) = x + x^{2^e} + \cdots + x^{2^{e(n/e-1)}}, \quad x \in GF(2^n).$$

The trace function satisfies that
(1) $\mathrm{Tr}_e^n(x^{2^e}) = \mathrm{Tr}_e^n(x)$, where $x \in GF(2^n)$.
(2) $\mathrm{Tr}_e^n(ax + by) = a\mathrm{Tr}_e^n(x) + b\mathrm{Tr}_e^n(y)$, where $x, y \in GF(2^n)$ and $a, b \in GF(2^e)$.

When $n$ is even, a quadratic Boolean function from $GF(2^n)$ to $GF(2)$ can be represented by

$$f(x) = \sum_{i=0}^{\frac{n}{2}-1} \mathrm{Tr}_1^n(c_i x^{1+2^i}) + \mathrm{Tr}_1^{n/2}(c_{n/2} x^{1+2^{n/2}}), \tag{5}$$

where $c_i \in GF(2^n)$ for $0 \le i \le \frac{n}{2}$ and $c_{n/2} \in GF(2^{n/2})$.

When $n$ is odd, $f(x)$ can be represented by

$$f(x) = \sum_{i=0}^{\frac{n-1}{2}} \mathrm{Tr}_1^n(c_i x^{1+2^i}), \tag{6}$$

where $c_i \in GF(2^n)$.

For a Boolean function $f(x)$ over $GF(2^n)$, the Hadamard transform is defined by

$$\hat f(\lambda) = \sum_{x \in GF(2^n)} (-1)^{f(x) + \mathrm{Tr}_1^n(\lambda x)}, \quad \lambda \in GF(2^n).$$

For a quadratic Boolean function $f(x)$ of the form (5) or (6), the distribution of the Hadamard transform can be described by the bilinear form

$$Q_f(x, y) = f(x + y) + f(x) + f(y). \tag{7}$$

For the bilinear form $Q_f$, define

$$K_f = \{x \in GF(2^n) : Q_f(x, y) = 0, \ \forall y \in GF(2^n)\} \tag{8}$$

and $k_f = \dim_{GF(2)}(K_f)$. Then $2 \mid (n - k_f)$. The distribution of the Hadamard transform values of $\hat f(\lambda)$ is given in the following theorem [11].

Theorem 2.1: Let $f(x)$ be a quadratic Boolean function of the form (5) or (6) and $k_f = \dim_{GF(2)}(K_f)$, where $K_f$ is defined in (8). The distribution of the Hadamard transform values of $f(x)$ is given by

$$\hat f(\lambda) = \begin{cases} 0, & 2^n - 2^{n-k_f} \text{ times} \\ 2^{\frac{n+k_f}{2}}, & 2^{n-k_f-1} + 2^{\frac{n-k_f}{2}-1} \text{ times} \\ -2^{\frac{n+k_f}{2}}, & 2^{n-k_f-1} - 2^{\frac{n-k_f}{2}-1} \text{ times.} \end{cases}$$

Bent functions as an important class of Boolean functions are defined below.

Definition: Let $f(x)$ be a Boolean function from $GF(2^n)$ to $GF(2)$. Then $f(x)$ is called a bent function if for any $\lambda \in GF(2^n)$, $\hat f(\lambda) \in \{2^{n/2}, -2^{n/2}\}$.

Bent functions only exist in the case for even $n$. From Theorem 2.1, the following result on bent functions is given below.

Corollary 2.2: Let $f(x)$ be a quadratic function of the form (5) over $GF(2^n)$, then $f(x)$ is bent if and only if $K_f = \{0\}$, where $K_f$ is defined in (8).

III. NEW CONSTRUCTION OF QUADRATIC BENT FUNCTIONS IN POLYNOMIAL FORMS

In this section, let $n$ be even. We present the characterization of the bentness for quadratic Boolean functions and some methods for constructing bent functions.

A. Bent functions and linearized permutation polynomials

In this subsection, we discuss the relationship of bentness of quadratic Boolean function of the form (3) with linearized permutation polynomials.

Theorem 3.1: The quadratic Boolean function

$$f(x) = \sum_{i=0}^{n-1} \mathrm{Tr}_1^n(c_i x^{1+2^i}), \quad c_i \in GF(2^n) \tag{9}$$

is bent if and only if

$$L_f(x) = \sum_{i=1}^{n-1} (c_i + c_{n-i}^{2^i}) x^{2^i} \tag{10}$$

is a linearized permutation polynomial, that is, $L_f(x) = 0$ has only the solution 0.

Proof:

$$\begin{aligned} f(x + y) &= \sum_{i=0}^{n-1} \mathrm{Tr}_1^n(c_i (x + y)^{1+2^i}) \\ &= \sum_{i=0}^{n-1} \mathrm{Tr}_1^n(c_i (x + y)^1 (x + y)^{2^i}) \\ &= \sum_{i=0}^{n-1} \mathrm{Tr}_1^n(c_i x^{1+2^i}) + \sum_{i=0}^{n-1} \mathrm{Tr}_1^n(c_i y^{1+2^i}) + \sum_{i=0}^{n-1} \mathrm{Tr}_1^n(c_i x^{2^i} y) + \sum_{i=0}^{n-1} \mathrm{Tr}_1^n(c_i y^{2^i} x) \\ &= f(x) + f(y) + \sum_{i=0}^{n-1} \mathrm{Tr}_1^n(c_i x^{2^i} y) + \sum_{i=0}^{n-1} \mathrm{Tr}_1^n((c_i y^{2^i} x)^{2^{n-i}}) \\ &= f(x) + f(y) + \sum_{i=1}^{n-1} \mathrm{Tr}_1^n((c_i + c_{n-i}^{2^i}) x^{2^i} y). \end{aligned}$$

Then we have

$$Q_f(x, y) = f(x + y) + f(x) + f(y) = \sum_{i=1}^{n-1} \mathrm{Tr}_1^n((c_i + c_{n-i}^{2^i}) x^{2^i} y).$$

From Corollary 2.2, $f(x)$ is bent if and only if $\sum_{i=1}^{n-1} (c_i + c_{n-i}^{2^i}) x^{2^i} = 0$ has only the solution 0. Since $L_f(x) = \sum_{i=1}^{n-1} (c_i + c_{n-i}^{2^i}) x^{2^i}$ is a linearized polynomial and can be seen as a linear transformation of $GF(2^n)$ over $GF(2)$, $L_f(x) = 0$ has only the solution 0 if and only if $L_f(x)$ is a linearized permutation polynomial. This theorem follows.

The following theorem characterizes the bentness of quadratic Boolean functions of the form (3).

Theorem 3.2: Let $f(x)$ be a quadratic Boolean function defined by

$$f(x) = \sum_{i=1}^{\frac{n}{2}-1} \mathrm{Tr}_1^n(c_i x^{1+2^i}) + \mathrm{Tr}_1^{n/2}(c_{n/2} x^{1+2^{n/2}}), \tag{11}$$

where $c_i \in GF(2^n)$ for $1 \le i \le \frac{n}{2} - 1$ and $c_{n/2} \in GF(2^{n/2})$. Then $f(x)$ is bent if and only if

$$L_f(x) = \sum_{i=1}^{\frac{n}{2}-1} (c_i x^{2^i} + c_i^{2^{n-i}} x^{2^{n-i}}) + c_{n/2} x^{2^{n/2}} \tag{12}$$

is a linearized permutation polynomial, that is, $L_f(x) = 0$ has only the solution 0.

Proof: Since $\mathrm{Tr}_{n/2}^n(\cdot)$ is a surjective map from $GF(2^n)$ to $GF(2^{n/2})$, there exists $c'_{n/2} \in GF(2^n)$ satisfying $c_{n/2} = \mathrm{Tr}_{n/2}^n(c'_{n/2}) = c'_{n/2} + {c'_{n/2}}^{2^{n/2}}$. Then

$$f(x) = \sum_{i=1}^{\frac{n}{2}-1} \mathrm{Tr}_1^n(c_i x^{1+2^i}) + \mathrm{Tr}_1^n(c'_{n/2} x^{1+2^{n/2}}).$$

From Theorem 3.1,

$$L_f(x) = \sum_{i=1}^{\frac{n}{2}-1} (c_i x^{2^i} + c_i^{2^{n-i}} x^{2^{n-i}}) + c_{n/2} x^{2^{n/2}}.$$

Hence, this theorem follows from the similar discussion of Theorem 3.1.

From Theorem 3.2, the bentness of quadratic Boolean functions depends on the corresponding linearized permutation polynomial (12). Hence, many results and techniques on linearized permutation polynomials, such as theories of non-commutative polynomials [19], [20], can be used to study quadratic bent functions. New results on linearized permutation polynomials can be found in [24]. So far, bent functions constructed of the form (11) generally satisfy that $c_i \in GF(2)$. We will present some bent functions with the form (11) with $c_i \in GF(2^n) \setminus GF(2)$ for some $i$.

Theorem 3.3: Let $i$ be an integer satisfying $1 \le i \le \frac{n}{2} - 1$. Let $\alpha \in GF(2^n)^*$ and $n = 2^{v_0} n_0$, where $n_0$ is odd. Let $f(x)$ be a quadratic Boolean function of the form

$$f(x) = \mathrm{Tr}_1^n(\alpha x^{1+2^i}).$$

Then
(1) There exists $\alpha \in GF(2^n)$ making $f(x)$ bent if and only if $2^{v_0} \nmid i$.
(2) Let $2^{v_0} \nmid i$. Then $f(x)$ is bent if and only if $\alpha$ satisfies

$$\alpha^{(2^n-1)(2^{\gcd(i,n)}-1)/(2^{\gcd(2i,n)}-1)} = \alpha^{(2^n-1)/(2^{\gcd(i,n)}+1)} \ne 1.$$

In particular, let $\alpha$ be a primitive element in $GF(2^n)$, then $f(x)$ is bent.

Proof: From the definition of $f(x)$,

$$L_f(x) = \alpha x^{2^i} + \alpha^{2^{n-i}} x^{2^{n-i}}.$$

From Theorem 3.2, we just consider the sufficient and necessary condition for

$$K_f = \{x \in GF(2^n) : L_f(x) = 0\} = \{0\}.$$

Since $x \mapsto x^{2^i}$ is an isomorphism for $GF(2^n)$, then $K_f = \{0\}$ if and only if $K_f^{2^i} = \{0\}$. Further,

$$\begin{aligned} K_f^{2^i} &= \{x \in GF(2^n) : \alpha^{2^i} x^{2^{2i}} + \alpha x = 0\} \\ &= \{0\} \cup \{x \in GF(2^n) : x^{2^{2i}-1} = (\tfrac{1}{\alpha})^{2^i-1}\} \\ &= \{0\} \cup K', \end{aligned}$$

where $K' = \{x \in GF(2^n) : x^{2^{2i}-1} = (\frac{1}{\alpha})^{2^i-1}\}$. Then $K_f = \{0\}$ if and only if $K' = \emptyset$, that is,

$$x^{2^{2i}-1} = (\tfrac{1}{\alpha})^{2^i-1}, \quad x \in GF(2^n)$$

has no solution. Equivalently,

$$\begin{aligned} (\tfrac{1}{\alpha})^{2^i-1} \notin{} & \{x^{2^{2i}-1} : x \in GF(2^n)^*\} \\ ={} & \{x^{\gcd(2^{2i}-1, 2^n-1)} : x \in GF(2^n)^*\} \\ ={} & \{x^{2^{\gcd(2i,n)}-1} : x \in GF(2^n)^*\}. \end{aligned}$$

That equals that

$$(\tfrac{1}{\alpha})^{(2^n-1)(2^i-1)/(2^{\gcd(2i,n)}-1)} \ne 1,$$

or

$$(\tfrac{1}{\alpha})^{(2^n-1)(2^{\gcd(i,n)}-1)/(2^{\gcd(2i,n)}-1)} \ne 1. \tag{13}$$

Note that

$$(2^{\gcd(i,n)} - 1) \mid (2^{\gcd(2i,n)} - 1) \mid (2^n - 1).$$

There exists $\alpha$ satisfying (13) if and only if $(2^{\gcd(i,n)} - 1) < (2^{\gcd(2i,n)} - 1)$, that is, $\gcd(i, n) < \gcd(2i, n)$. Equivalently, $2^{v_0} \nmid i$. Hence, Result (1) follows. If $2^{v_0} \nmid i$, $f(x)$ is bent if and only if $\alpha$ satisfies (13). From $2^{v_0} \nmid i$,

$$\gcd(2i, n) = 2 \cdot \gcd(i, n).$$

Hence, Result (2) follows.

Theorem 3.4: Let $\alpha \in GF(2^n)^*$ and $(\alpha + \alpha^{-4}) \in GF(2^{n/2})$, the Boolean function

$$f(x) = \mathrm{Tr}_1^n(x^{1+2^{n/2-2}}) + \mathrm{Tr}_1^{n/2}((\alpha + \alpha^{-4}) x^{1+2^{n/2}})$$

is bent if and only if $\alpha^{(2^n-1)/3} \ne 1$.

Proof: From the Boolean function $f(x)$,

$$L_f(x) = x^{2^{n/2-2}} + (\alpha + \alpha^{-4}) x^{2^{n/2}} + x^{2^{n/2+2}}.$$

After some transformation, the factorization of the linear transform $L_f(x)$ is

$$L_f(x) = T_{\alpha^{-4}}(T_\alpha(x^{2^{n/2-2}})),$$

where $T_\alpha(x) = x + \alpha x^{2^2}$, $T_{\alpha^{-4}}(x) = x + \alpha^{-4} x^{2^2}$. Since $x \mapsto x^{2^{n/2-2}}$ is an invertible linear transformation, $L_f(x)$ is invertible if and only if both $T_\alpha(x)$ and $T_{\alpha^{-4}}(x)$ are invertible. It is easily verified that both $T_\alpha(x)$ and $T_{\alpha^{-4}}(x)$ are invertible if and only if $\alpha^{(2^n-1)/3} \ne 1$. From Theorem 3.2, this theorem follows.

Remark (i) If $\frac{n}{2}$ is even, then $3 \mid (2^{n/2} - 1)$ and $3 \nmid (2^{n/2} + 1)$. Let $w$ be the largest integer satisfying $3^w \mid (2^{n/2} - 1)$ and $\zeta_{3^w}$ be a primitive $3^w$-th root of unity. Take

$$\alpha = \beta \zeta_{3^w}^i \tag{14}$$

where $\beta \in GF(2^{n/2})$, $3 \nmid \mathrm{ord}(\beta)$ and $3 \nmid i$. Then $(\alpha + \alpha^{-4}) \in GF(2^{n/2})$. It is easily verified that $\alpha^{(2^n-1)/3} \ne 1$. Hence, $\alpha$ satisfies Theorem 3.4 and $f(x)$ in Theorem 3.4 is a bent function.

(ii) If $\frac{n}{2}$ is odd, then $3 \mid (2^{n/2} + 1)$ and $3 \nmid (2^{n/2} - 1)$. Let $w$ be the largest integer satisfying $3^w \mid (2^{n/2} + 1)$. Take

$$\alpha = (\mathrm{Tr}_{n/2}^n u)^{3/5} u \tag{15}$$

where $u \in GF(2^n)$, $u^{1+2^{n/2}} = 1$ and $3^w \mid \mathrm{ord}(u)$. Note that $5 \nmid 2^{n/2} - 1$ and $\gcd(5, \mathrm{ord}(\mathrm{Tr}_{n/2}^n u)) = 1$. Then $(\mathrm{Tr}_{n/2}^n u)^{3/5}$ is well defined. Since $3^w \mid \mathrm{ord}(u)$, $u \notin GF(2^{n/2})$. Let $\lambda = u + u^{2^{n/2}}$, then the minimal polynomial of $u$ over $GF(2^{n/2})$ is

$$u^2 + \lambda u + 1 = 0. \tag{16}$$

Since $\lambda = \mathrm{Tr}_{n/2}^n u \in GF(2^{n/2})$ and $3 \nmid (2^{n/2} - 1)$, then $\alpha$ satisfies that $\alpha^{(2^n-1)/3} \ne 1$. From Identity (16),

$$\alpha + \alpha^{-4} = \lambda^{-\frac{12}{5}}(\lambda^4 + \lambda^2 + 1) \in GF(2^{n/2}).$$

Hence, $f(x)$ defined in Theorem 3.4 is bent.

B. A subclass of quadratic bent functions

In this subsection, we will consider a special subclass of Boolean functions in (11). This subclass can be seen as a generalization of functions in [10], [17]. Let $m$ be even and $n = me$ for this subsection.

Theorem 3.5: Let $f(x)$ be a Boolean function defined by

$$f(x) = \sum_{i=1}^{\frac{m}{2}-1} \mathrm{Tr}_1^n(c_i x^{1+2^{ei}}) + \mathrm{Tr}_1^{n/2}(c_{m/2} x^{1+2^{n/2}}) \tag{17}$$

where $c_i \in GF(2^e)$, then $f(x)$ is bent if and only if $\gcd(c_f(x), x^m + 1) = 1$, where

$$c_f(x) = \sum_{i=1}^{\frac{m}{2}-1} c_i (x^i + x^{m-i}) + c_{m/2} x^{m/2}. \tag{18}$$

In particular, if $f(x)$ is bent, then $c_{m/2} \ne 0$.

Proof: Since $m$ is even and $e = \frac{n}{m}$ divides $\frac{n}{2}$, then $c_{m/2} \in GF(2^e) \subseteq GF(2^{n/2})$. Note that $\mathrm{Tr}_{n/2}^n(\cdot)$ is surjective from $GF(2^n)$ to $GF(2^{n/2})$. Then there exists $c'_{m/2} \in GF(2^n)$ satisfying $c_{m/2} = \mathrm{Tr}_{n/2}^n(c'_{m/2}) = c'_{m/2} + {c'_{m/2}}^{2^{n/2}}$. Hence,

$$f(x) = \sum_{i=1}^{\frac{m}{2}-1} \mathrm{Tr}_1^n(c_i x^{1+2^{ei}}) + \mathrm{Tr}_1^n(c'_{m/2} x^{1+2^{n/2}}).$$

From the similar proof of Theorem 3.1,

$$L_f(x) = \sum_{i=1}^{\frac{m}{2}-1} c_i (x^{2^{ei}} + x^{2^{e(m-i)}}) + c_{m/2} x^{2^{em/2}} = \sum_{i=1}^{m-1} a_i x^{2^{ei}},$$

where

$$a_i = \begin{cases} c_i, & 1 \le i \le m/2, \\ c_{m-i}, & m/2 < i \le m - 1. \end{cases}$$

Let $\alpha \in GF(2^n)$ be a regular element in $GF(2^n)$, that is, $\{\alpha, \alpha^{2^e}, \alpha^{2^{e \cdot 2}}, \ldots, \alpha^{2^{e(m-1)}}\}$ is a basis of $GF(2^n)$ over $GF(2^e)$, then the matrix associated with the linear transformation $L_f(x)$ under this basis is

$$A = \begin{pmatrix} 0 & a_1 & a_2 & \cdots & a_{m-1} \\ a_{m-1} & 0 & a_1 & \cdots & a_{m-2} \\ a_{m-2} & a_{m-1} & 0 & \cdots & a_{m-3} \\ \vdots & \vdots & \vdots & \cdots & \vdots \\ a_1 & a_2 & a_3 & \cdots & 0 \end{pmatrix}$$

Hence $L_f(x)$ is a linearized permutation polynomial if and only if $A$ is non-singular. From the theory of cyclic codes in [1], $A$ is non-singular if and only if the dimension $m - \gcd(0 + a_1 x + a_2 x^2 + \cdots + a_{m-1} x^{m-1}, x^m - 1)$ of the cyclic code over $GF(2^e)$, generated by rows of $A$, is $m$, i.e. $\gcd(c_f, x^m + 1) = \gcd(0 + a_1 x + a_2 x^2 + \cdots + a_{m-1} x^{m-1}, x^m - 1) = 1$. Finally, if $c_{m/2} = 0$, then $(x + 1) \mid c_f(x)$. Hence, this theorem follows.

Theorem 3.6: Let $m = 2^{v_0}$, where $v_0 \ge 1$. The Boolean function

$$f(x) = \sum_{i=1}^{\frac{m}{2}-1} \mathrm{Tr}_1^n(c_i x^{1+2^{ei}}) + \mathrm{Tr}_1^{n/2}(c_{m/2} x^{1+2^{n/2}}) \tag{19}$$

is bent if and only if $c_{m/2} \ne 0$. Further, the number of bent functions with this form over $GF(2^n)$ is $(2^e - 1) 2^{e\frac{m-2}{2}}$.

Proof: Since $m = 2^{v_0}$, $x^m + 1 = (x + 1)^{2^{v_0}}$. Then $\gcd(c_f(x), x^m + 1) = 1$ if and only if $(x + 1) \nmid c_f(x)$, that is, $c_f(1) \ne 0$. Note that $c_f(1) = c_{m/2}$. From Theorem 3.5, $f(x)$ is bent if and only if $c_{m/2} \ne 0$. From the random choice of $c_i \in GF(2^e)$ ($1 \le i \le \frac{m-2}{2}$), the number of bent functions is $(2^e - 1) 2^{e\frac{m-2}{2}}$. This theorem follows.

Theorem 3.7: Let $m = 2^{v_0} m_0$, where $m_0$ is odd. Let $\lambda \in GF(2^{2e})^*$ satisfying $\lambda + \frac{1}{\lambda} \in GF(2^e)^*$. Then the Boolean function

$$f(x) = \mathrm{Tr}_1^n(x^{1+2^{ei}}) + \mathrm{Tr}_1^{n/2}((\lambda + \tfrac{1}{\lambda}) x^{1+2^{n/2}})$$

is bent if and only if $\lambda^{m_0/\gcd(i,m_0)} \ne 1$.

Proof: From the definition of $f(x)$,

$$\begin{aligned} c_f(x) &= (x^i + x^{m-i}) + (\lambda + \tfrac{1}{\lambda}) x^{m/2} \\ &\equiv (x^i + x^{-i}) + (\lambda + \tfrac{1}{\lambda}) \\ &\equiv \frac{x^{2i} + (\lambda + \frac{1}{\lambda}) x^i + 1}{x^i} \\ &\equiv \frac{(x^i + \lambda)(x^i + \frac{1}{\lambda})}{x^i} \mod x^{m_0} + 1. \end{aligned}$$

Then $\gcd(c_f(x), x^m + 1) = 1$ if and only if $\gcd(x^i + \lambda, x^{m_0} + 1) = \gcd(x^i + \frac{1}{\lambda}, x^{m_0} + 1) = 1$. From $\gcd(x^i + \lambda, x^{m_0} + 1) = 1$, we have equivalently

$$\lambda \notin \{x^i : x \in \overline{GF(2)}, x^{m_0} = 1\} = \{x : x \in \overline{GF(2)}, x^{m_0/\gcd(i,m_0)} = 1\},$$

that is,

$$\lambda^{m_0/\gcd(i,m_0)} \ne 1.$$

Similarly, $\gcd(x^i + \frac{1}{\lambda}, x^{m_0} + 1) = 1$ if and only if $\lambda^{-m_0/\gcd(i,m_0)} \ne 1$. Note that $\lambda^{m_0/\gcd(i,m_0)} \ne 1$ if and only if $\lambda^{-m_0/\gcd(i,m_0)} \ne 1$. Hence, this theorem follows.

We will consider how to construct new quadratic bent functions from known quadratic bent functions.

Theorem 3.8: Let $c_i \in GF(2^e)$ for $1 \le i \le m/2$ and $\beta \in GF(2^e)^*$, then

$$f(x) = \sum_{i=1}^{\frac{m}{2}-1} \mathrm{Tr}_1^n(c_i x^{1+2^{ei}}) + \mathrm{Tr}_1^{n/2}(c_{m/2} x^{1+2^{n/2}})$$

is bent if and only if

$$f_\beta(x) = \sum_{i=1}^{\frac{m}{2}-1} \mathrm{Tr}_1^n(\beta c_i x^{1+2^{ei}}) + \mathrm{Tr}_1^{n/2}(\beta c_{m/2} x^{1+2^{n/2}})$$

is bent.

Proof: We have

$$c_f(x) = \sum_{i=1}^{\frac{m}{2}-1} c_i (x^i + x^{m-i}) + c_{m/2} x^{m/2},$$

$$c_{f_\beta}(x) = \beta\Big(\sum_{i=1}^{\frac{m}{2}-1} c_i (x^i + x^{m-i}) + c_{m/2} x^{m/2}\Big) = \beta c_f(x).$$

Since $\beta \ne 0$, then

$$\gcd(c_f(x), x^m + 1) = \gcd(c_{f_\beta}(x), x^m + 1).$$

From Theorem 3.5, this theorem follows.

Remark: This theorem can explain the relationship of bent functions presented by Hu and Feng [10] and bent functions constructed by Ma, Lee and Zhang [17].

Theorem 3.9: Let $c_i \in GF(2^e)$ for $1 \le i \le m/2$ and $\beta \in GF(2^e)$. Then

$$f(x) = \sum_{i=1}^{\frac{m}{2}-1} \mathrm{Tr}_1^n(c_i x^{1+2^{ei}}) + \mathrm{Tr}_1^{n/2}(c_{m/2} x^{1+2^{n/2}})$$

is bent if and only if

$$f_+(x) = f(x) + \sum_{i=1}^{\frac{m}{2}-1} \mathrm{Tr}_1^n(\beta x^{1+2^{ei}})$$

is bent.

Proof: We have

$$\begin{aligned} c_{f_+}(x) &= c_f(x) + \beta \sum_{i=1}^{\frac{m}{2}-1} (x^i + x^{m-i}) \\ &= c_f(x) + \beta (x^{m/2} + 1) \sum_{i=1}^{\frac{m}{2}-1} x^i. \end{aligned}$$

For any polynomial $g(x)$, $\gcd(g(x), x^m + 1) = 1$ if and only if $\gcd(g(x), x^{m/2} + 1) = 1$. Then

$$\begin{aligned} \gcd(c_{f_+}(x), x^{m/2} + 1) &= \gcd\Big(c_f(x) + \beta (x^{m/2} + 1) \sum_{i=1}^{\frac{m}{2}-1} x^i, \ x^{m/2} + 1\Big) \\ &= \gcd(c_f, x^{m/2} + 1). \end{aligned}$$

Hence, this theorem follows.

From Theorem 3.9, we have a generalization of Theorem 5 in [10].

Corollary 3.10: Let $m_0$ be the largest odd integer dividing $m$. Let $1 \le k \le m/2 - 1$, $d \ge 1$, $\beta_1 \in GF(2^e)^*$ and $\beta_2 \in GF(2^e)$. The Boolean function

$$f(x) = \sum_{i=1}^{m/2-1} \mathrm{Tr}_1^n(\beta_2 x^{1+2^{ei}}) + \sum_{i=1}^{k} \mathrm{Tr}_1^n(\beta_1 x^{1+2^{edi}}) + \mathrm{Tr}_1^{n/2}(\beta_1 x^{1+2^{n/2}})$$

is bent if and only if $\gcd((2k + 1)d, m_0) = \gcd(d, m_0)$.

Proof: From Theorem 3.9 and Theorem 4 in [10], this theorem follows.

Theorem 3.11: Let $a_i, b_i \in GF(2^e)$ for $1 \le i \le m/2$. Two Boolean functions $f_1(x)$ and $f_2(x)$ are defined by

$$f_1(x) = \sum_{i=1}^{\frac{m}{2}-1} \mathrm{Tr}_1^n(a_i x^{1+2^{ei}}) + \mathrm{Tr}_1^{n/2}(a_{m/2} x^{1+2^{n/2}}),$$

$$f_2(x) = \sum_{i=1}^{\frac{m}{2}-1} \mathrm{Tr}_1^n(b_i x^{1+2^{ei}}) + \mathrm{Tr}_1^{n/2}(b_{m/2} x^{1+2^{n/2}}),$$

Let $\big(\sum_{i=1}^{\frac{m}{2}-1} a_i (x^i + x^{m-i}) + a_{m/2} x^{m/2}\big)\big(\sum_{i=1}^{\frac{m}{2}-1} b_i (x^i + x^{m-i}) + b_{m/2} x^{m/2}\big) x^{m/2} \equiv \sum_{i=0}^{m-1} c_i x^i \mod x^m + 1$, where $c_i \in GF(2^e)$. Let $a_0 = b_0 = 0$. Let $a_{m-j} = a_j$, $b_{m-k} = b_k$ for $m/2 + 1 \le j, k \le m$. Then

$$c_i = \sum_{\substack{j + k \equiv i + m/2 \bmod m \\ 0 \le j, k \le m-1}} a_j b_k.$$

Further,
(1) $c_0 = 0$ and $c_{m-i} = c_i$ for $1 \le i \le m - 1$;
(2) $f_{1*2}(x) = \sum_{i=1}^{\frac{m}{2}-1} \mathrm{Tr}_1^n(c_i x^{1+2^{ei}}) + \mathrm{Tr}_1^{n/2}(c_{m/2} x^{1+2^{n/2}})$ is bent if and only if both $f_1(x)$ and $f_2(x)$ are bent.

Proof: We have

$$\begin{aligned} c_0 &= \sum_{\substack{j + k \equiv m/2 \bmod m \\ 0 \le j, k \le m-1}} a_j b_k \\ &= a_1 b_{m/2-1} + \cdots + a_{m/2-1} b_1 + a_{m/2} b_0 + a_{m/2+1} b_{m-1} + \cdots + a_{m-1} b_{m/2+1} \\ &= a_1 b_{m/2-1} + \cdots + a_{m/2-1} b_1 + a_{m/2} \cdot 0 + a_{m/2-1} b_1 + \cdots + a_1 b_{m/2-1} \\ &= 0. \end{aligned}$$

For $1 \le i \le m - 1$,

$$\begin{aligned} c_{m-i} &= \sum_{\substack{j + k \equiv m/2 - i \bmod m \\ 0 \le j, k \le m-1}} a_j b_k \\ &= \sum_{\substack{j + k \equiv m/2 - i \bmod m \\ 0 \le j, k \le m-1}} a_{m-j} b_{m-k} \\ &= \sum_{\substack{(m-j) + (m-k) \equiv m/2 + i \bmod m \\ 0 \le j, k \le m-1}} a_{m-j} b_{m-k} \\ &= \sum_{\substack{j + k \equiv m/2 + i \bmod m \\ 0 \le j, k \le m-1}} a_j b_k \\ &= c_i. \end{aligned}$$

Hence, Result (1) follows. From the definition of $f_{1*2}(x)$,

$$c_{f_{1*2}}(x) = \sum_{i=0}^{m-1} c_i x^i.$$

Further,

$$c_{f_{1*2}}(x) \equiv c_{f_1}(x) \cdot c_{f_2}(x) \mod x^m + 1.$$

Then

$$\gcd(c_{f_{1*2}}(x), x^m + 1) = \gcd(c_{f_1}(x) \cdot c_{f_2}(x), x^m + 1).$$

Hence, $\gcd(c_{f_{1*2}}(x), x^m + 1) = 1$ if and only if $\gcd(c_{f_1}(x), x^m + 1) = \gcd(c_{f_2}(x), x^m + 1) = 1$. From Theorem 3.5, Result (2) follows.

Corollary 3.12: Let $m_0$ be the largest integer dividing $m$, then the Boolean function

$$f(x) = \mathrm{Tr}_1^n(x^{1+2^{ed_1}}) + \mathrm{Tr}_1^n(x^{1+2^{ed_2}}) + \mathrm{Tr}_1^n(x^{1+2^{e(d_1+d_2+m/2)}}) + \mathrm{Tr}_1^n(x^{1+2^{e(d_1-d_2+m/2)}}) + \mathrm{Tr}_1^{n/2}(x^{1+2^{n/2}})$$

is bent if and only if $\gcd(3d_1, m_0) = \gcd(d_1, m_0)$ and $\gcd(3d_2, m_0) = \gcd(d_2, m_0)$.

Proof: From Theorem 3.11 and Theorem 4 in [10], this corollary follows.

IV. THE ENUMERATION FOR BENT FUNCTIONS IN CASE $m = 2^{v_0} p^r$ AND $\gcd(e, p - 1) = 1$

In this section, we will consider the enumeration of bent functions in (17). In [10], [25], cyclotomic polynomials and their factorization are used in the enumeration. Our method can be generalized for general cases. Before the enumeration, some knowledge on monic self-reciprocal polynomials is given first.

Definition: The reciprocal polynomial $g^*(x)$ of a polynomial $g(x)$ of degree $n$ is defined by $g^*(x) = x^n g(1/x)$. A polynomial is called self-reciprocal if it coincides with its reciprocal polynomial.

Lemma 4.1: Let $A(x) = \sum_{i=0}^{n_1} a_i x^i$ be a monic self-reciprocal polynomial of degree $n_1$ and $B(x) = \sum_{i=0}^{n_2} b_i x^i$ be a polynomial of degree $n_2$. Then $A(x)B(x)$ is a monic self-reciprocal polynomial of degree $n_1 + n_2$ if and only if $B(x)$ is a monic self-reciprocal polynomial.

Proof: Let $C(x) = A(x)B(x) = \sum_{i=0}^{n_1+n_2} c_i x^i$. Suppose $B(x)$ is a monic self-reciprocal polynomial, then $c_0 = a_0 b_0 = a_{n_1} b_{n_2} = c_{n_1+n_2} = 1$. For $0 < k < n_1 + n_2$,

$$\begin{aligned} c_{n_1+n_2-k} &= \sum_{i+j=n_1+n_2-k} a_i b_j \\ &= \sum_{i+j=n_1+n_2-k} a_{n_1-i} b_{n_2-j} \\ &= \sum_{(n_1-i)+(n_2-j)=k} a_{n_1-i} b_{n_2-j} \\ &= \sum_{i+j=k} a_i b_j \\ &= c_k. \end{aligned}$$

Hence $C(x)$ is a monic self-reciprocal polynomial of degree $n_1 + n_2$.

On the other hand, suppose that $C(x)$ is a monic self-reciprocal polynomial. From $a_0 b_0 = c_0 = 1$ and $a_{n_1} b_{n_2} = c_{n_1+n_2} = 1$, $b_0 = 1$ and $b_{n_2} = 1$. If $B(x)$ is not monic self-reciprocal, there exists an integer $k$ satisfying that $0 < k < n_2$, $b_k \ne b_{n_2-k}$ and $b_{k-1} = b_{n_2-(k-1)}, \cdots, b_0 = b_{n_2}$. Then

$$\begin{aligned} 0 &= c_k - c_{n_1+n_2-k} \\ &= (a_0 b_k + a_1 b_{k-1} + \cdots + a_k b_0) - (a_{n_1} b_{n_2-k} + a_{n_1-1} b_{n_2-(k-1)} + \cdots + a_{n_1-k} b_{n_2}) \\ &= (a_0 b_k + a_1 b_{k-1} + \cdots + a_k b_0) - (a_0 b_{n_2-k} + a_1 b_{k-1} + \cdots + a_k b_0) \\ &= b_k - b_{n_2-k}. \end{aligned}$$

The result $b_k = b_{n_2-k}$ contradicts the supposition of $k$. Hence, $B(x)$ is a monic self-reciprocal polynomial. This theorem follows.

Lemma 4.2: Let $A(x), g(x) \in GF(2^e)[x]$ and $A(x)$ be monic self-reciprocal. Let $g(x)$ be irreducible and $g(x) \mid A(x)$, then $g^*(x) \mid A(x)$, where $g^*(x)$ is the reciprocal polynomial of

$g(x)$. Further, if $g(x)$ is not self-reciprocal, then $\tilde g(x) \mid A(x)$, where $\tilde g(x) = g(x) g^*(x)$.

Proof: If $g(x)$ is self-reciprocal, $g^*(x) = g(x)$, the results obviously hold.
Suppose that $g(x)$ is not self-reciprocal. From $g(x) \mid A(x)$, $g^*(x) \mid A^*(x) = A(x)$. Then $g^*(x) \mid A(x)$. Since $g(x)$ is irreducible, $\gcd(g(x), g^*(x)) = 1$ and $g(x) g^*(x) \mid A(x)$. Hence, this lemma follows.

Corollary 4.3: Let $A(x) \in GF(2^e)[x]$ be a monic self-reciprocal polynomial. Then $A(x)$ has the following factorization.

$$\begin{aligned} A(x) &= g_1(x) g_1^*(x) \cdots g_s(x) g_s^*(x) g_{s+1}(x) \cdots g_{s+t}(x) \\ &= \tilde g_1(x) \cdots \tilde g_s(x) \tilde g_{s+1}(x) \cdots \tilde g_{s+t}(x), \end{aligned} \tag{20}$$

where $g_i(x)$, $g_j^*(x)$ ($1 \le i \le s + t$, $1 \le j \le s$) are irreducible. $g_i(x)$ is not self-reciprocal for $1 \le i \le s$ and [...]

[...] $\deg(A(x))$, define $P_h(A(x))$ as a set

$$P_h(A(x)) = \{C(x) \in R_h : \gcd(C(x), A(x)) = 1\}. \tag{22}$$

Then we have the enumeration for $\#(R_k)$ and $\#(P_h(A(x)))$.

Lemma 4.4: Let notations be defined above, then

$$\#(R_k) = 2^{e\frac{k}{2}},$$

$$\#(P_h(A(x))) = 2^{e\frac{h}{2}} \prod_{i=1}^{s+t} \Big(1 - \big(\tfrac{1}{2^e}\big)^{\frac{n_i}{2}}\Big).$$

Proof: Note that the monic self-reciprocal polynomial $x^{2i} + a_{2i-1} x^{2i-1} + \cdots + a_i x^i + \cdots + a_1 x + 1$ of even degree is coprime to $x + 1$ if and only if $a_i \ne 0$. From the definition of $R_k$, the numbers of polynomials of degree $0, 2, 4, 6, \cdots, k$ in $R_k$ are $1, (2^e - 1), (2^e - 1)(2^e)^1, (2^e - 1)(2^e)^2, \cdots, (2^e - 1)(2^e)^{\frac{k}{2}-1}$ respectively. Hence,

$$\begin{aligned} \#(R_k) &= 1 + (2^e - 1) + (2^e - 1)(2^e)^1 + (2^e - 1)(2^e)^2 + \cdots + (2^e - 1)(2^e)^{\frac{k}{2}-1} \\ &= 2^{e\frac{k}{2}}. \end{aligned}$$

To enumerate $P_h(A(x))$, we introduce the auxiliary set

$$M_h(i_1, i_2, \cdots, i_k) = \Big\{C(x) \in R_h : \prod_{j=1}^{k} \tilde g_{i_j}(x) \,\Big|\, C(x)\Big\},$$

where $1 \le k \le s + t$ and $1 \le i_1 < i_2 < \cdots < i_k \le s + t$. From Lemma 4.1, for any $C(x) \in M_h(i_1, i_2, \cdots, i_k)$, $C(x)$ can be uniquely represented by $C(x) = C'(x) \prod_{j=1}^{k} \tilde g_{i_j}(x)$, where $C'(x) \in R_{h - n_{i_1} - \cdots - n_{i_k}}$. Then

$$\#(M_h(i_1, i_2, \cdots, i_k)) = \#(R_{h - n_{i_1} - \cdots - n_{i_k}}).$$

Since $A(x)$ has no duplicate factors, $\gcd(\tilde g_i(x), \tilde g_j(x)) = 1$ ($i \ne j$) and $\deg(\tilde g_i(x))$ is even. Then $\gcd(\tilde g_i(x), x + 1) = 1$. From the inclusion-exclusion principle,

$$\#(P_h(A(x))) = \#(R_h) - \sum_{1 \le i_1 \le s+t} \#(M_h(i_1)) + \sum_{1 \le i_1 < i_2 \le s+t} \#(M_h(i_1, i_2)) \ [...]$$

[...] $m = 2^{v_0} p^r$ and $\gcd(e, p - 1) = 1$, where $v_0 > 0$, $r > 0$ and $p$ is an odd prime satisfying $\mathrm{ord}_p(2) = p - 1$ or $\mathrm{ord}_p(2) = (p - 1)/2$ ($(p - 1)/2$ is odd). We first discuss the factorization of $x^{p^r} + 1$ over $GF(2^e)$, which is connected with cyclotomic polynomials [12]. The $d$-th cyclotomic polynomial $Q_d(x)$, whose roots are primitive $d$-th roots of unity, is a polynomial of order $d$ and degree $\phi(d)$, where $\phi(\cdot)$ is the Euler totient function.

Lemma 4.5: Let notations be defined above.
(1) If $\gcd(e, p - 1) = 1$, then $\mathrm{ord}_p(2^e) = \mathrm{ord}_p(2)$.
(2) $x^{p^r} + 1$ has no duplicate factors.
(3) For any $i \ge 1$, $Q_{p^i}(x)$ is a monic self-reciprocal polynomial of even degree.
(4) Let $i \ge 1$. If $\mathrm{ord}_p(2) = p - 1$, $Q_{p^i}(x)$ is irreducible over $GF(2^e)$. If $\mathrm{ord}_p(2) = \frac{p-1}{2}$ is odd, then $Q_{p^i}(x) = g_i(x) g_i^*(x)$, where $g_i(x), g_i^*(x) \in GF(2^e)$ are monic irreducible polynomials and $g_i^*(x)$ is the reciprocal polynomial of $g_i(x)$.
(5) $x^{p^r} + 1 = (x + 1) Q_p(x) \cdots Q_{p^r}(x)$ and $\frac{x^{p^r}+1}{x+1}$ is a monic self-reciprocal polynomial.
(6) If $\mathrm{ord}_p(2) = p - 1$ or $\mathrm{ord}_p(2) = (p - 1)/2$ ($(p - 1)/2$ is odd), then $\frac{x^{p^r}+1}{x+1} = Q_p(x) \cdots Q_{p^r}(x)$ is a factorization in the form of (20) or (21).

Proof: (1) This can be obtained by the fact that $GF(p)^*$ is a cyclic group of order $p - 1$.
(2) Since $\gcd(x^{p^r} + 1, (x^{p^r} + 1)') = \gcd(x^{p^r} + 1, x^{p^r - 1}) = 1$, then $x^{p^r} + 1$ has no duplicate factors.
(3) From its definition, $Q_{p^i}(x)$ is monic and of even degree $\phi(p^i) = p^{i-1}(p - 1)$. $Q_{p^i}(x)$ is self-reciprocal, which can be found in [1].
(4) This can be obtained in [6].
(5) The factorization of $x^{p^r} + 1$ can be found in [1]. $\frac{x^{p^r}+1}{x+1}$ is obviously monic. The self-reciprocal property of $\frac{x^{p^r}+1}{x+1}$ can be obtained from Lemma 4.1.
(6) From Result (5) and (4), this result can be obtained.

From Theorem 3.5, the Boolean function in (17) is bent if and only if the polynomial $c_f(x)$ in (18) is coprime to $x^m + 1$. There exists an integer $k$ satisfying that $1 \le k \le m/2$, $c_k \ne 0$ and $c_{k-1} = \cdots = c_1 = 0$. Then we have

$$\begin{aligned} c_f(x) &= c_k x^k \Big(x^{m-2k} + \frac{c_{k+1}}{c_k} x^{m-2k-1} + \cdots + \frac{c_{m/2}}{c_k} x^{m/2-k} + \cdots + \frac{c_{k+1}}{c_k} x^1 + 1\Big) \\ &= c_k x^k C(x). \end{aligned}$$

Hence $\gcd(c_f(x), x^m + 1) = 1$ if and only if $\gcd(C(x), x^m + 1) = 1$. Note that $x^m + 1 = (x^{p^r} + 1)^{2^{v_0}}$. Equivalently, $\gcd(C(x), x^{p^r} + 1) = 1$, that is, $C(x) \in P_{m-2}\big(\frac{x^{p^r}+1}{x+1}\big)$. Since $c_k \in GF(2^e)^*$, the number of bent functions of the form (17) is

$$\#(GF(2^e)^*) \, \#\Big(P_{m-2}\Big(\frac{x^{p^r} + 1}{x + 1}\Big)\Big). \tag{23}$$

Hence, we have the following theorem.

Theorem 4.6: Let $m = 2^{v_0} p^r$, where $v_0 \ge 1$, $r \ge 1$ and $p$ satisfies that $\mathrm{ord}_p(2) = p - 1$ or $\mathrm{ord}_p(2) = \frac{p-1}{2}$ ($\frac{p-1}{2}$ is odd). Let $\gcd(e, p - 1) = 1$. Define the Boolean function

$$f(x) = \sum_{i=1}^{\frac{m}{2}-1} \mathrm{Tr}_1^n(c_i x^{1+2^{ei}}) + \mathrm{Tr}_1^{n/2}(c_{m/2} x^{1+2^{n/2}}) \tag{24}$$

where $c_i \in GF(2^e)$. The number of bent functions of this form is

$$(2^e - 1) 2^{e\frac{m-2}{2}} \prod_{i=1}^{r} \Big(1 - \big(\tfrac{1}{2^e}\big)^{\frac{p^i - p^{i-1}}{2}}\Big).$$

Proof: From Result (6) in Lemma 4.5,

$$\frac{x^{p^r} + 1}{x + 1} = Q_p(x) \cdots Q_{p^r}(x)$$

is the factorization of $\frac{x^{p^r}+1}{x+1}$ in the form (21) and $n_i = \phi(p^i) = p^i - p^{i-1}$ ($1 \le i \le r$). From Lemma 4.4,

$$\#\Big(P_{m-2}\Big(\frac{x^{p^r} + 1}{x + 1}\Big)\Big) = 2^{e\frac{m-2}{2}} \prod_{i=1}^{r} \Big(1 - \big(\tfrac{1}{2^e}\big)^{\frac{p^i - p^{i-1}}{2}}\Big). \tag{25}$$

From Identity (23), the number of bent functions defined in (24) is

$$(2^e - 1) 2^{e\frac{m-2}{2}} \prod_{i=1}^{r} \Big(1 - \big(\tfrac{1}{2^e}\big)^{\frac{p^i - p^{i-1}}{2}}\Big).$$

Hence, this theorem follows.

V. CONCLUSION

In this paper, we present the relationship of quadratic Boolean functions with linearized permutation polynomials. A large class of quadratic bent functions is discussed and studied. Some quadratic bent functions are constructed. Further, new quadratic bent functions can be constructed from known quadratic bent functions. Finally, for special $n$, we present the construction and enumeration of quadratic bent functions. Our technique can be used in the study of semi-bent functions.

ACKNOWLEDGMENT

This work was supported by the Natural Science Foundation of China (Grant No. 10990011 & No. 61272499). Yanfeng Qi also acknowledges support from Aisino Corporation Inc.

REFERENCES

[1] E. R. Berlekamp, Algebraic Coding Theory, revised ed. Laguna Hills, CA: Aegean Park, 1984.
[2] S. Boztas and P. V. Kumar, "Binary sequences with Gold-like correlation but larger linear span," IEEE Trans. Inf. Theory, vol. 40, pp. 532-537, 1994.
[3] A. Canteaut and P. Charpin, "Decomposing bent functions," IEEE Trans. Inf. Theory, vol. 49, no. 8, pp. 2004-2019, Aug. 2003.
[4] C. Carlet, "A larger class of cryptographic Boolean functions via a study of the Maiorana-McFarland construction," in Advances in Cryptology - CRYPTO 2002. Berlin, Germany: Springer-Verlag, 2002, vol. 2442, Lecture Notes in Computer Science, pp. 549-564.
[5] C. Carlet, P. Charpin, and V. A. Zinoviev, "Codes, bent functions and permutations suitable for DES-like cryptosystem," Des. Codes. Cryptogr., vol. 15, pp. 125-156, 1998.
[6] P. Charpin, E. Pasalic, and C. Tavernier, "On bent and semi-bent quadratic Boolean functions," IEEE Trans. Inf. Theory, vol. 51, no. 12, pp. 4286-4298, Dec. 2005.
[7] H. Dobbertin, G. Leander, A. Canteaut, C. Carlet, P. Felke, and P. Gaborit, "Construction of bent functions via Niho power functions," J. Comb. Theory, ser. A, vol. 113, pp. 779-798, 2006.
[8] R. Gold, "Maximal recursive sequences with 3-valued recursive cross-correlation functions," IEEE Trans. Inf. Theory, vol. 14, no. 1, pp. 154-156, Jan. 1968.
[9] S. W. Golomb and G. Gong, "Signal design for good correlation-for wireless communication," in Cryptography and Radar. Cambridge, U.K.: Cambridge Univ. Press, 2005.
[10] H. Hu, D. Feng, "On quadratic bent functions in polynomial forms," IEEE Trans. Inform. Theory 53 (2007) 2610-2615.
[11] T. Helleseth and P. V. Kumar, "Sequences with low correlation," in Handbook of Coding Theory, V. S. Pless and W. C. Huffman, Eds. Amsterdam, The Netherlands: North-Holland, 1998, vol. II, pp. 1765-1853.
[12] R. Lidl and H. Niederreiter, "Finite fields," in Encyclopedia of Mathematics and its Applications. Reading, MA: Addison-Wesley, 1983, vol. 20.
[13] K. Khoo, G. Gong, and D. R. Stinson, "A new family of Gold-like sequences," in Proc. IEEE Int. Symp. Inf. Theory, Lausanne, Switzerland, Jun./Jul. 2002, p. 181.
[14] K. Khoo, G. Gong, and D. R. Stinson, "A new characterization of semi-bent and bent functions on finite fields," Des. Codes. Cryptogr., vol. 38, no. 2, pp. 279-295, Feb. 2006.
[15] S. H. Kim and J. S. No, "New families of binary sequences with low correlation," IEEE Trans. Inf. Theory, vol. 49, no. 11, pp. 3059-3065, Nov. 2003.
[16] A. Lempel and M. Cohn, "Maximal families of bent sequences," IEEE Trans. Inf. Theory, vol. 28, pp. 865-868, Nov. 1982.
[17] W. Ma, M. Lee, and F. Zhang, "A new class of bent functions," IEICE Trans. Fundamentals, vol. E88-A, no. 7, pp. 2039-2040, Jul. 2005.
[18] F. J. MacWilliams and N. J. A. Sloane, The Theory of Error-Correcting Codes. Amsterdam, The Netherlands: North-Holland, 1977.
[19] O. Ore, "Theory of non-commutative polynomials," Ann. of Math. 34 (1933) 480-508.
[20] O. Ore, "On a special class of polynomials," Trans. Amer. Math. Soc. 35 (1933) 559-584.

[21] J. D. Olsen, R. A. Scholtz, and L. R. Welch, "Bent-function sequences," IEEE Trans. Inf. Theory, vol. 28, no. 6, pp. 858-864, Nov. 1982.
[22] O. S. Rothaus, "On bent functions," J. Combin. Theory A, vol. 20, pp. 300-305, 1976.
[23] P. Udaya, "Polyphase and frequency hopping sequences obtained from finite rings," Ph.D. dissertation, Indian Inst. Technol., Dep. Elect. Eng., Kanpur, India, 1992.
[24] B. Wu, Z. Liu, "Linearized polynomials over finite fields revisited," Finite Fields Appl. 22 (2013) 79-100.
[25] N. Y. Yu and G. Gong, "Constructions of quadratic bent functions in polynomial forms," IEEE Trans. Inf. Theory, vol. 52, no. 7, pp. 3291-3299, Jul. 2006.
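
The gcd criterion of Theorem 3.5 and the counts of Theorems 3.6 and 4.6 can be checked by brute force for small parameters. The Python code below is an added example, not code from the paper: it enumerates every function of form (17) for a given (e, m), decides bentness from the Walsh spectrum, and compares the result with gcd(c_f(x), x^m + 1) = 1. The irreducible moduli and all function names are choices made for this example.

```python
from itertools import product

# Irreducible polynomials over GF(2) defining GF(2^n); these moduli are
# choices made for this example, not taken from the paper.
IRRED = {4: 0b10011, 6: 0b1000011, 8: 0b100011011}

class GF2n:
    """GF(2^n) in a polynomial basis: elements are ints, addition is XOR."""
    def __init__(self, n):
        self.n, self.mod, self.size = n, IRRED[n], 1 << n

    def mul(self, a, b):
        r = 0
        while b:
            if b & 1:
                r ^= a
            b >>= 1
            a <<= 1
            if a >> self.n:
                a ^= self.mod
        return r

    def pow(self, a, k):
        r = 1
        while k:
            if k & 1:
                r = self.mul(r, a)
            a = self.mul(a, a)
            k >>= 1
        return r

    def trace(self, a, k):
        """Tr_1^k(a) for a in the subfield GF(2^k); the result is 0 or 1."""
        t = 0
        for _ in range(k):
            t ^= a
            a = self.mul(a, a)
        return t

def f_value(F, e, m, c, x):
    """Evaluate form (17) at x; c[1..m/2] are the coefficients in GF(2^e)."""
    n = e * m
    v = 0
    for i in range(1, m // 2):
        v ^= F.trace(F.mul(c[i], F.pow(x, 1 + (1 << (e * i)))), n)
    return v ^ F.trace(F.mul(c[m // 2], F.pow(x, 1 + (1 << (n // 2)))), n // 2)

def walsh(tt):
    # Spectrum of (-1)^f over bit-vector dot products. Every GF(2)-linear
    # functional is x -> Tr(lambda*x) for one lambda, so only the order differs.
    w = [1 - 2 * b for b in tt]
    h = 1
    while h < len(w):
        for s in range(0, len(w), 2 * h):
            for j in range(s, s + h):
                w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
        h *= 2
    return w

def strip(p):  # drop zero leading coefficients (lists are low degree first)
    p = list(p)
    while p and p[-1] == 0:
        p.pop()
    return p

def poly_mod(F, a, b):  # remainder of a modulo b, coefficients in F
    a = strip(a)
    inv_lead = F.pow(b[-1], F.size - 2)
    while len(a) >= len(b):
        q = F.mul(a[-1], inv_lead)
        shift = len(a) - len(b)
        for j, bj in enumerate(b):
            a[shift + j] ^= F.mul(q, bj)
        a = strip(a)
    return a

def coprime(F, a, b):  # True when gcd(a, b) is a nonzero constant
    a, b = strip(a), strip(b)
    while b:
        a, b = b, poly_mod(F, a, b)
    return len(a) == 1

def check(e, m):
    """Return (bent functions of form (17), disagreements with Theorem 3.5)."""
    F = GF2n(e * m)
    sub = [a for a in range(F.size) if F.pow(a, 1 << e) == a]  # GF(2^e)
    xm1 = [1] + [0] * (m - 1) + [1]                            # x^m + 1
    bent_count = mismatches = 0
    for cs in product(sub, repeat=m // 2):                     # (c_1..c_{m/2})
        tt = [f_value(F, e, m, (0,) + cs, x) for x in range(F.size)]
        is_bent = all(abs(w) == 1 << (F.n // 2) for w in walsh(tt))
        cf = [0] + list(cs) + list(cs[-2::-1])                 # c_f(x) of (18)
        bent_count += is_bent
        mismatches += is_bent != coprime(F, cf, xm1)
    return bent_count, mismatches

if __name__ == "__main__":
    print({em: check(*em) for em in [(1, 4), (1, 6), (2, 4)]})
```

For (e, m) = (1, 4) and (2, 4) the bent counts match $(2^e - 1) 2^{e\frac{m-2}{2}}$ from Theorem 3.6, and for (1, 6), where $p = 3$ and $r = v_0 = 1$, the count matches the product formula of Theorem 4.6.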