
SCIENCE CHINA Information Sciences

• HIGHLIGHT • March 2018, Vol. 61 038101:1–038101:3, doi: 10.1007/s11432-017-9123-2

Construction of rotation symmetric bent functions with maximum algebraic degree

Wenying ZHANG¹* & Guoyong HAN¹,²

¹ School of Information Science and Engineering, Shandong Normal University, Jinan 250014, China; ² School of Management Engineering, Shandong Jianzhu University, Jinan 250101, China

Received 22 May 2017/Accepted 2 June 2017/Published online 16 August 2017

Citation Zhang W Y, Han G Y. Construction of rotation symmetric bent functions with maximum algebraic degree. Sci China Inf Sci, 2018, 61(3): 038101, doi: 10.1007/s11432-017-9123-2

Boolean functions that are invariant under the action of cyclic rotation on the inputs are called rotation symmetric functions [1]. Aside from their simple algebraic descriptions, rotation symmetric functions have implementation advantages in either hardware or software employing the bit-slicing technique, since they produce a shallow circuit with high parallelism, and hence high clock frequencies, without expending too many resources [2]. They have been widely applied in the design of symmetric ciphers. For example, both the S-box of AES and the round functions of hash functions MD4, MD5 and HAVAL are rotation symmetric functions. Moreover the round function in is the modification of a rotation symmetric bent function. The quadratic $f_o(x) = x_1x_{m+1} + x_2x_{m+2} + \cdots + x_mx_{2m}$ is the first class of rotation symmetric bent functions [3].

In the public literature, the main method of constructing new rotation symmetric bent functions is to modify $f_o(x)$ [4–6]. Up to now, only a few constructions of rotation symmetric bent functions are known. In [7], Gao et al. proved that the cubic rotation symmetric function $f_t(x_0,\ldots,x_{2m-1}) = \sum_{i=1}^{2m-1}(x_ix_{t+i}x_{m+i} + x_ix_{t+i}) + \sum_{i=0}^{m-1} x_ix_{m+i}$ is bent if and only if m/… is odd, where $1 \le t \le m-1$ and the subscript of $x$ is modulo $2m$. This is the first theoretical construction of rotation symmetric bent functions with algebraic degree larger than 2. Later on, $2m$-variable rotation symmetric bent functions with algebraic degree 4, where $2m$ is not divisible by 4, were constructed from two known semi-bent rotation symmetric functions in $m$ variables with complementary Walsh supports [8].

Our result. We present a new construction of $2m = 6k, 8k, 14k$-variable rotation symmetric bent functions by modifying $f_o(x)$. We restrict the flipped vectors to be related with some affine subspaces of $GF(2)^m$, hence the constructed functions are from the Maiorana-McFarland bent Boolean functions. More significantly, the proposed $2m$-variable rotation symmetric bent functions can reach the maximum algebraic degree $m$, and our construction method can be generalized to construct many other rotation symmetric bent functions.

Throughout this article, for $n = 2m$ we study the $n$-variable rotation symmetric bent functions. An $n$-variable Boolean function $f(x_1,\ldots,x_n)$ is a mapping from $GF(2)^n$ to $GF(2)$, which can be represented in a unique way as an $n$-variable polynomial whose degree relative to each variable is at most 1, called its algebraic normal form (ANF):

$$a_0 + \sum_{i=1}^{n} a_ix_i + \sum_{1 \le i < j \le n} a_{ij}x_ix_j + \cdots + a_{1\cdots n}x_1\cdots x_n.$$

© Science China Press and Springer-Verlag Berlin Heidelberg 2017

Let $B_n$ denote the set of $n$-variable Boolean functions. The support of $f \in B_n$ is defined as $\mathrm{supp}(f) = \{(x_1,\ldots,x_n) : f(x_1,\ldots,x_n) = 1\}$. For a vector $x = (x_1,\ldots,x_n) \in GF(2)^n$ and an integer $l > 0$, we define the left $l$-cyclic shift operator $\rho_n^l$ as $l$-cyclic rotation on $x$:

$$\rho_n^l(x) = (\rho^l(x_1), \rho^l(x_2), \ldots, \rho^l(x_n)),$$

where $\rho^l(x_i) = x_{i+l}$ if $i + l \le n$ and $\rho^l(x_i) = x_{i+l-n}$ if $i + l > n$. The orbit generated by $x = (x_1, x_2, \ldots, x_n) \in GF(2)^n$ is defined as $C_n(x) = \{x, \rho(x), \ldots, \rho^{n-1}(x)\}$. In other words, each orbit consists of all cyclic shifts of one vector in $GF(2)^n$.

Definition 1 ([9]). For $f \in B_n$, if $f(\rho_n^l(x)) = f(x)$ holds for all $x = (x_1,\ldots,x_n) \in GF(2)^n$ and $1 \le l$

$$W_f(w) = \sum_{x \in GF(2)^n} (-1)^{f(x) + w \cdot x},$$

where $w = (w_1,\ldots,w_n)$ and $w \cdot x = w_1x_1 + \cdots + w_nx_n$. Let $n = 2m$ be even; $f(x) \in B_n$ is called bent if its Walsh spectrum satisfies $|W_f(w)| = 2^m$ for all $w \in GF(2)^{2m}$.

Let $s, t, u, v, w, x, y, z, \delta, \Delta$ be the binary vectors, and $A, B, \Omega, \Gamma, \Lambda, \Upsilon, \Phi$ be the sets of binary vectors.

Theorem 1. Let $t = (t_1, t_2, \ldots, t_{4k})$, $\delta = (0011\cdots0011) \in GF(2)^{4k}$. Denote the solutions of $t_1 + t_2 + \cdots + t_{4k} = 0$ by $A$, let $B = GF(2)^{4k} \setminus A$, $S_1 = \{(t, t+\delta) \mid t \in A\}$, $S_2 = \{(t, t + 0110\cdots0110) \mid t \in A\}$, $S_3 = \{(t, t + 1100\cdots1100) \mid t \in A\}$, $S_4 = \{(t, t + 1001\cdots1001) \mid t \in B\}$. Let $\Omega = S_1 \cup S_2 \cup S_3 \cup S_4$. Then

$$f(x,y) = \begin{cases} f_o(x,y) + 1, & (x,y) \in \Omega; \\ f_o(x,y), & (x,y) \in GF(2)^{8k} \setminus \Omega \end{cases}$$

is a rotation symmetric bent function.

Theorem 2. Let $A, B, \delta$ be defined as in Theorem 1. Let $T_1 = \{(x, x+\delta) \mid x \in B\}$, $T_2 = \{(x, x + 0110\cdots0110) \mid x \in B\}$, $T_3 = \{(x, x + 1100\cdots1100) \mid x \in B\}$, $T_4 = \{(x, x + 1001\cdots1001) \mid x \in A\}$. Let $\Upsilon = T_1 \cup T_2 \cup T_3 \cup T_4$. Define

$$f(x,y) = \begin{cases} f_o(x,y) + 1, & (x,y) \in \Upsilon; \\ f_o(x,y), & (x,y) \in GF(2)^{8k} \setminus \Upsilon. \end{cases}$$

$C(Z) = \bigcup_{z \in Z} C_{6k}(z)$, $C(U) = \bigcup_{u \in U} C_{6k}(u)$, $\Gamma = C(Z) \cup C(U)$. Then

$$f(x,y) = \begin{cases} f_o(x,y) + 1, & (x,y) \in \Gamma; \\ f_o(x,y), & \text{otherwise} \end{cases}$$

is a rotation symmetric bent function.

Theorem 4. Let $n = 14k$, $\delta = 0000111\cdots0000111$, $\Delta = 0001111\cdots0001111 \in GF(2)^{7k}$ be vectors with period 7, $s = (s_1, s_2, \ldots, s_{7k})$, $s_1 + s_8 + \cdots + s_{7k-6} = 0$, $t = (t_1, t_2, \ldots, t_{7k}) \in GF(2)^{7k}$, $t_1 + t_2 + \cdots + t_{7k} = 0$. Construct $Z = \{z \mid z = (s, s+\delta) \in GF(2)^{14k}\}$, $U = \{u \mid u = (t, t+\Delta) \in GF(2)^{14k}\}$, and get all vectors of their

left rotation. Let $C(Z) = \bigcup_{z \in Z} C_{14k}(z)$, $C(U) = \bigcup_{u \in U} C_{14k}(u)$, $\Phi = C(Z) \cup C(U)$. Define

$$f(x,y) = \begin{cases} f_o(x,y) + 1, & (x,y) \in \Phi; \\ f_o(x,y), & (x,y) \in GF(2)^{14k} \setminus \Phi. \end{cases}$$

Then $f(x,y)$ is a rotation symmetric bent function.

The proofs of the preceding theorems are skipped to make this article more compact.

In Theorems 1–4 we constructed several rotation symmetric bent functions by flipping some vectors in $\mathrm{supp}(f_o)$. In the design of cryptographic transformations such as block ciphers, hash functions and stream ciphers, the algebraic degrees play important roles. A Boolean function may provide low security against high order differential attacks if it has low algebraic degree. So the algebraic degree of a Boolean function in a cipher system should be as high as possible. Since the algebraic degree of any bent function on $GF(2)^{2m}$ is upper bounded by $m$, the bent function with algebraic degree of $m$ is an excellent option. Now we consider the algebraic degrees of functions constructed in the foregoing theorems. We will show that the ANF has the term $x_{m+1}\cdots x_{2m}$, so the algebraic degree is $m$, which is the maximum for a bent function.

Lemma 1. If the truth table of $b(x) \in B_n$ includes an odd number of vectors from which $i_1, i_2, \ldots, i_s$ positions are zeros, then the ANF of $b(x)$ has $\prod_{i=1}^{n} x_i / (x_{i_1}x_{i_2}\cdots x_{i_s})$ as one of its monomial terms.

Theorem 5. Let $f(x)$ be a $2m$-variable Boolean function defined as in Theorems 1–4, then $x_{m+1}\cdots x_{2m}$ must be present in the ANF of $f(x)$, that is, the algebraic degree of $f(x)$ is $m$.

It should be pointed out that a close scrutiny shows that the construction does not apply to the condition when $n = 2m$, $m \pmod{4} = 1$.

In this article, concrete constructions for a large number of rotation symmetric bent functions with maximum algebraic degree are given. We can see that for even number $n$, $n = 6k, 7k, 8k$, the rotation symmetric bent functions can be given. This is a large proportion of even natural numbers. Therefore, in terms of practical applications, our constructions provide a sufficient source of such functions. Our method is based on the fact that we can flip the vectors for which the difference of the first halves and the second halves is periodical, such as $\delta = 0011\cdots0011, 011\cdots011$ in $f_o(x)$. And the first halves of the flipped vectors form an affine subspace of $GF(2)^{n/2}$. The number of such functions can be enumerated by counting the number of $\delta$; we skip it to make this article more compact. It must be pointed out that the functions in [4] are constructed only by using the subspace of $GF(2)^{n/2}$, whereas in this article we use affine subspace of $GF(2)^{n/2}$. It is well known that the amount of affine subspace is much larger than that of subspace, so we can construct more bent functions than that in [4].

From the designer's perspective, this approach is very intuitive and practical. The method is flexible, simple to use, and easy to extend to the construction of rotation symmetric bent functions with a larger number of variables. For example, when $n = 42$, we can use either Theorem 3 for multiple of 6 or Theorem 4 for multiple of 7 to construct rotation symmetric bent functions.

Acknowledgements This work was supported by National Natural Science Foundation of China (Grant Nos. 61272434, 61672330, 61602887).

References

1 Kavut S, Maitra S, Yücel M D. Search for Boolean functions with excellent profiles in the rotation symmetric class. IEEE Trans Inf Theory, 2007, 53: 1743–1751
2 Rijmen V, Barreto P S L M, Filho D L G. Rotation symmetry in algebraically generated cryptographic substitution tables. Inf Process Lett, 2008, 106: 246–250
3 Rothaus O S. On bent functions. J Comb Theory, 1976, 20: 300–305
4 Su S H, Tang X H. On the systematic constructions of rotation symmetric bent functions with any possible algebraic degrees. Cryptology ePrint Archive, Report 2015/451, 2015. https://eprint.iacr.org/2015/451
5 Su S H, Tang X H. Systematic constructions of rotation symmetric bent functions, 2-rotation symmetric bent functions, and bent idempotent functions. IEEE Trans Inf Theory, 2017, 63: 4658–4667
6 Carlet C, Gao G P, Liu W F. Results on constructions of rotation symmetric bent and semi-bent functions. In: Sequences and Their Applications-SETA 2014. Berlin: Springer, 2014. 21–33
7 Gao G P, Zhang X Y, Liu W F, et al. Constructions of quadratic and cubic rotation symmetric bent functions. IEEE Trans Inf Theory, 2012, 58: 4908–4913
8 Carlet C, Gao G P, Liu W F. A secondary construction and a transformation on rotation symmetric functions, and their action on bent and semi-bent functions. J Comb Theory, 2014, 127: 161–175
9 Cusick T W, Stănică P. Cryptographic Boolean Functions and Applications. Oxford: Elsevier, 2017. 124–125
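
Theorems 1 and 5 can be checked exhaustively for small k. The following is an added example, not code from the paper: it builds the truth table of the Theorem 1 function on GF(2)^{8k}, then tests bentness with a fast Walsh transform, rotation symmetry, and the algebraic degree with a Möbius transform. The function names and the bit ordering (x_1 as the most significant bit of an integer) are choices made for this example.

```python
# Added example, not the authors' code. Assumed convention: (x_1..x_n) is an n-bit int, x_1 = MSB.
def parity(v):
    return bin(v).count("1") & 1

def theorem1_truth_table(k):
    """Truth table of f = f_o + 1_Omega on GF(2)^(8k), Omega as in Theorem 1."""
    m = 4 * k
    # (period-4 difference pattern, parity of t): S1, S2, S3 take t in A, S4 takes t in B
    rules = [("0011", 0), ("0110", 0), ("1100", 0), ("1001", 1)]
    omega = set()
    for pattern, par in rules:
        d = int(pattern * k, 2)
        for t in range(1 << m):
            if parity(t) == par:
                omega.add((t << m) | (t ^ d))       # the vector (t, t + d)
    tt = []
    for v in range(1 << (2 * m)):
        x, y = v >> m, v & ((1 << m) - 1)
        tt.append(parity(x & y) ^ int(v in omega))  # f_o(x, y) = x . y, flipped on Omega
    return tt

def walsh_spectrum(tt):
    w = [1 - 2 * b for b in tt]  # signs (-1)^f, then fast Walsh-Hadamard butterflies
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
        h *= 2
    return w

def algebraic_degree(tt):
    """Degree of the ANF, obtained with the binary Moebius transform."""
    a = list(tt)
    h = 1
    while h < len(a):
        for i in range(0, len(a), 2 * h):
            for j in range(i, i + h):
                a[j + h] ^= a[j]
        h *= 2
    return max((bin(u).count("1") for u, c in enumerate(a) if c), default=0)

def is_rotation_symmetric(tt, n):
    """Invariance under one cyclic left shift implies invariance under all shifts."""
    return all(tt[v] == tt[((v << 1) | (v >> (n - 1))) & ((1 << n) - 1)]
               for v in range(1 << n))

def check_theorem1(k):
    tt, n, m = theorem1_truth_table(k), 8 * k, 4 * k
    bent = all(abs(c) == 1 << m for c in walsh_spectrum(tt))
    return bent, is_rotation_symmetric(tt, n), algebraic_degree(tt)
```

`check_theorem1(k)` returns the triple (bent, rotation symmetric, algebraic degree); for k = 1 and k = 2 the degree equals m = 4 and m = 8, the maximum stated in Theorem 5.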