University of Wollongong Research Online


Boolean functions in cryptography

Cheng-Xin Qu, University of Wollongong, 2000

Recommended Citation Qu, Cheng-Xin, Boolean functions in cryptography, Doctor of Philosophy thesis, Department of Science, University of Wollongong, 2000. http://ro.uow.edu.au/theses/1292


Boolean Functions in Cryptography

A thesis submitted in fulfillment of the requirements for the award of the degree

Doctor of Philosophy

from

UNIVERSITY OF WOLLONGONG

by

Cheng-Xin QU

Computer Science Department

November 2000

© 2000 by

Cheng-Xin QU

All Rights Reserved

Dedicated to my mother, wife and son.

Declaration

This is to certify that the work reported in this thesis was done by the author, unless specified otherwise, and that no part of it has been submitted in a thesis to any other university or similar institution.

Cheng-Xin QU November 29, 2000

Abstract

This thesis is about Boolean functions and their cryptographic properties. Two kinds of Boolean functions are discussed: balanced functions and bent functions. In addition to surveying recent research into Boolean functions, a new representation of bent functions, the degree-3 homogeneous bent functions, is discovered. The complete set of degree-3 homogeneous bent functions on the lowest dimension Boolean space $V_6$ is given. By using bent functions, some ways to construct highly nonlinear balanced Boolean functions are shown in this thesis, which yield a new property of bent functions. The structure of degree-3 highly nonlinear homogeneous balanced functions is also discussed. These results are based on computer searching.

The theory of symmetric groups is applied in the research. In this study symmetric groups are applied to Boolean functions. Any Boolean function on $V_n$ has its own symmetric properties associated with the symmetric group $S_n$. The relations between Boolean functions and symmetric groups are highlighted. This may lead to a new way to design good S-boxes by using an additive group of Boolean functions which is a subset of the function group generated by the symmetric group. Because good symmetric properties have the potential to be faster for implementation, the applications of homogeneous Boolean functions taken as rotation functions are discussed. Bent-like balanced functions are very good candidates of Boolean functions for good S-box design.

In a degree-3 homogeneous bent or balanced Boolean function, each term is considered as a three variety block. It is then found that the homogeneous Boolean function is tightly related to the block designs BIBD and PBIBD. So in this thesis, the method of combinatorial block designs is also used to discuss Boolean functions. The connection of symmetric group theory with Boolean functions is established.

Publications

During the study, the author, in cooperation with supervisors and colleagues, has published and submitted some papers. The list below shows how much work the author did in each of these papers.

1. J. Pieprzyk and C. Qu, Rotation-symmetric functions and fast hashing, Information Security and Privacy - ACISP'98, Lecture Notes in Computer Science, Springer-Verlag, Berlin Heidelberg New York Tokyo, 1438:169-180, 1998. — This paper shows the symmetric properties of Boolean functions in fast implementations. The author did about 50 percent of the work.

2. C. Qu, J. Seberry and J. Pieprzyk, On the symmetric properties of homogeneous Boolean functions, Information Security and Privacy - ACISP'99, Lecture Notes in Computer Science, Springer-Verlag, Berlin Heidelberg New York Tokyo, 1587:26-35, 1999. — In this paper, the symmetric properties of homogeneous Boolean functions are studied. The author did about 80 percent of the work.

3. J. Pieprzyk and C. Qu, Fast hashing and rotation-symmetric functions, Journal of Universal Computer Science, 5.1:20-31, 1999. — In this paper further study was undertaken on the symmetric properties of Boolean functions in fast implementations. The author did about 50 percent of the work.

4. C. Qu, J. Seberry and J. Pieprzyk, Homogeneous bent functions, Discrete Applied Mathematics, 102:133-139, 2000. — In this paper the bent functions that do not contain any quadratic terms were discovered. Block designs were involved to analyze homogeneous bent functions. The author did 80 percent of the work. (Note: The paper was finished in 1998 and was accepted in 1999.)

5. C. Qu, J. Seberry and J. Pieprzyk, Construction of highly nonlinear balanced Boolean functions, (Submitted to ASIACRYPT'2000). — This paper gave a new property of bent sequences and showed a few ways to construct highly nonlinear balanced Boolean functions. The author did 80 percent of the work.

6. C. Qu, J. Seberry and J. Pieprzyk, Relationships between Boolean functions and symmetric groups, (Accepted by ICS'2000), Taiwan, 2000. — In this paper symmetric group theory was applied for studying homogeneous Boolean functions and some relations between Boolean functions and symmetric groups were established. The author did about 80 percent of the work.

7. J. Seberry, T. Xia, C. Qu and J. Pieprzyk, Construction of highly non-linearity cubic homogeneous Boolean functions on $GF(2)^{2n+1}$ and their properties, (Submitted to Designs, Codes, and Cryptography), 1999. — In this paper, the author did about 25 percent of the work.

Symbols

Galois field with parameter 2

An n entry Boolean space

A vector in $V_n$

Nonlinearity of the Boolean function $f(x)$ on $V_n$

An affine Boolean function on $V_n$

A sequence of a linear Boolean function

Hamming weight, the number of 1s in the sequence $\xi$

Hamming weight, the number of solutions of $f(x) = 1$ over $V_n$

A variable vector in the Boolean space $V_n$

A Boolean function on $V_n$

A Boolean function on the subspace $V_s$ ($\subset V_n$)

The Walsh-Hadamard transform of a Boolean function $f(x)$ on

The $2^n \times 2^n$ Sylvester-Hadamard matrix

Sequences (binary or ±1) with length $2^n$ on $V_n$

Boolean addition, $1 \oplus 1 = 0$, $1 \oplus 0 = 1$, $0 \oplus 0 = 0$

S-box, a mapping $S(x) : V_n \to V_m$

The dual space of a subspace $V_m \subset V_n$

Subset of $V_n$

The dual set of the subset E

The number of all vectors in the space $V_n$

Set

The k-th order propagation criteria

Balanced incomplete block design

Partial balanced incomplete block design

Acknowledgements

I wish to acknowledge the help of my supervisor Professor Jennifer Seberry whose knowledge, patience and enthusiasm have been a driving force behind this work. She devoted many hours to my studies not only on academic research but also with English help. I would like to thank Associate Professor Josef Pieprzyk, Co-supervisor, who gave me many ideas and suggestions which greatly benefited my studies.

I have also appreciated our talks with Dr M. Zhang, Dr C. Charnes and Mr T. Xia which gave me many hints that enriched the thesis. Here I express my deep appreciation to them. I wish to thank all the staff and students in the Center for Research and School of IT & CS, University of Wollongong for the help, both academic and technical.

Contents

Abstract

Publications

Acknowledgements

1 Introduction
  1.1 Contributions to this thesis
  1.2 Contents of the thesis
  1.3 Further research problems

2 Boolean spaces and Boolean functions
  2.1 Review of Boolean functions in cryptography
  2.2 Boolean space and Boolean functions
  2.3 Cryptographic desirable characteristics of Boolean functions
  2.4 Hadamard matrix and Walsh-Hadamard transformation
  2.5 Construction of affine sequences

3 Bent Boolean functions and their constructions
  3.1 Bent functions and their basic properties
  3.2 Constructions for bent functions
  3.3 Constructing bent sequences
  3.4 Notes on the propagation criterion of degree $l$ and order $k$
  3.5 Partially-bent functions
  3.6 Plateaued Boolean functions

4 The excess of Boolean functions and Hadamard transform

5 On the symmetric properties of Boolean functions
  5.1 Symmetric group and Boolean functions
  5.2 Homogeneous Boolean functions
  5.3 Degree-3 homogeneous Bent Functions
  5.4 Degree-3 homogeneous Balanced Functions
  5.5 Degree-3 homogeneous Boolean functions

6 Balanced Boolean functions
  6.1 Balanced Boolean functions with high nonlinearity and good propagation criteria
  6.2 Concatenating functions
  6.3 Constructions for highly nonlinear balanced Boolean functions by bent functions
  6.4 Constructions for highly nonlinear balanced Boolean functions by highly nonlinear non-balanced Boolean functions

7 Block designs and degree-3 homogeneous functions
  7.1 Introduction of BIBD and PBIBD
  7.2 Designs for highly nonlinear homogeneous Boolean functions

8 The applications of degree-3 homogeneous Boolean functions
  8.1 Motivation
  8.2 Definition of Rotation-Symmetric Boolean Functions
  8.3 Properties of Rotation-Symmetric Functions
  8.4 Balanced Rotation-Symmetric Boolean Functions
  8.5 Evaluation of Functions
  8.6 Extensions and Further Research

A Homogeneous bent functions on $V_6$

B Homogeneous balanced functions

C Homogeneous functions with the highest nonlinearity

Bibliography

Chapter 1

Introduction

This chapter contains three parts. In the first part, the author's contributions to this thesis are declared. In the second part, the contents in the following chapters are summarized. In the last part, some open problems related to the thesis are listed.

1.1 Contributions to this thesis

In chapters 2 and 3, Boolean functions and bent functions are characterized from the viewpoint of cryptography. We have restated and reproved, giving examples, previously known lemmas and theorems. The author's main research contributions are as follows:

• Chapter 4, which is all the author's own work, establishes the direct relationship between the excess of the matrices of a Boolean function and nonlinearity. Higher excess means that the function may have higher nonlinearity, and lower nonlinearity means the function has lower excess.

• In chapter 5, the author studies the relations of symmetric groups and homogeneous Boolean functions, in which he found homogeneous bent functions [77] and highly nonlinear homogeneous balanced functions [75]. Degree-2 and degree-3 homogeneous Boolean functions are studied and some relations are set up which show how they affect cryptographically desirable properties. The author explored some structured homogeneous Boolean functions, which are called bent-like-MM functions in part 5.5, and which have some of the same properties as bent functions. The author uses those functions to construct highly nonlinear balanced Boolean functions. In this chapter, about 80 percent is his own work.

• In chapter 6, a few constructions for highly nonlinear balanced functions [76, 75] are explored, in which a new property of bent functions was discovered. About 80 percent of this chapter is the author's own work.

• Degree-3 homogeneous functions are tightly related to the parameters of PBIBD and covering packing design. The author searched specially for some 3-designs that corresponded to Boolean functions with perfect cryptography properties. This part forms chapter 7. About 80 percent of this chapter is the author's own work.

• The relationships between symmetric groups and Boolean functions and the symmetric property of Boolean functions applied to fast hashing [71, 72] are shown in chapter 8. About 50 percent of this chapter is my own work.

1.2 Contents of the thesis

As computer networks develop, using public channels to transmit secure information from one client to another becomes more and more important. Secure text depends on the encrypting algorithms. The purpose of the study of Boolean functions and their cryptographic properties is to provide resources for the protocol of security algorithms.

This thesis is about Boolean functions. We study the cryptographic properties and combinatorial structure of Boolean functions because they have been widely used in cryptography. In particular, balanced Boolean functions, bent functions and highly nonlinear Boolean functions are studied. The thesis is divided into eight chapters and this is the first chapter. We have endeavoured to make the thesis easy to read with a systematic approach.

In chapter 2, we generally review the development of the study of Boolean functions in cryptography and introduce the background of Boolean spaces and Boolean functions. Then the general definitions of the properties of Boolean functions on finite Boolean space that are related to cryptography are given. These are called cryptographic properties, such as balance, nonlinearity, correlation immunity, propagation criteria, etc. Since Hadamard matrices and Walsh-Hadamard transformations play very important roles, they are briefly introduced and some relations to Boolean functions are given in this chapter. The constructions of affine Boolean functions by polynomials and by binary sequences are also given. Most of the chapter can be found in the literature although the descriptions may vary.

In chapter 3 we discuss special Boolean functions: bent functions. In this chapter some structures and properties of bent functions, partially bent functions and plateaued functions are introduced. Since bent functions are maximum nonlinear Boolean functions and each bent function relates to a Hadamard matrix, bent functions play a very important role in and construction of cryptographic Boolean functions. At the end of this part some of this area is observed.

Since each Boolean function is related to a binary matrix in the field GF(2), the excesses of Boolean functions reveal the properties of Boolean functions and their Hadamard transform from another perspective. In chapter 4, the excesses of Boolean functions and Hadamard transforms of Boolean functions are explored. Some relations are developed.

Chapter 5 shows the relations between Boolean functions and symmetric groups. Homogeneous Boolean functions are studied in this chapter. Before the papers [44, 71, 72, 75, 76, 77] were published, there were few papers considering homogeneous Boolean functions. We first found the bent functions with the form that does not explicitly contain any degree 1 and 2 terms on the Boolean space $V_{6n}$ (degree-3 homogeneous form) (see paper [77]). Balanced degree-3 homogeneous Boolean functions are also studied in this chapter. The complete sets of degree-3 homogeneous Boolean functions of both bent and balanced forms on $V_6$ (see appendices A, B), and their group symmetric properties are given in this chapter. The degree-3 homogeneous Boolean functions can also reach the upper bound of nonlinearity on their definition space. Appendix C lists some examples of degree-3 homogeneous Boolean functions on V- in which all functions have maximum nonlinearity.

For the application of Boolean functions in cryptography, highly nonlinear balanced functions are desirable for encoding/decoding systems. In chapter 6, the structures of balanced Boolean functions are discussed and some new methods to construct highly nonlinear balanced functions are given [76, 75]. The propagation criteria and correlation immunity of highly balanced Boolean functions are also discussed. By discussing the behaviour of bent functions on the subspaces of the space that bent functions are defined on, a new property of bent functions is discovered. This is that either of the restrictions, $x_i = 0$ or $x_i = 1$, of a bent function on the subspace $V_{n-1}$ is balanced and both the restrictions of the bent function on $V_{n-1}$ have the same nonlinearity $2^{n-2} - 2^{\frac{n}{2}-1}$, where $x_i$ is a variable over $V_n$. These balanced functions on odd size Boolean spaces are easy to construct and have very good cryptographic properties.

Block designs and covering designs are a combinatorial method to treat finite varieties [26, 104]. This thesis considers each variable in a finite Boolean space as a variety, each monomial on the space as a block and the number of appearances of each variable in a Boolean function (polynomial form) as the repetition of the variety. A homogeneous Boolean function is then treated as a block design BIBD or PBIBD that also corresponds to a covering design. In chapter 7, the theory of block designs and covering designs is introduced into the study of homogeneous Boolean functions. Some relations of Boolean functions and the results of some designs are given. From appendices A, B, C, each function can be considered as a block design. According to this view, the class of degree-3 homogeneous bent functions, described by lemma 34 in chapter 5, are exactly PBIBD designs [25, 42].

In the last part, chapter 8 introduces one of the applications of Boolean functions for cryptography by this study of the rotation functions for the fast hash implementation [71, 72].

1.3 Further research problems

• Boolean functions in the same group have the same cryptographic properties. If some functions that form an additive group can be chosen, then the additive group is a perfect S-box design. Further study of the possible existence of a higher order subset of a function group to form the additive group is required.

• To construct highly nonlinear balanced Boolean functions, bent functions are used. In part 5.5 of this thesis, a bent-like-MM function similar to a bent function which gives good experimental results is given. Bent functions have the highest nonlinearity and perfect propagation criterion; however, further study of bent-like-MM Boolean functions is needed.

• Block designs and covering/packing theorems have been studied for many years. Methods to apply them to construct cryptographically desirable Boolean functions are also a topic for further study.

• Rotation Boolean functions can give faster implementations in each iteration of a hashing algorithm. It is claimed that the secure application of rotation Boolean functions is important for fast hashing. This is an open research topic.

Chapter 2

Boolean spaces and Boolean functions

This chapter introduces the background for Boolean spaces and Boolean functions, which includes most of the terminology that is used. For the purpose of cryptographic applications of Boolean functions, the properties of balance, nonlinearity, propagation criteria, , symmetric and the algebraic degree are always considered important. The dimension of the Boolean space $V_n$ under consideration is always finite. The study of Boolean functions in cryptography is briefly reviewed first.

2.1 Review of Boolean functions in cryptography

The study of Boolean functions has been a branch of cryptography for many decades. In 1949 Shannon [97] established the foundations of modern cryptography by formulating the notion of product ciphers, which use two basic cryptographic transformations: permutations and substitutions. Both extensively use Boolean functions with desirable cryptographic properties. Since then Boolean functions have been widely used in cryptography and their use in S-box theory has become an important part of cryptology. To get secure algorithms, it is enough to design two elementary blocks: a permutation block (P-box) and a substitution block (S-box). P-boxes provide diffusion while S-boxes furnish confusion, as introduced by Shannon [97]. Encryption algorithms, according to Shannon's concepts, are nothing but a sequence of iterations. Each iteration uses a layer of S-boxes controlled by a secret key. Between two consecutive iterations, a single P-box of known structure is used (the P-box may be keyed).

The design and evaluation of cryptographically desirable Boolean functions require the definition of design criteria. It is known that the security of schemes based on a combination of permutations and substitutions strongly depends on the characteristics of the substitution tables or S-boxes [74]. An example of the study of the design principles of the DES can be found in [12]. The analysis of key clustering for limited number of rounds of the DES also used intensive properties of the S-boxes when two input are fixed [28]. An attack on the same cipher using linear structures will be thwarted if the S-boxes are perfectly nonlinear [34]. Using highly nonlinear Boolean functions to construct good S-boxes has received considerable attention over recent decades [4, 23, 50, 64, 106, 107, 109, 111, 117].

Confidence in the security of modern and future electronic rests on the belief that the cryptographic algorithms employed are able to resist cryptographic attacks. Since the introduction of the original Data Encryption Standard (DES) by NIST in the 1970's, there has been an increasing research effort devoted to discovering structures and components that can be utilized in the design of ciphers to achieve this goal of security. S-boxes are the most widely used method to provide high nonlinearity in block ciphers [66]. In order to resist modern cryptographic attacks based on linear approximation and differential characteristics [3, 8, 9, 55], highly nonlinear Boolean functions with good propagation criteria and less linear structure are needed.

Most common running key generators in systems are based on a combination of shift registers and several nonlinear Boolean functions [5, 39]. According to the method of combination, the generators are mainly divided into two categories: feedback type and feedforward type. The feedback generator is an n-stage shift register together with a feedback loop which computes the next term for the first stage of the shift register based on a nonlinear Boolean function using the previous n terms. The feedforward generator consists of n driving linear feedback shift registers and a nonlinear function that operates on the n output sequences to generate the key sequence [82].

Boolean functions are universal tools for S-box design [117]. The cryptographic usefulness of a given Boolean function is measured by its cryptographic properties. The collection of these basic properties includes balance, strict avalanche criterion (SAC), high nonlinearity [2] and higher-order propagation criteria [74]. To resist various attacks, C. Adams and S. Tavares described what is a good S-box design [2]. A good S-box should possess a design procedure that is guaranteed to produce S-boxes possessing properties such as bijection, nonlinearity, strict avalanche and independence of output bits. This gives us an insight into the design of good S-boxes. Furthermore, it also allows one to generate, quickly and easily, S-boxes which can be used in the development of private-key ; an area of renewed importance since the increasing power and speed of , mainframes, and workstations make early fears about the relatively small key-size of DES increasingly relevant. Shannon's is easy to implement. If building blocks are selected at random (so both P-boxes and S-boxes are random), this will still get a strong cipher with a high , provided "a large enough" number of iterations [65] is used. The real challenge in the S-box theory is how to design S-boxes to reduce the number of iterations without loss of security.

If an S-box (or corresponding collection of Boolean functions) is implemented as a lookup table, then the length or the form of Boolean functions is not important. This is no longer true when the evaluation of the function is done on the fly; this is the case in all MD-type hashing algorithms (MD4, MD5, SHA-1, HAVAL) [80]. It was argued in [71] that symmetric Boolean functions can be very efficiently evaluated.

The strict avalanche criterion (SAC) was introduced in 1985 by A. Webster and S. Tavares [106] for the design of the Boolean functions involved in S-boxes. It is related to their dynamic behaviour when their input is modified, and was later generalized by B. Preneel, W. V. Leekwijck, L. V. Linden, R. Govaerts and J. Vandewalle, who defined the important propagation criteria (PC(k)) [74]. The propagation criteria were studied later in [21].

To protect against linear attacks, nonlinear Boolean functions are involved. Nonlinearity is a key parameter to characterize a nonlinear Boolean function. Generally, an application of permutations of the maximum nonlinearity does not guarantee that an encryption algorithm based on them generates a "strong" cipher. For example, the well known DES algorithm is built using 32 permutations (each S-box consists of four permutations) and none of them attains the maximum nonlinearity [68].

Cryptographic transformations are usually designed by appropriate composition of nonlinear functions. In stream cipher design such functions have been applied to combine the output of linear feedback shift registers in order to produce the key stream. In this design combining functions should not leak information about the individual linear feedback shift register sequences into the key stream.
For this purpose the concept of correlation immunity has been introduced and studied in order to prevent divide and conquer [57, 82, 98]. For a memory-less combiner the output always has correlation to certain linear functions of the inputs, and the total correlation is independent of the combining functions [58]. The functions used in conventional ciphers must provide both diffusion, for merging several inputs, and confusion, for hiding any structures [20, 97]. These notions are formalized through the properties of correlation-immunity and nonlinearity [7, 13, 14, 15, 58, 61, 92, 98, 110].

Highly nonlinear Boolean functions are required to be balanced and satisfy the propagation criteria [98, 113, 114]. For Boolean functions defined over n binary variables, bent functions have the highest nonlinearity and the best propagation criteria, but they are not balanced. For any n Boolean variables, there are $2^{2^n}$ different functions. In fact, a very high proportion of all functions are balanced. There are $\binom{2^n}{2^{n-1}}$ balanced functions over the Boolean space $V_n$ [76]. For example, out of the 256 functions on $V_3$, 70 are balanced (for more detail see chapter 5).

Hashing algorithms are important cryptographic primitives which are indispensable for an efficient generation of both signatures and message codes [103]. They are also widely used as one-way functions in key agreement and key establishment protocols [59]. Hashing can be designed using either block encryption algorithms or computationally hard problems or substitution-permutation networks (S-P networks).

Parameters of hashing algorithms based on block encryption algorithms are restricted by properties of the underlying encryption algorithms. Assume that an encryption algorithm operates on n-bit strings. A single use of the cipher produces an n-bit hash value. This means that the n-bit strings have to be at least 128-bit long. Otherwise, the hash algorithm is subject to the birthday attack. The attack finds colliding messages in $2^{n/2}$ steps with a high probability (larger than 0.5). If the hash algorithm applies more than one encryption, it becomes slower than the underlying cipher. The use of a "strong" encryption algorithm does not guarantee a collision-free hash algorithm. There have been many spectacular failures that prove the point [73].

The design of hashing algorithms using intractable problems can be attractive as the security evaluation can sometimes be reduced to the proof that finding a collision is as difficult as solving an instance of a computationally hard problem. Numerous examples have shown that the application of hard problems does not automatically produce sound hash algorithms. The misunderstanding springs from the general characterization of the problem. For example, a problem is considered to be difficult if it belongs to the NP-complete class [36]. Any problem is a collection of instances. Some of them are intractable but some are easy.
If a hash algorithm applies easy instances, it is simply insecure. The main shortcoming of this class of hash algorithms is that they are inherently slow.

The class of hash algorithms based on S-P networks includes the fastest algorithms. They apply . Representatives of this class are MD4 [79], MD5 [78], SHA [80] and many others [86]. Despite the demolishing of MD4 and the weakening of MD5 by Dobbertin [31, 32], their structural properties look sound and they are frequently used as benchmarks for efficiency evaluation.

In the design of cryptographic functions, there is a need to consider various nonlinear characteristics simultaneously [122]. It is noticed that some characteristics restrict each other. Bent functions, for example, have maximum nonlinearity and satisfy the propagation criteria with respect to every non-zero vector over the Boolean spaces on which they are defined. However, bent functions are not balanced and exist only on even size Boolean spaces. Furthermore, bent functions are not correlation immune. Partially bent functions are highly nonlinear and can be balanced. However, except for bent functions, partially bent functions have non-zero linear structures that are cryptographically undesirable. For these reasons, people study other classes of Boolean functions to try to overcome the disadvantages of bent functions or partially bent functions. The class of plateaued Boolean functions is one candidate that is defined by a series of inequalities and examines the critical case of each inequality. Compared with other functions, plateaued functions may reach the upper bound on nonlinearity given by the inequalities.

In the paper [67], J.D. Olsen, R.A. Scholtz and L.R. Welch described the use of bent functions to construct families (OSW) of ±1 sequences with good correlation properties. A major tool in the OSW construction is the conventional discrete transformation as used by Rothaus in [81] by representing the elements of $V_n$ in terms of a trace-orthogonal basis [47]. A. Lempel and M. Cohn showed that the sequences produced by the OSW construction of bent sequences possess the same correlation properties if and only if the underlying bent functions are pairwise orthogonal [48].

Boolean functions have been studied in some aspects according to their properties. For their applications some properties need to be considered simultaneously. To produce good stream ciphers, for example, the Boolean function needs at least to be highly nonlinear and balanced. To resist various attacks, other properties of Boolean functions must be satisfied. Constructing cryptographic Boolean functions incurs much research. In the paper [49], S. Lloyd investigated the connections among the properties of Boolean functions: balance, correlation immunity and strict avalanche criterion. An important question in designing cryptographic functions, including S-boxes, is the relationships among the various nonlinearity criteria, each of which indicates the strength or weakness of a cryptographic function against a particular type of crypt-analysis attack. J. Seberry, X. Zhang and Y. Zheng first revealed the connections among SAC, differential characteristics, linear structures and nonlinearity of quadratic S-boxes [96]. In the paper [15], P. Camion, C. Carlet, P. Charpin and N. Sendrier establish the link between correlation-immune functions and orthogonal arrays. A recursive definition of any correlation-immune function of maximal degree was also given. The relation between the Walsh-Hadamard transforms and the auto-correlation function of Boolean functions is used to study propagation characteristics of these functions. The strict avalanche criterion and the perfect nonlinearity criterion are generalized in a propagation criterion of degree k. In the paper [74], B. Preneel, W. V. Leekwijck, L. V. Linden, R. Govaerts and J. Vandewalle gave some new properties and constructions for Boolean bent functions and discussed the extension of the definition to odd values of n space size.

To evaluate a Boolean function, its Hamming weight, nonlinearity, propagation criterion and correlation immunity are the basic parameters. In the paper [81], O.S. Rothaus revealed a class of Boolean functions with the highest nonlinearity and named these functions bent functions. Bent functions have Hamming weight $2^{n-1} \pm 2^{n/2-1}$ and nonlinearity $2^{n-1} - 2^{n/2-1}$. He also discovered basic properties of bent functions. J. Dillon gave the connection between Boolean functions and Hadamard difference sets [29]. Later, P. V. Kumar, R. A. Scholtz and L. R. Welch [46] generalized the concept of bent function on the fields $J^m$, that is, the m-tuple set over the integers modulo .

Since bent functions have the highest nonlinearity and are perfect nonlinear Boolean functions over their Boolean space, they are widely used in nonlinear ciphers and in constructing highly nonlinear balanced Boolean functions. In addition to the work of O.S. Rothaus and of J.D. Olsen, R.A. Scholtz and L.R. Welch [67] on bent functions and bent sequences, Kaisa Nyberg [60] discussed the relations of difference sets and bent functions and gave a condition under which McFarland's construction gives a binary bent function with maximum nonlinear degree. To form bent sequences, C. Adams and S. Tavares gave two general classes of binary bent sequences, bent based and linear based [1].
A group Hadamard matrix is used to construct a k-set of bent functions on $V_{2k}$ such that any nonzero linear combination of bent functions in this set is still a bent function on $V_{2k}$. Such a k-set of bent functions can be used to construct perfect nonlinear S-boxes. In the paper [69], J. Pieprzyk discussed the application of bent functions to bent permutations. C. Carlet gave two new classes of bent functions [17]. Since bent functions exist on even size Boolean spaces only, C. Carlet generalized the concept of bent function and defined partially-bent Boolean functions [18], which exist on both even and odd size Boolean spaces. Partially-bent functions can be divided into balanced and non-balanced (bent functions are non-balanced). To extend the concepts of bent function and partially bent function, X. Zhang described a large class of Boolean functions named plateaued functions [122], which contains both bent and partially bent functions. Perfect nonlinear functions were first introduced by W. Meier and O. Staffelbach [58] and are Boolean functions that satisfy PC(n) over the Boolean space $V_n$. Bent functions are perfect nonlinear functions. However, other perfect nonlinear Boolean functions have not been found yet.

In the paper [94], the relation of the nonlinearity and propagation criteria of balanced Boolean functions was discussed. In that paper some methods to construct balanced Boolean functions with high nonlinearity and good propagation criteria are presented. It also noted the algebraic degree of the balanced Boolean functions. K. Nyberg [61, 63] gave two methods to construct perfect nonlinear S-boxes: one is based on the Maiorana-McFarland construction of bent functions, which is easy and efficient to implement, and the other is based on Dillon's construction of difference sets. Differential cryptanalysis and linear cryptanalysis are known as the most effective attacks applicable to various block ciphers [55, 63]. The paper [56] deals with the correlation between the order of S-boxes and the strength of DES. Differential cryptanalysis is a method that analyzes the effect of particular differences in pairs of the differences of the resulting pairs, which was first explained by Biham and Shamir [8, 9]. The concept of nonhomomorphicity of Boolean functions was introduced in the papers [116, 121] as an alternative criterion that forecasts nonlinear characteristics of Boolean functions. Although both nonhomomorphicity and nonlinearity of a Boolean function reflect a difference between the Boolean function and affine functions, they measure the function from different perspectives. The k-th order nonhomomorphicity of S-boxes is an alternative indicator which forecasts nonlinearity of an S-box, where k > 4 is even [119]. In stream cipher design, pseudo random generators have been proposed which combine the output of one or several linear feedback shift registers (LFSRs) in order to produce the key stream.
If correlations are conditioned on side information, e.g., on known output digits, it is known that stronger correlations may be needed [57]. The paper [118] shows that the restriction of a Boolean function on a coset has significant influence on cryptographic properties of the function, and identifies relationships between the nonlinearity of the function and the distribution of terms in the polynomial representation of the function. The cycles of odd length in the terms and quadratic terms in a function play an important role in determining the nonlinearity of the function.

In the paper [37], correlation properties of a general binary combiner with an arbitrary number of memory bits were analyzed. It is shown that there exists a pair of certain linear functions of the output and input respectively that produce correlated binary sequences. An efficient procedure, based on a linear sequential circuit approximation, was studied to find such a pair of linear functions. Boolean functions satisfying a higher order strict avalanche criterion were explored in the paper [27]. Many practical information authentication techniques are based on such cryptographic means as data encryption algorithms and one-way hash functions. A core component of such algorithms and functions are nonlinear functions. The relation of a Boolean function with the criterion of propagation of degree l and order k is also an interesting topic for Boolean functions [21, 115]. The propagation criterion was introduced by B. Preneel et al. [40, 74]; they also defined the concept of the criterion of propagation of degree l and order k, which are the functions that satisfy PC(l) when a certain number k of coordinates $x_1, \ldots, x_n$ of x are kept. Recently, Palash Sarkar and Subhamoy Maitra presented a new proof of the Walsh transform characterization of correlation immune Boolean functions. They also provide a simpler proof of the fundamental relation between the order of correlation immunity and algebraic degree of a Boolean function [85]. They give a new construction method, using a small set of recursive operations, for a large class of highly nonlinear, resilient Boolean functions optimizing Siegenthaler's inequality [53, 84].

2.2 Boolean space and Boolean functions

Let $a = (a_1, \ldots, a_n)$ be an element in an n-tuple set. If all entries of $a$ are 0 or 1 (in GF(2)) and the following arithmetic rules are obeyed

$$1 + 1 = 0, \quad 1 + 0 = 1, \quad 1 \times 0 = 0, \quad 1 \times 1 = 1,$$

then the set is called a Boolean space denoted by $V_n$ [99]. All elements in $V_n$ are called vectors. Since $1 + 1 = 1 - 1 = 0$, the notation '$\oplus$' (XOR) is used instead of the sign '+' or '-' for binary computations, to distinguish it from the usual signs + and -. It is clear that a Boolean space $V_n$ contains $2^n$ distinct vectors that correspond to the natural numbers from 0 to $2^n - 1$. An n-tuple variable $x = (x_1, \ldots, x_n)$ is defined on a Boolean space $V_n$ which varies from $a_0 = (0, \ldots, 0)$ to $a_{2^n-1} = (1, \ldots, 1)$. By convention, when $x$ varies from $a_0$ to $a_{2^n-1}$, each entry of $x$ varies in its appropriate column:

$$\begin{array}{rcl}
V_n:\ x &=& (x_1\ x_2\ \cdots\ x_{n-1}\ x_n) \\
a_0 &=& (0\ \ 0\ \ \cdots\ \ 0\ \ 0) \\
a_1 &=& (0\ \ 0\ \ \cdots\ \ 0\ \ 1) \\
&\vdots& \\
a_{2^n-1} &=& (1\ \ 1\ \ \cdots\ \ 1\ \ 1).
\end{array} \tag{2.1}$$

So the values of $x_1$ on $V_n$ are always $(\underbrace{0, \ldots, 0}_{2^{n-1}}, \underbrace{1, \ldots, 1}_{2^{n-1}})$ and the values of $x_i$ are $(\underbrace{0, \ldots, 0}_{2^{n-i}}, \underbrace{1, \ldots, 1}_{2^{n-i}}, \underbrace{0, \ldots, 0}_{2^{n-i}}, \underbrace{1, \ldots, 1}_{2^{n-i}}, \ldots)$, where $i = 1, \ldots, n$. Since these binary sequences will be frequently used, the arithmetic rules for binary sequences are given as follows.

Definition 1 Let $\xi = (a_1, \ldots, a_s)$ and $\eta = (b_1, \ldots, b_s)$ be two sequences with same length $s$. Then their multiplication ($\times$), binary addition ($\oplus$), dot-product ($\cdot$), and inner product are defined as follows,

$$\begin{aligned}
\xi \times \eta &= (a_1 b_1, \ldots, a_s b_s), \\
\xi \oplus \eta &= ((a_1 \oplus b_1), \ldots, (a_s \oplus b_s)), \\
\xi \cdot \eta &= a_1 b_1 \oplus \cdots \oplus a_s b_s
\end{aligned} \tag{2.2}$$

respectively. If $\xi$ and $\eta$ are ±1 sequences, their inner product is denoted as follows.

$$\langle \xi, \eta \rangle = a_1 b_1 + \cdots + a_s b_s.$$

Now $\xi \times \eta$ and $\xi \oplus \eta$ are still binary sequences. However, $\xi \cdot \eta$ is a real integer value in GF(2) and $\langle \xi, \eta \rangle$ is a real integer value (0 << < s).

A Boolean function on $V_n$ is defined by the mapping

$$f: V_n \to V_1$$

which means that for each vector in $V_n$, $f$ takes the values 0 or 1. There are several ways to represent a Boolean function. Normally polynomials, binary sequences or (±1) sequences are used to represent Boolean functions. Let $a = (a_1, \ldots, a_n)$ be a vector in $V_n$ and $x^a = x_1^{a_1} x_2^{a_2} \cdots x_n^{a_n}$ denote a single term in polynomial form in $V_n$. Then a Boolean function in $V_n$ is represented by the polynomial form

$$f(x) = \bigoplus_{a \in V_n} c_a x^a, \qquad c_a = 0 \text{ or } 1. \tag{2.3}$$

The binary sequence and ±1 sequence forms for the function (2.3) are

$$\zeta_n = (\, f(a_0)\ \ f(a_1)\ \ \cdots\ \ f(a_{2^n-1}) \,) \tag{2.4}$$

$$\xi_n = (\, (-1)^{f(a_0)}\ \ (-1)^{f(a_1)}\ \ \cdots\ \ (-1)^{f(a_{2^n-1})} \,), \tag{2.5}$$

respectively. The sequence (2.5) can also be produced by the polynomial $1 - 2f(x)$. Now for a function $f(x)$, one knows how to produce the sequences (2.4) and (2.5). To transform a (0,1) sequence, $\xi$, to its polynomial form, the equivalent function $f(x)$, one uses the $2^n \times 2^n$ matrix $G_n$ over GF(2) and a $1 \times 2^n$ matrix, $X_n$, to convert. The matrix $G_n$ is defined by the recursive formula as follows:

$$G_n = \begin{bmatrix} G_{n-1} & G_{n-1} \\ 0 & G_{n-1} \end{bmatrix} \quad \text{and} \quad G_1 = \begin{bmatrix} 1 & 1 \\ 0 & 1 \end{bmatrix}$$

and the matrix $X_n$ is

$$X_n = [\, x^{a_0}\ \ x^{a_1}\ \ \cdots\ \ x^{a_{2^n-1}} \,].$$

Then a binary sequence representation of a function can be converted to its polynomial by

$$f(x) = \xi \times G_n \times X_n^T$$

where $X_n^T$ is the transpose of matrix $X_n$. In fact, the i-th row of $G_n$ is the binary sequence of $x^{a_i}$.

Let $g_0(y), \ldots, g_{2^k-1}(y)$ be functions on $V_h$ and $\xi_0, \ldots, \xi_{2^k-1}$ be their sequences respectively. Let $a_i = (a_{i1}, a_{i2}, \ldots, a_{ik})$ be a vector on $V_k$, $i = 0, 1, \ldots, 2^k - 1$. Then the function obtained by concatenating the sequence $\eta = (\xi_0, \ldots, \xi_{2^k-1})$ on $V_{k+h}$ is

$$f(x, y) = \bigoplus_{i=0}^{2^k-1} D_i(x)\, g_i(y) \tag{2.6}$$

where $D(x) = (D_0(x), D_1(x), \ldots, D_{2^k-1}(x))$ is the combining function defined by [94]

$$D_i(x) = (x_1 \oplus a_{i1} \oplus 1)(x_2 \oplus a_{i2} \oplus 1) \cdots (x_k \oplus a_{ik} \oplus 1) = \prod_{j=1}^{k} (x_j \oplus a_{ij} \oplus 1),$$

where $a_{ij}$ is the j-th entry of vector $a_i \in V_k$. In fact,

$$D_i(x) = \begin{cases} 0 & \text{for } x \neq a_i, \\ 1 & \text{for } x = a_i, \end{cases} \qquad i = 0, \ldots, 2^k - 1.$$

Thus the values of the sequence $\eta$ from the first entry to the $(2^h - 1)$-th entry are the values of $g_0(y)$ over $V_h$, from the $(2^h)$-th entry to the $(2^{h+1} - 1)$-th entry are the values of $g_1(y)$, ..., and from the $(2^{h+k} - 2^h)$-th entry to the $(2^{h+k} - 1)$-th entry are the values of $g_{2^k-1}(y)$. If $k = 0$, then $f(x, y) = g(y)$; if $h = 0$ there is not any function on $V_0$.

Suppose $g_0 = c_0, g_1 = c_1, \ldots, g_{2^k-1} = c_{2^k-1}$, where $h = 0$, $i = 0, \ldots, 2^k - 1$. Then

$$f(x, y) = f(x) = \bigoplus_{i=0}^{2^k-1} D_i(x)\, c_i \tag{2.7}$$

Formula (2.7) can be used to convert a sequence on $V_n$ to its polynomial form, if the sequence on $V_n$ is formed by the concatenation of the constant functions $g_i = c_i$ on $V_0 = \{0\}$. Thus each entry of the sequence $\eta$ is a constant $c_i$. Therefore the sequence $\eta = (c_0\ c_1\ \cdots\ c_{2^n-1})$ corresponds to the function

$$f(x) = \bigoplus_{i=0}^{2^k-1} c_i (x_1 \oplus a_{i1} \oplus 1)(x_2 \oplus a_{i2} \oplus 1) \cdots (x_k \oplus a_{ik} \oplus 1)$$

on $V_n$, which is another way to transform a sequence to the polynomial representation.

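Let $\eta = (0100\ 1010)$, for example, be a sequence on $V_3$. Then the polynomial form of the function is

$$f(x) = (x_1 \oplus 1)(x_2 \oplus 1)x_3 \oplus x_1(x_2 \oplus 1)(x_3 \oplus 1) \oplus x_1 x_2 (x_3 \oplus 1)$$

$$= x_1 \oplus x_1 x_2 x_3 \oplus x_2 x_3 \oplus x_3.$$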
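The two conversions described above (multiplying the sequence by $G_n$, and expanding the products $D_i(x)$ of formula (2.7)) can be checked against each other on the sequence (0100 1010). The following Python sketch is an added example, not code from the thesis; the function names are chosen here, and a monomial $x^{a_i}$ is stored as the integer $i$ whose binary digits are the exponents, with $x_1$ as the most significant bit.

```python
def build_G(n):
    """G_n from the recursion G_n = [[G_{n-1}, G_{n-1}], [0, G_{n-1}]], G_1 = [[1, 1], [0, 1]]."""
    g = [[1]]  # G_0, so that one step of the recursion yields G_1
    for _ in range(n):
        size = len(g)
        g = [row + row for row in g] + [[0] * size + row for row in g]
    return g


def dimension(seq):
    """n such that the sequence has length 2^n."""
    n = len(seq).bit_length() - 1
    if n < 0 or len(seq) != 1 << n:
        raise ValueError("sequence length must be a power of two")
    return n


def anf_via_G(seq):
    """Monomials of f (set of exponent indices), computed as seq x G_n over GF(2)."""
    G = build_G(dimension(seq))
    size = len(seq)
    coeffs = [sum(seq[j] & G[j][i] for j in range(size)) % 2 for i in range(size)]
    return {i for i, c in enumerate(coeffs) if c}


def multiply(p, q):
    """Product of two GF(2) polynomials; x_j * x_j = x_j, so monomials combine by OR."""
    out = set()
    for a in p:
        for b in q:
            out ^= {a | b}  # XOR accumulation: equal monomials cancel in pairs
    return out


def anf_via_D(seq):
    """Monomials of f from formula (2.7): XOR of the expanded D_i(x) over entries c_i = 1."""
    n = dimension(seq)
    poly = set()
    for i, c in enumerate(seq):
        if c:
            term = {0}  # the constant polynomial 1
            for j in range(1, n + 1):
                x_j = 1 << (n - j)
                # factor (x_j + a_ij + 1): x_j when a_ij = 1, (x_j + 1) when a_ij = 0
                term = multiply(term, {x_j} if i & x_j else {x_j, 0})
            poly ^= term
    return poly


def evaluate(poly, x):
    """Value of the polynomial at the vector with index x."""
    return sum(1 for m in poly if m & x == m) % 2


def degree(poly):
    """Algebraic degree: largest Hamming weight of an exponent vector with c_a = 1."""
    return max((bin(m).count("1") for m in poly), default=0)


def show(poly, n):
    """Readable form; '+' stands for XOR."""
    def name(m):
        return "".join(f"x{j}" for j in range(1, n + 1) if m & (1 << (n - j))) or "1"
    ordered = sorted(poly, key=lambda m: (bin(m).count("1"), -m))
    return " + ".join(name(m) for m in ordered) or "0"


ETA = [0, 1, 0, 0, 1, 0, 1, 0]  # the sequence (0100 1010) on V_3 from the text

if __name__ == "__main__":
    print(show(anf_via_G(ETA), 3))
    print(anf_via_G(ETA) == anf_via_D(ETA))
```
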

Definition 2 Let $f(x)$ be a function on $V_n$. Then the (-1,1) matrix of the function is defined by $M = [(-1)^{f(a_i \oplus a_j)}]$. Similarly, its (0,1) matrix is defined by $M = [f(a_i \oplus a_j)]$.

The first row of $M$ is just the sequence of the function. When a sequence of a function on $V_n$ is considered, the length of the sequence is $2^n$.

Now the sub-sequences of the sequence of a function on $V_n$ are defined by the following definition.

Definition 3 Let $\xi = (b_0\ b_1\ \cdots\ b_{2^n-1})$ be the sequence of $f(x)$ on $V_n$. The sub-sequences, $\xi_i$, of $\xi$ with length $2^h$ are defined by

$$\xi_1 = (b_0 \cdots b_{2^h-1}), \quad \xi_2 = (b_{2^h} \cdots b_{2^{h+1}-1}), \quad \ldots, \quad \xi_{2^k} = (b_{2^{h+k}-2^h} \cdots b_{2^{h+k}-1}),$$

where $h, k < n$ and $h + k = n$.

Let the polynomial form of $\xi_i$ on $V_h$ be $g_i(y)$, where $i = 1, 2, \ldots, 2^k$. Then the function (2.6) is the polynomial form of the sequence $\xi$ on $V_{h+k}$.

Lemma 1 Let $f(x)$ be a Boolean function on $V_n$ and $\xi$ its sequence. Let $\xi_1, \ldots, \xi_{2^{n-h}}$ denote the sub-sequences of $\xi$ of length $2^h$. Suppose that the longest sub-sequence of $\xi$ has the length $2^h$ and an odd Hamming weight, then the algebraic degree of the function $f(x)$ is greater than or equal to $h$.

Proof. Let $\xi$ be the sequence of the function $f(x)$. Suppose the longest subsequence $\xi_i$ of $\xi$ with odd Hamming weight has length $2^h$. Then the polynomial form function of $\xi_i$ has algebraic degree $h$ on $V_h$. Let $g_j(x_1, \ldots, x_h)$ correspond to the subsequence $\xi_j$, $j = 0, 1, \ldots, 2^{n-h}$. Then

$$f(x) = \bigoplus_{j=0}^{2^{n-h}} D_j(x_{h+1}, \ldots, x_n)\, g_j(x_1, \ldots, x_h),$$

in which

$$D_j(x_{h+1}, \ldots, x_n) = \prod_{k=1}^{n-h} (x_{k+h} \oplus a_{jk} \oplus 1)$$

where $a_{jk}$ is the k-th entry of $a_j \in V_{n-h}$. In the function $f(x)$, the algebraic degree of the term $D_i(x_{h+1}, \ldots, x_n)\, g_i(x_1, \ldots, x_h)$ is greater than or equal to $h$.

Case 1. If all subsequences have odd Hamming weight.

Case 2. Some of the subsequences have odd Hamming weight.

Therefore the lemma is proved. •

2.3 Cryptographic desirable characteristics of Boolean functions

Since the research is desired to be useful to cryptography, the functions studied must satisfy some cryptographically desirable properties. This section gives the definitions of cryptographic properties for Boolean functions which can be found in the literature.

Definition 4 (Affine and linear functions) A Boolean function

$$f(x) = \bigoplus_{a \in V_n} c_a x^a, \qquad c_a = 0 \text{ or } 1$$

on $V_n$ is called an affine function if $c_a = 0$ for all $wt(a) > 1$, where $a \in V_n$. For an affine function, if $c_0 = 0$, it is called a linear function.

Using the definition of dot-product, an affine function can also be expressed as

In the above function, if c = 0, the function is linear. A linear function is an affine function. The total number of distinct vectors $a$ in $V_n$ is $2^n$. Therefore, over $V_n$, there are $2^n$ distinct linear functions, which include the constant function 0, and $2^{n+1}$ distinct affine functions, which include the constant functions 0 and 1. For later use, the following statement is given as a lemma. The proof of the lemma follows directly from Definition 4.

Lemma 2 Let tpi(x) and

Definition 5 (Hamming weight and Hamming distance) Let $\xi$ and $\eta$ be (0,1) sequences. The Hamming weight of $\xi$, denoted by $wt(\xi)$, is the number of 1s in the sequence. The Hamming distance between the two sequences $\xi$ and $\eta$ is defined by the Hamming weight of the sequence $\xi \oplus \eta$, and denoted by $d(\xi, \eta)$, i.e.

$$d(\xi, \eta) = wt(\xi \oplus \eta).$$

Let $f(x)$ be a function on $V_n$ and $\xi$ its binary sequence. The Hamming weight of $f(x)$ is the number of 1s in its sequence $\xi$, i.e. the number of solutions of $f(x) = 1$. For two functions $f(x)$ and $g(x)$ over $V_n$, the Hamming distance is the Hamming weight of the function $f(x) \oplus g(x)$, denoted by $d(f, g)$. Notice that $f(a) = g(a)$ contributes a zero to the binary sequence of $f(x) \oplus g(x)$, and $f(a) \neq g(a)$ contributes a 1. Therefore, the Hamming distance of the functions $f(x)$ and $g(x)$ is also equal to the number of vectors such that $f(a) \neq g(a)$. The Hamming weight of the function $x^a$ on $V_n$ depends on the Hamming weight $wt(a)$, and equals $2^{n - wt(a)}$.

Lemma 3 Let $f(x)$ and $g(x)$ be two functions on $V_n$. Then

$$d(f, g) = \frac{1}{2}\left(2^n - \langle \xi, \eta \rangle\right)$$

where $\xi$ and $\eta$ are the ±1 sequences of $f$ and $g$ respectively.

Proof. Let $\xi = (a_0, \ldots, a_{2^n-1})$ and $\eta = (b_0, \ldots, b_{2^n-1})$. Let $N^+$ and $N^-$ denote the numbers of $a_i = b_i$ and $a_i \neq b_i$ respectively. It is obvious that $N^+ + N^- = 2^n$ and $\langle \xi, \eta \rangle = N^+ - N^- = 2^n - 2N^-$. The Hamming distance of $\xi$ and $\eta$ is the number $N^-$. Therefore

$$d(f, g) = N^- = \frac{1}{2}\left(2^n - \langle \xi, \eta \rangle\right).$$

Definition 6 (Balanced functions) A function $f(x)$ on $V_n$ is said to be balanced if the number of solutions of $f(x) = 0$ (or $f(x) = 1$) is $2^{n-1}$.

By Definition 5 a balanced function has Hamming weight $2^{n-1}$. Any non-constant affine function is balanced. From Lemma 2 it can be seen that the Hamming distance between any two distinct affine functions (at least one is non-constant) is $2^{n-1}$. The following equation gives a relationship between a function and a set of linear functions.

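Lemma 4 (Parseval's equation [52]) Let $f(x)$ be a function on $V_n$ and $\xi$ be its ±1 sequence. Then

$$\sum_{i=0}^{2^n-1} \langle \xi, l_i \rangle^2 = 2^{2n}$$

where $l_i$ are ±1 linear sequences.

Proof. Let $\xi$ be the sequence of the function $f(x)$ on $V_n$. Then

$$\langle \xi, l_i \rangle = \sum_{x \in V_n} (-1)^{f(x) \oplus l_i(x)}$$

and

$$\langle \xi, l_i \rangle^2 = \sum_{x \in V_n} (-1)^{f(x) \oplus l_i(x)} \sum_{x' \in V_n} (-1)^{f(x') \oplus l_i(x')}.$$

The linear functions $l_i(x)$ and $l_i(x')$ can be written as $a_i \cdot x$ and $a_i \cdot x'$ respectively. Thus summing the above formulae with the variable x gives

$$\begin{aligned}
\sum_{i=0}^{2^n-1} \langle \xi, l_i \rangle^2
&= \sum_{i=0}^{2^n-1} \left( \sum_{x \in V_n} (-1)^{f(x) \oplus l_i(x)} \sum_{x' \in V_n} (-1)^{f(x') \oplus l_i(x')} \right) \\
&= \sum_{i=0}^{2^n-1} \left( \sum_{x \in V_n} (-1)^{f(x) \oplus a_i \cdot x} \sum_{x' \in V_n} (-1)^{f(x') \oplus a_i \cdot x'} \right) \\
&= \sum_{i=0}^{2^n-1} \left( \sum_{x, x' \in V_n} (-1)^{f(x) \oplus f(x') \oplus a_i \cdot (x \oplus x')} \right) \\
&= \sum_{x, x' \in V_n} (-1)^{f(x) \oplus f(x')} \sum_{i=0}^{2^n-1} (-1)^{a_i \cdot (x \oplus x')}.
\end{aligned}$$

It is seen that $\sum_{i=0}^{2^n-1} (-1)^{a_i \cdot (x \oplus x')} = 0$ for $x \neq x'$ and $\sum_{i=0}^{2^n-1} (-1)^{a_i \cdot (x \oplus x')} = 2^n$ for $x = x'$. Furthermore $\sum_{x, x' \in V_n} (-1)^{f(x) \oplus f(x')} = 2^n$ for $x = x'$. Therefore we have

$$\sum_{i=0}^{2^n-1} \langle \xi, l_i \rangle^2 = \sum_{x, x' \in V_n} (-1)^{f(x) \oplus f(x')} \sum_{i=0}^{2^n-1} (-1)^{a_i \cdot (x \oplus x')} = 2^{2n}. \qquad \Box$$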

Definition 7 (Nonlinearity) The nonlinearity of a function $f(x)$, denoted by $N_f$, is the minimum Hamming distance between $f$ and all affine functions, i.e.

Nf = min{d(f,(fi) | V

Nonlinearity is one of the important parameters for assessing the value of a function in cryptographic applications. According to the definition of nonlinearity, all affine functions have zero nonlinearity. On the other hand, a Boolean function having non-zero nonlinearity is not affine. According to the definition of nonlinearity, the nonlinearity of a non-linear Boolean function on $V_n$ cannot exceed $2^{n-1}$. On an even size Boolean space, there is a class of Boolean functions, called bent functions, that have maximum nonlinearity, $2^{n-1} - 2^{n/2-1}$, over the space. Also, bent functions have Hamming distance either $2^{n-1} - 2^{n/2-1}$ or $2^{n-1} + 2^{n/2-1}$ to any affine function over the Boolean space. The chapter will introduce more detail about bent functions.

Lemma 5 Let $B$ be a nonsingular $n \times n$ matrix over GF(2). Let $f(x)$ be a function on $V_n$. Then the function

$$g(x) = f(xB \oplus a), \qquad a \in V_n$$

and $f(x)$ have the same nonlinearity, $N_g = N_f$.

Proof. By the definition of nonlinearity, there exists at least one affine function

such that d{f,ip) = Nf. Let 4>(x) =

and d(g, ) = d(f,

Ng < d(g,(j>) = Nf. Similarly, one can get another inequality Nf < Ng. Therefore

D Nf = Ng.

Definition 8 (Propagation criteria PC(k)) Let $f(x)$ be a function on $V_n$. If the difference, $f(x) \oplus f(x \oplus a)$, of the function $f(x)$ is balanced, then the function $f(x)$ is said to have the propagation criteria with respect to the vector $a$. If $f(x) \oplus f(x \oplus a)$ is balanced for all vectors with $0 < wt(a) \le k$ in $V_n$, then the function $f(x)$ satisfies the k-th order propagation criteria and is denoted by PC(k).

Definition 9 (Strict avalanche criteria (SAC)) If the function $f(x) \oplus f(x \oplus a)$ is balanced for all vectors with $wt(a) = 1$ in $V_n$, then the function $f(x)$ is said to have strict avalanche criteria (SAC).

The strict avalanche criteria was introduced in 1985 by A. Webster and S. Tavares [106] for the Boolean functions involved in S-boxes. It is related to their dynamic behaviour (when their input is modified) and was later generalized by B. Preneel, W. V. Leekwijck, L. V. Linden, R. Govaerts and J. Vandewalle [74], who defined the important cryptographic property of Boolean functions - propagation criteria. Boolean functions are called perfect nonlinear functions on $V_n$ if they satisfy PC(n), which was introduced by W. Meier and O. Staffelbach [58]. The strict avalanche criteria is the first order propagation criteria for a function on $V_n$. The definition of the strict avalanche criteria is extracted from those of propagation criteria since it is so important in cryptography.

Lemma 6 Let $g(x)$ be a function on $V_n$ and $A$ be a nonsingular $n \times n$ matrix with entries from GF(2). Let $\gamma$ stand for a row of $A$. If $g(x) \oplus g(x \oplus \gamma)$, for any $\gamma$, is balanced, then the function $f(x) = g(xA)$ satisfies the strict avalanche criteria (SAC).

Proof. Since the matrix $A$ is nonsingular, the reverse transform is used to get $g(x) = f(xA^{-1})$. Therefore the function

$$f(xA^{-1}) \oplus f((x \oplus \gamma)A^{-1}) = f(xA^{-1}) \oplus f(xA^{-1} \oplus \gamma A^{-1})$$

is balanced. On the right hand side of the above formula, $\gamma A^{-1}$ is a non-zero vector in $V_n$. If one uses $x' = xA^{-1}$ and $a = \gamma A^{-1}$ to take the place of $xA^{-1}$ and $\gamma A^{-1}$ respectively, and notices that the matrix is defined on the field GF(2), the right hand side of the above formula becomes $f(x') \oplus f(x' \oplus a)$ and is balanced with $wt(a) = 1$. Therefore the function $f(x)$ satisfies SAC. $\Box$

Lemma 7 Let $g_1(x), \ldots, g_m(x)$ be functions on $V_n$. Let the set $\Re$ be defined by

$$\Re = \{\gamma \mid g_i(x) \oplus g_i(x \oplus \gamma) \text{ is not balanced for any } i,\ 1 \le i \le m\}.$$

If $|\Re| < 2^{n-1}$ then there exists a nonsingular $n \times n$ matrix $A$ over GF(2) such that each function $g_j(xA)$ satisfies the SAC.

For the function (2.3) on $V_n$, the algebraic degree, denoted by $d$, of the function is defined by

$$d = \max\{wt(a) \mid a \in V_n \text{ with } c_a \neq 0\}$$

Lemma 8 The Hamming weight of a Boolean function $f(x)$ over $V_n$ is an odd number if and only if $d = n$.

Proof. Suppose that $f(x)$ has even Hamming weight. Then the multiplication of the sequence of $f(x)$ and the last row of $G_n$ is zero. Therefore $f(x)$ does not contain the term $x_1 \cdots x_n$ and its algebraic degree is less than $n$. If the Hamming weight of $f(x)$ is odd, the multiplication of the sequence of $f(x)$ and the last column of $G_n$ is 1. Then the function $f(x)$ contains the term $x_1 \cdots x_n$ and its algebraic degree is $n$. $\Box$

Corollary 1 Let f(x) be a function on Vn . If the algebraic degree d of the function is less than n, then its Hamming weight is even.

Definition 10 (Linear structure) Let $f(x)$ be a function on $V_n$. The function is said to have linear structure with respect to the vector $a$ if its propagation

$$f(x) \oplus f(x \oplus a)$$

is constant (0 or 1). The vector $a$ is called a linear structure vector.

Every function has at least one linear structure vector. The more linear structure vectors the function has, the worse it is for cryptographic applications. So cryptographically desirable Boolean functions are those with few linear structure vectors.

2.4 Hadamard matrix and Walsh-Hadamard transformation

The Walsh-Hadamard transform is important in discussing Boolean functions. Many properties of Boolean functions relate to the transform. This section gives the definition of the Walsh-Hadamard transform and some properties of Boolean functions on $V_n$. It also introduces some other concepts which will be mentioned later.

Definition 11 (Hadamard matrix [52]) An $n \times n$ matrix $H$ is defined as a Hadamard matrix if it satisfies the equation $H \times H^T = nI$, where $I$ is an $n \times n$ unit matrix. The Sylvester-Hadamard matrix is a $2^n \times 2^n$ matrix and is recursively defined as follows,

$$H_n = \begin{bmatrix} H_{n-1} & H_{n-1} \\ H_{n-1} & -H_{n-1} \end{bmatrix} \quad \text{and} \quad H_0 = [1]$$

denoted by $H_n$. On the Boolean space $V_n$, the Sylvester type Hadamard matrix can be represented by $[(-1)^{a_i \cdot a_j}]$.

From the definition, the i-th row of the Sylvester-Hadamard matrix is a ±1 sequence of the linear function $a_i \cdot x$. The first row of $H_3$, for example, is (1 1 1 1 1 1 1 1) for $a_0 \cdot x = 0$, the second row is (1 -1 1 -1 1 -1 1 -1) for $a_1 \cdot x = x_3$, the third row is (1 1 -1 -1 1 1 -1 -1) for $a_2 \cdot x = x_2$, the fourth row is (1 -1 -1 1 1 -1 -1 1) for $a_3 \cdot x = x_2 \oplus x_3$ and so on. The last row is (1 -1 -1 1 -1 1 1 -1) for $a_7 \cdot x = x_1 \oplus x_2 \oplus x_3$.

Definition 12 (Walsh-Hadamard transform) Let $f(x)$ be a function on $V_n$ and $\xi$ its sequence. Then the Walsh-Hadamard transform of the function $f(x)$ is defined by a $1 \times 2^n$ matrix $\zeta(\xi)$ and represented as follows:

$$\zeta(\xi) = \xi H_n = H_n \xi^T,$$

in which the i-th entry is

$$F(a_i) = \sum_{x \in V_n} (-1)^{f(x) \oplus a_i \cdot x} = \langle \xi, l_i \rangle \tag{2.8}$$

where $l_i$ is the ±1 sequence of $a_i \cdot x$ and $i = 0, 1, 2, \ldots, 2^n - 1$.

It is obvious that the sequence $\zeta(\xi)$ is not a ±1 sequence. For an affine function, the Walsh-Hadamard transform, $\zeta$, has only one entry equal to $\pm 2^n$ and all others are zero. From the definition of nonlinearity, there is

$$N_f = \left| 2^{n-1} - \frac{1}{2}\max\{F(a) \mid a \in V_n\} \right|.$$

By using the Hadamard transform, one can get the upper bound for nonlinearity as follows.

Lemma 9 Let $f(x)$ be a function on $V_{2n}$. Then the nonlinearity of $f$ satisfies

$$N_f \le 2^{2n-1} - 2^{n-1}.$$

Proof. Let $\xi$ be the sequence of $f(x)$ on $V_n$ and $l_i$ the i-th row (or column) of $H_n$. Then

$$\xi H_n = (\langle \xi, l_0 \rangle, \ldots, \langle \xi, l_{2^n-1} \rangle).$$

Hence, by Parseval's equation,

$$\xi H_n H_n^T \xi^T = \sum_{i=0}^{2^n-1} \langle \xi, l_i \rangle^2 = 2^{2n}.$$

Thus, there exists an $i'$ ($0 \le i' \le 2^n - 1$) such that $\langle \xi, l_{i'} \rangle^2 \ge 2^n$, i.e. $\langle \xi, l_{i'} \rangle \ge \pm 2^{n/2}$. By the definition of nonlinearity and Lemma 3, one gets $N_f \le d(\xi, l_{i'}) \le \frac{1}{2}(2^n - 2^{n/2})$. $\Box$

Definition 13 (Correlation immunity) [15, 98, 110] Let $0 < k < n$. The function $f(x)$ on $V_n$ is k-th order correlation immune if its Walsh-Hadamard transform satisfies:

$$F(a) = 0, \quad \text{for } 1 \le wt(a) \le k,$$

where $wt(a)$ is the Hamming weight of a vector $a \in V_n$. To distinguish it from the general Walsh-Hadamard transform of a function, the transform of a correlation immune function is denoted as $r(a)$, i.e.

$$r(a) = F(a) = \sum_{x \in V_n} (-1)^{f(x) \oplus a \cdot x}$$

Correlation immune functions play an important role in several aspects of cryptography such as, for instance, the design of running-key generators in stream ciphers which resist the correlation attack [98] or the design of hashing functions [87]. The most general definition is given over finite alphabets [13]: let $A$ be a finite alphabet; a function from $A^n$ to $A^m$ is t-th order correlation immune if the probability distribution of the output vector $f(x_1, \ldots, x_n)$ is unaltered when at most $t$ of the variables $x_1, \ldots, x_n$ are fixed, where $x_1, \ldots, x_n$ are random input variables assuming values from $A$ with independent equivalent probability distributions. For Boolean functions, a function $f(x)$ has k-th order correlation immunity if $f(x) \oplus a \cdot x$ is balanced for all $1 \le wt(a) \le k$.

Lemma 10 [15] Let $f(x)$ be a k-th order correlation immune function on $V_n$ and $d$ be the algebraic degree of $f$. Then $d \le n - k$. Moreover if $f$ is balanced then $d < n - k$ unless $k = n - 1$.

In the paper [98], T. Siegenthaler showed that the only possible (n - 1)-th order correlation immune functions are

$$f(x) = x_1 \oplus x_2 \oplus \cdots \oplus x_n \oplus c, \qquad c = 0, 1,$$

and also gave a way to construct, by iteration, a limited family of k-th order correlation immune functions: a k-th order correlation immune function is obtained from two linear functions of m - (k + 1) variables.

Definition 14 (Auto-correlation) Let $f(x)$ be a function on $V_n$. Then the function

$$\Delta(a) = \langle \xi(0), \xi(a) \rangle = \sum_{x \in V_n} (-1)^{f(x) \oplus f(x \oplus a)}$$

is called auto-correlation immune.

The value of auto-correlation immunity of a Boolean function is a real integer in the range $[-2^n, 2^n]$. For the vectors $a$ such that $\Delta(a) = \pm 2^n$, the Boolean function has linear structure. As $a$ runs through all the vectors in $V_n$, the values of $\Delta(a)$ form a real integer sequence. Like the Hadamard-Walsh transform of the sequence of a Boolean function, the Hadamard-Walsh transform of the sequence of auto-correlation immunity is defined as $\sum_{a \in V_n} \Delta(a)(-1)^{\lambda \cdot a}$.

Lemma 11 Let $\Delta(a)$ be the auto-correlation of $f(x)$ for the vector $a \in V_n$. Then the Hadamard-Walsh transform of $\Delta(a)$ is

$$\sum_{a \in V_n} \Delta(a)(-1)^{a \cdot \lambda} = F^2(\lambda), \qquad \lambda \in V_n,$$

where $F(\lambda)$ is the Hadamard-Walsh transform of $f(x)$ with respect to the vector $\lambda \in V_n$.

Proof. According to the definition of auto-correlation, there is

$$\sum_{a \in V_n} \Delta(a)(-1)^{a \cdot \lambda} = \sum_{a \in V_n} \sum_{x \in V_n} (-1)^{f(x) \oplus f(x \oplus a) \oplus a \cdot \lambda}.$$

Since the sum is over the whole space $V_n$, $y$ is substituted for $x \oplus a$ in the above equation. Then one has

$$\sum_{a \in V_n} \Delta(a)(-1)^{a \cdot \lambda} = \sum_{x \in V_n} (-1)^{f(x) \oplus \lambda \cdot x} \sum_{y \in V_n} (-1)^{f(y) \oplus \lambda \cdot y} = F^2(\lambda). \qquad \Box$$

Definition 15 The difference of a Boolean function with respect to a vector $a \in V_n$ is defined by $f(x) \oplus f(x \oplus a)$. Then the differential distribution matrix is defined by

$$D(f) = [(-1)^{f(a_i) \oplus f(a_i \oplus a_j)}]$$

which is also called the differential distribution table.

The matrix $D(f)$ is tightly related with the propagation criteria. The first row of the matrix is always the ±1 sequence of $f(x)$, the first column of the matrix is all 1s, and the diagonal is the ±1 sequence of $f(x) \oplus f(0)$. Let $\xi(0) = (a_0, a_1, \ldots, a_{2^n-1})$ and $\xi(a) = (b_0, b_1, \ldots, b_{2^n-1})$ be ±1 sequences for functions $f(x)$ and $f(x \oplus a)$ respectively. Therefore, $\xi(0) \times \xi(a)$ is the sequence of function $f(x) \oplus f(x \oplus a)$.

Lemma 12 Let $f$ be a function on $V_n$. Then the Hamming weight of $f(x) \oplus f(x \oplus a)$ is equal to $2^{n-1} - \frac{1}{2}\Delta(a)$.

Proof. Let $A$ denote the number of 1s in the sequence $\xi(0) \times \xi(a)$ and $B$ denote the number of -1s. Then the Hamming weight of $f(x) \oplus f(x \oplus a)$ is the number $B$.

$$\left. \begin{array}{l} A - B = \Delta(a) \\ A + B = 2^n \end{array} \right\} \implies B = 2^{n-1} - \frac{1}{2}\Delta(a). \qquad \Box$$

The auto-correlation $\Delta(a) = 0$ if and only if the function $f(x) \oplus f(x \oplus a)$ is balanced, which corresponds to the fact that $f(x)$ satisfies the propagation criteria with respect to $a$. If $\Delta(a) = \pm 2^n$, the propagation, $f(x) \oplus f(x \oplus a)$, is constant, which corresponds to the fact that the function has linear structure with respect to $a$ [62]. Looking at the value of $\sum_{a \in V_n} \Delta^2(a)$, for good propagation criteria, one would like it to be as small as possible. Note that the first row of $MM^T$ is $[\Delta(a_0), \Delta(a_1), \ldots, \Delta(a_{2^n-1})]$, where $M$ is the matrix of a Boolean function on $V_n$. The following equation is true.

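Lemma 13 Let $f(x)$ be a function on $V_n$. Then

$$[\Delta(a_0), \Delta(a_1), \ldots, \Delta(a_{2^n-1})] H_n = [\langle \xi, l_0 \rangle^2, \langle \xi, l_1 \rangle^2, \ldots, \langle \xi, l_{2^n-1} \rangle^2].$$

Proof. Let $L$ denote the matrix with entries

$$L_{ij} = \begin{cases} 0 & \text{for } i \neq j, \\ \langle \xi, l_i \rangle^2 & \text{for } i = j, \end{cases} \qquad i, j = 0, 1, \ldots, 2^n - 1.$$

Then the first row of $2^{-n} H_n L H_n$ is

$$2^{-n} [\langle \xi, l_0 \rangle^2, \langle \xi, l_1 \rangle^2, \ldots, \langle \xi, l_{2^n-1} \rangle^2] H_n = 2^{-n} \xi' H_n,$$

where $\xi' = [\langle \xi, l_0 \rangle^2, \langle \xi, l_1 \rangle^2, \ldots, \langle \xi, l_{2^n-1} \rangle^2]$. Thus one has

$$[\Delta(a_0), \Delta(a_1), \ldots, \Delta(a_{2^n-1})] = 2^{-n} [\langle \xi, l_0 \rangle^2, \langle \xi, l_1 \rangle^2, \ldots, \langle \xi, l_{2^n-1} \rangle^2] H_n.$$

Both sides of the above equation are multiplied by $H_n$ on the right and then the lemma is proven. $\Box$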

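Lemma 14 Let $\xi$ be the sequence of $f$. Then the following relations hold,

$$\sum_{a \in V_n} \Delta^2(a) = 2^{-n} \sum_{i=0}^{2^n-1} \langle \xi, l_i \rangle^4 \tag{2.9}$$

where $l_i$ ($i = 0, 1, \ldots, 2^n - 1$) are linear sequences.

a) $2^{2n} \le \sum_{a \in V_n} \Delta^2(a) \le 2^{3n}$;

b) $\sum_{a \in V_n} \Delta^2(a) = 2^{2n}$ if and only if $f$ is a bent function;

c) $\sum_{a \in V_n} \Delta^2(a) = 2^{3n}$ if and only if $f$ is an affine function.

Proof. From Lemma 13 one has

$$\begin{aligned}
2^n \sum_{a \in V_n} \Delta^2(a)
&= [\Delta(a_0), \Delta(a_1), \ldots, \Delta(a_{2^n-1})] H_n H_n^T [\Delta(a_0), \Delta(a_1), \ldots, \Delta(a_{2^n-1})]^T \\
&= [\langle \xi, l_0 \rangle^2, \langle \xi, l_1 \rangle^2, \ldots, \langle \xi, l_{2^n-1} \rangle^2][\langle \xi, l_0 \rangle^2, \langle \xi, l_1 \rangle^2, \ldots, \langle \xi, l_{2^n-1} \rangle^2]^T \\
&= \sum_{i=0}^{2^n-1} \langle \xi, l_i \rangle^4,
\end{aligned}$$

which derives the equation (2.9). Since

$$2^{2n} \le \sum_{a \in V_n} \Delta^2(a) = 2^{-n} \sum_{i=0}^{2^n-1} \langle \xi, l_i \rangle^4 \le 2^{-n} \left( \sum_{i=0}^{2^n-1} \langle \xi, l_i \rangle^2 \right)^2$$

and

$$\sum_{i=0}^{2^n-1} \langle \xi, l_i \rangle^2 = 2^{2n},$$

therefore $\sum_{a \in V_n} \Delta^2(a) \le 2^{3n}$. All the values for $\Delta^2(a)$ are positive integers and $\Delta^2(0) = 2^{2n}$. Therefore $\sum_{a \in V_n} \Delta^2(a) \ge 2^{2n}$. Then the first part of the lemma is proven.

If the function $f(x)$ is bent, $\langle \xi, l_i \rangle = \pm 2^{n/2}$, and then all the values

$$\sum_{a \in V_n} \Delta^2(a) = 2^{-n} \sum_{i=0}^{2^n-1} \langle \xi, l_i \rangle^4 = 2^{-n} \sum_{i=0}^{2^n-1} (\pm 2^{n/2})^4 = 2^{2n}.$$

Since $\Delta^2(0) = 2^{2n}$ and using the above equation, for a bent function one has

$$\sum_{a \neq 0} \Delta^2(a) = 0.$$

Furthermore $\Delta(a) = 0$ ($a \neq 0$). The second part has been proved.

Let $f(x)$ be affine over $V_n$. Then the function $f(x) \oplus f(x \oplus a)$ is always constant. Therefore $\Delta^2(a) = 2^{2n}$ and then $\sum_{a \in V_n} \Delta^2(a) = 2^{3n}$. $\Box$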
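The quantities defined in this section can be computed directly from a truth table, which also lets Parseval's equation, Lemma 11 and equation (2.9) be checked numerically. The Python sketch below is an added example, not code from the thesis; the function names and the three sample functions are chosen here, and a vector $a_j$ is indexed by the integer $j$ with $x_1$ as the most significant bit.

```python
def truth_table(f, n):
    """(0,1) sequence (f(a_0), ..., f(a_{2^n-1})) of a function given as f(x1, ..., xn)."""
    return [f(*[(j >> (n - k)) & 1 for k in range(1, n + 1)]) & 1 for j in range(1 << n)]


def hadamard_transform(seq):
    """seq * H_n for the Sylvester-Hadamard matrix, computed with the fast butterfly."""
    out = list(seq)
    step = 1
    while step < len(out):
        for start in range(0, len(out), 2 * step):
            for k in range(start, start + step):
                u, v = out[k], out[k + step]
                out[k], out[k + step] = u + v, u - v
        step *= 2
    return out


def walsh(tt):
    """F(a_i) = sum over x of (-1)^(f(x) + a_i.x), i.e. the +-1 sequence times H_n."""
    return hadamard_transform([1 - 2 * b for b in tt])


def autocorrelation(tt):
    """Delta(a) = sum over x of (-1)^(f(x) + f(x + a)) for every a in V_n."""
    size = len(tt)
    return [sum(1 - 2 * (tt[x] ^ tt[x ^ a]) for x in range(size)) for a in range(size)]


def nonlinearity(tt):
    """N_f = 2^(n-1) - max|F(a)| / 2."""
    return len(tt) // 2 - max(abs(v) for v in walsh(tt)) // 2


def vanishing_order(values):
    """Largest k such that values[a] == 0 for every a with 1 <= wt(a) <= k."""
    n = len(values).bit_length() - 1
    k = 0
    for w in range(1, n + 1):
        if any(values[a] for a in range(1, len(values)) if bin(a).count("1") == w):
            break
        k = w
    return k


def correlation_immunity_order(tt):
    """Order k of Definition 13 (0 if F(a) is non-zero for some weight-1 vector)."""
    return vanishing_order(walsh(tt))


def propagation_order(tt):
    """Largest k with PC(k); k >= 1 means the function satisfies the SAC."""
    return vanishing_order(autocorrelation(tt))


def linear_structures(tt):
    """Non-zero vectors a with Delta(a) = +-2^n, i.e. f(x) + f(x + a) constant."""
    return [a for a, d in enumerate(autocorrelation(tt)) if a and abs(d) == len(tt)]


def identities_hold(tt):
    """Parseval's equation, Lemma 11 and equation (2.9) for this function."""
    size, F, D = len(tt), walsh(tt), autocorrelation(tt)
    parseval = sum(v * v for v in F) == size * size
    lemma_11 = hadamard_transform(D) == [v * v for v in F]
    eq_2_9 = size * sum(d * d for d in D) == sum(v ** 4 for v in F)
    return parseval and lemma_11 and eq_2_9


# Constructed sample functions (not taken from the thesis).
BENT = truth_table(lambda x1, x2, x3, x4: (x1 & x2) ^ (x3 & x4), 4)
AFFINE = truth_table(lambda x1, x2, x3: x1 ^ x2 ^ x3, 3)
MIXED = truth_table(lambda x1, x2, x3: (x1 & x2) ^ x3, 3)

if __name__ == "__main__":
    for name, tt in (("bent", BENT), ("affine", AFFINE), ("mixed", MIXED)):
        print(name, nonlinearity(tt), propagation_order(tt),
              correlation_immunity_order(tt), linear_structures(tt), identities_hold(tt))
```
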

2.5 Construction of affine sequences

All affine functions are well-defined by sequences obtained using a recursive method.

The (00), (01), (10) and (11) are all sequences on $V_1$ and all are affine. All the concatenations of (00) and (11) form 4 affine sequences; the other pairs (01) and (10) form another 4 affine sequences; these are all the affine sequences on $V_2$. For any affine function, there is the following lemma.

Lemma 15 Let $\varphi^{(n)}(x)$ be an affine function on $V_n$. Let the restriction, $x_n = 0$ (or $x_n = 1$), of $\varphi^{(n)}(x)$ on $V_{n-1}$ be the affine function $\varphi^{(n-1)}(x)$. Then for $x_n = 1$ (or $x_n = 0$), the restriction on $V_{n-1}$ is either $\varphi^{(n-1)}(x)$ or $1 \oplus$

Proof. The proof of lemma 15 is by contradiction. Now the function ^n\x) is affine

n l n on Vn. Assume that (1) the function (f^ ~ ^(x) is the restriction of ^ \x) with xn = 0,

n (n) n l)l (2) the function ^ ~^'(x) is the restriction of

(n_1 xn = 0 and the second half of the entries are the sequence of

n l) {n l) {n l) ^ ~ (x) © xn{

By assumption (3), the function (2.10) is not affine, which contradicts the enunciation of the lemma. Therefore the lemma has been proven. •

From the lemma 15, the following corollary is obviously true.

Corollary 2 Let £ be a affine sequence on Vn . Start from the first entry of £, divide

s l £ into 2 equal sub-sequences, ^,^2, • • • ,&*, with length 2 (s + t~n). Then each of

the sub-sequences is still an affine sequence on Vt.

Any affine function on Vn can be represented by

ip(x) = C0 © CiXi © C2X2 0 • • • © CnXn

where a € GF(2), i = 0,1,2, • • -n. The first 2* entries of the sequence ip(x) form a

sub-sequence on Vt and its function is

it is affine.

the second sub-sequence is $\varphi_1(x) \oplus c_{t+1}$,

the third one is $\varphi_1(x) \oplus c_{t+2}$,

the fourth is $\varphi_1(x) \oplus c_{t+1} \oplus c_{t+2}$,

and the last one is $\varphi_1(x) \oplus c_{t+1} \oplus c_{t+2} \oplus \cdots \oplus c_n$.

The above proves that corollary 2 is true. The lemma in paper [101] (Folklore lemma) can be restated as the following lemma.

Lemma 16 Let $\xi_1, \xi_2, \cdots, \xi_{2^t}$ and $\bar{\xi}_1, \bar{\xi}_2, \cdots, \bar{\xi}_{2^t}$ be all the affine sequences on $V_t$, where $\bar{\xi}_i$ is the complement of $\xi_i$. Then any affine sequence on $V_n$ can be represented by the concatenation of sub-sequences $\eta_i$, i.e. $(\eta_1\ \eta_2\ \cdots\ \eta_{2^t})$, with the conditions:

1. The first sub-sequence $\eta_1$ is one of the sub-sequences in $\{\xi_1, \xi_2, \cdots, \xi_{2^t}, \bar{\xi}_1, \bar{\xi}_2, \cdots, \bar{\xi}_{2^t}\}$.

2. The second sub-sequence $\eta_2$ is equal to $\eta_1$ or $\bar{\eta}_1$.

3. The next two sub-sequences $(\eta_3\ \eta_4)$ are equal to $(\eta_1\ \eta_2)$ or $(\bar{\eta}_1\ \bar{\eta}_2)$.

4. The next four sub-sequences are equal to the first four, $\eta_1, \eta_2, \eta_3, \eta_4$, or their complements respectively.

The last $2^{t-1}$ sub-sequences are equal to the first $2^{t-1}$ sub-sequences or their complements respectively.
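The recursive construction of this section, as an added Python example (not code from the thesis). It starts from the one-entry sequences 0 and 1 rather than from $V_1$, compares the result with direct evaluation of $c_0 \oplus c_1x_1 \oplus \cdots \oplus c_nx_n$, and tests Corollary 2 and the doubling conditions of Lemma 16; all function names are this example's own.

```python
from itertools import product


def complement(seq):
    return tuple(1 - b for b in seq)


def affine_sequences(n):
    """Recursive construction: start from the sequences 0 and 1, then extend
    every sequence xi to (xi xi) and (xi complement(xi)), n times (Lemma 15)."""
    seqs = {(0,), (1,)}
    for _ in range(n):
        seqs = {s + t for s in seqs for t in (s, complement(s))}
    return seqs


def affine_sequences_direct(n):
    """Truth tables of c0 + c1*x1 + ... + cn*xn over GF(2), for comparison."""
    tables = set()
    for c in product((0, 1), repeat=n + 1):
        tables.add(tuple(
            (c[0] + sum(ci & xi for ci, xi in zip(c[1:], x))) % 2
            for x in product((0, 1), repeat=n)))
    return tables


def split(seq, t):
    """Cut seq into consecutive sub-sequences of length 2**t (Corollary 2)."""
    size = 1 << t
    return [seq[i:i + size] for i in range(0, len(seq), size)]


def satisfies_lemma16(seq, t):
    """Lemma 16: eta_1 is affine on V_t, and each following group of
    1, 2, 4, ... sub-sequences repeats the whole prefix or its complement."""
    eta = split(tuple(seq), t)
    if eta[0] not in affine_sequences(t):
        return False
    k = 1
    while k < len(eta):
        prefix, group = eta[:k], eta[k:2 * k]
        if group != prefix and group != [complement(e) for e in prefix]:
            return False
        k *= 2
    return True


def count_lemma16(n, t):
    """Number of 0/1 sequences of length 2**n that pass the Lemma 16 test."""
    return sum(satisfies_lemma16(s, t) for s in product((0, 1), repeat=1 << n))


if __name__ == "__main__":
    for n in range(1, 5):
        same = affine_sequences(n) == affine_sequences_direct(n)
        print(n, len(affine_sequences(n)), same)
    print("sequences of length 8 passing Lemma 16 (t = 1):", count_lemma16(3, 1))
```
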

Affine sequences are based on affine sub-sequences only.

Chapter 3

Bent Boolean functions and their constructions

Bent functions were first described by Rothaus in 1976 [81]. They are a special class of Boolean functions that are, in some sense, the farthest from affine functions. Bent functions are of interest in several areas of cryptology, coding theory, logic synthesis and spread spectrum signal carriers [48, 51, 52, 58, 60, 61, 67, 107]. The original paper of O.S. Rothaus considered binary bent functions only. Here they are called bent Boolean functions. The Hamming weight of a bent function can only be one of the two values $2^{n-1} \pm 2^{n/2-1}$. One uses sequences to represent the definition of bent functions: this is exactly equivalent to the definition in the paper [81]. Here bent functions are discussed via their polynomial forms and by sequences respectively. Also Boolean functions related to bent functions such as partially bent and plateaued functions are introduced. Although not much here is new about bent functions, it is necessary to give an understanding of bent functions in the author's own language. Some examples are given.

3.1 Bent functions and their basic properties

Definition 16 Let $f(x)$ be a Boolean function on $V_n$. If the Walsh-Hadamard transform of the function satisfies

$$F(\alpha) = \sum_{x \in V_n} (-1)^{f(x) \oplus \alpha \cdot x} = \pm 2^{n/2} \quad \forall \alpha \in V_n, \qquad (3.1)$$

then the function $f(x)$ is said to be a bent function.

Bent functions are special Boolean functions over $V_n$. There are many properties which identify bent functions. Here some properties of bent functions are listed with their proofs, which can also be found in the literature, such as papers [17, 19, 22, 44, 45, 46, 48, 51, 60, 67, 77, 81, 108, 111].


Property 1 Any bent function on $V_n$ has Hamming weight either $2^{n-1} - 2^{n/2-1}$ or $2^{n-1} + 2^{n/2-1}$.

Proof. It is noted that $\alpha \cdot x$ is a linear function. It is seen that $\pm 2^{n/2}$ is the difference of the number of 1s and the number of 0s of the function $f(x) \oplus \alpha \cdot x$ as $x$ runs through each vector in $V_n$. Let $N_-$ denote the number of vectors such that $f(x) \oplus \alpha \cdot x = 1$ and $N_+$ the number of vectors such that $f(x) \oplus \alpha \cdot x = 0$. Then $N_+ - N_- = \pm 2^{n/2}$ and $N_+ + N_- = 2^n$. Solving the two equations, we get $N_- = 2^{n-1} \pm 2^{n/2-1}$, which is the Hamming weight of the function $f(x) \oplus \alpha \cdot x$. Therefore it is proved that a bent function has Hamming weight either $2^{n-1} - 2^{n/2-1}$ or $2^{n-1} + 2^{n/2-1}$. □

Property 2 A bent function has nonlinearity $2^{n-1} - 2^{n/2-1}$, which is the maximum value of nonlinearity for all Boolean functions on $V_n$. Conversely, if a Boolean function has nonlinearity $2^{n-1} - 2^{n/2-1}$ on $V_n$, then the function is bent.

Proof. The function $f(x) \oplus \alpha \cdot x$ takes the value 1 either $2^{n-1} + 2^{n/2-1}$ or $2^{n-1} - 2^{n/2-1}$ times and $\alpha$ is arbitrary. Then, by the definition of nonlinearity, the smaller number is the nonlinearity of the bent function $f(x)$. Lemma 9 tells us that $2^{n-1} - 2^{n/2-1}$ is the maximum value of the nonlinearity.

Assume that the function $f(x)$ has nonlinearity $2^{n-1} - 2^{n/2-1}$, where $n$ is even. Then there exists at least one $\alpha \in V_n$ such that $f(x) \oplus \alpha \cdot x$ has Hamming weight $2^{n-1} - 2^{n/2-1}$ and $wt(f) > 2^{n-1} - 2^{n/2-1}$. If there were another $\alpha \in V_n$ such that $wt(f \oplus \alpha \cdot x) > 2^{n-1} - 2^{n/2-1}$, one would find an affine function, $1 \oplus \alpha \cdot x$, such that $wt(f \oplus \alpha \cdot x \oplus 1) < 2^{n-1} - 2^{n/2-1}$, which is a contradiction with the assumption. Therefore, any vector $\alpha \in V_n$ such that $wt(f \oplus \alpha \cdot x) > 2^{n-1} - 2^{n/2-1}$ cannot be found and thus the function is bent. □

Property 3 Bent Boolean functions exist only on $V_n$ with $n$ an even positive integer.

Proof. From the definition of bent functions, the Walsh-Hadamard transform $F(\alpha)$ of a bent function has the value either $+2^{n/2}$ or $-2^{n/2}$. Since the values of the Walsh-Hadamard transform of a bent function must be integers for Boolean functions, the size of the space must be even. Thus property 3 is proven. □

Property 4 Let $f(x)$ be a bent function and $\varphi(x)$ any affine function on $V_n$. Then the function $f(x) \oplus \varphi(x)$ is bent on $V_n$.

Proof. In formula (3.1), $\alpha \cdot x$ is an affine function over $V_n$. The function $\alpha \cdot x \oplus \varphi(x)$ is still an affine function and can be written as $\alpha' \cdot x \oplus c$ where $c \in GF(2)$. If $c = 0$, definition 16 is obtained. If $c = 1$, it changes the sign $\pm$ to $\mp$ in the formula (3.1). Therefore property 4 is true. □

Property 5 Let $A$, a nonsingular matrix with all entries in $GF(2)$, be the transformation matrix of the variables $(x_1, \cdots, x_n)$. Then the function $f(xA \oplus \beta)$ is bent if and only if $f(x)$ is bent, for any $\beta \in V_n$.

Proof. Because the matrix $A$ is nonsingular, the transformation is linear over $V_n$. Let $x' = xA \oplus \beta$. So $\alpha \cdot x$ is affine and $\alpha \cdot (x' \oplus \beta)A^{-1}$ is also affine. The $\alpha \cdot (x' \oplus \beta)A^{-1}$ can be rewritten as $\alpha' \cdot x' \oplus c$ where $c \in GF(2)$. Then the Walsh-Hadamard transform of the function $f(xA \oplus \beta)$ is

$$\sum_{x' \in V_n} (-1)^{f(x') \oplus \alpha' \cdot x' \oplus c} = \pm 2^{n/2} \quad \forall \alpha \in V_n.$$

Therefore property 5 is true. □

Suppose the matrix $H_n$ is a Sylvester-Hadamard matrix. Then $-H_n$ is also a Sylvester-Hadamard matrix. Combining with property 4, one can generalize the formula (3.1), the definition of bent function, to

$$\sum_{x \in V_n} (-1)^{f(x) \oplus \varphi(x)} = \pm 2^{n/2} \qquad (3.2)$$

where

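Property 6 Let $f(x)$ be a bent function on $V_n$. Then $f(x) \oplus f(x \oplus \alpha)$ is balanced for all $1 \le wt(\alpha) \le n$, i.e. bent functions have n-th order propagation criteria.

Proof. Let $f(x)$ be a bent function on $V_n$. The function $f(x) \oplus f(x \oplus \alpha)$ is balanced if and only if

$$\sum_{x \in V_n} (-1)^{f(x) \oplus f(x \oplus \alpha)} = 0, \quad \alpha \neq 0.$$

Let $\ell_i$, $i = 0, 1, 2, \cdots, 2^n - 1$, denote linear sequences over $V_n$ and $\xi$ be the bent sequence of a bent function on $V_n$. Then one has $\langle \xi, \ell_i \rangle = \pm 2^{n/2}$ and

$$\sum_{x \in V_n} (-1)^{f(x) \oplus f(x \oplus \alpha)} = \xi\, \xi^t(\alpha) = 2^{-n}\, \xi H_n H_n \xi^t(\alpha).$$

Since $\xi$ is a bent sequence, we have $\xi H_n = 2^{n/2} \zeta$. Similarly,

$$H_n \xi^t(\alpha) = 2^{n/2} \begin{pmatrix} (-1)^{\alpha \cdot \alpha_0} & \cdots & 0 \\ \vdots & \ddots & \vdots \\ 0 & \cdots & (-1)^{\alpha \cdot \alpha_{2^n-1}} \end{pmatrix} \zeta^t.$$

Therefore

$$\sum_{x \in V_n} (-1)^{f(x) \oplus f(x \oplus \alpha)} = \pm 2^{-n}\, \xi H_n H_n \xi^t(\alpha) = \pm \zeta \begin{pmatrix} (-1)^{\alpha \cdot \alpha_0} & \cdots & 0 \\ \vdots & \ddots & \vdots \\ 0 & \cdots & (-1)^{\alpha \cdot \alpha_{2^n-1}} \end{pmatrix} \zeta^t = \pm \sum_{i=0}^{2^n-1} (-1)^{\alpha \cdot \alpha_i}.$$

It is observed that the sequence $\alpha \cdot x$ is balanced. The above summation is 0 as required. □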

From the property 6 and definition 8, the following corollary is obtained.

Corollary 3 Bent functions on Vn satisfy the propagation criteria with respect to all vectors in Vn except for 0.

Property 7 The ±1 matrix M of a bent function f(x) on Vn is a Hadamard matrix.

Proof. The matrix of a bent function $f(x)$ on $V_n$ is $M = [(-1)^{f(\alpha_i \oplus \alpha_j)}]$. Since $f(\alpha_i \oplus \alpha_j) = f(\alpha_j \oplus \alpha_i)$, the transpose of $M$ equals itself, i.e. $M^t = M$. Thus there is

$$M M^t = \left[ \sum_{k=0}^{2^n-1} (-1)^{f(\alpha_i \oplus \alpha_k) \oplus f(\alpha_k \oplus \alpha_j)} \right].$$

For $i \neq j$, the function $f(\alpha_i \oplus \alpha_k) \oplus f(\alpha_k \oplus \alpha_j)$ is balanced (property 6) and then the sum is zero. For $i = j$, the sum is $2^n$, which happens only on diagonal elements. According to the definition of Hadamard matrices, the matrix $M$ is a Hadamard matrix. □

Property 7 says that each bent function $f$ on $V_n$ corresponds to a $2^n \times 2^n$ Hadamard matrix. The matrices of bent functions are Menon-type Hadamard matrices.

Property 8 Let $\xi$ be the bent sequence of a bent function $f(x)$ on $V_n$. Then the sequence $2^{-n/2} H_n \xi^t$ is also a bent sequence, where $H_n$ is the order $2^n$ Sylvester-Hadamard matrix.

Proof. The Sylvester-Hadamard matrix can be written as $[(-1)^{\alpha_i \cdot \alpha_j}]$. The formula (3.1) is rewritten as

$$F'(\alpha) = \pm 2^{-n/2} \sum_{x \in V_n} (-1)^{f(x) \oplus \alpha \cdot x} = \pm 1.$$

As $\alpha$ runs through the whole space, one gets a ±1 sequence

$$\zeta = (F'(\alpha_0), F'(\alpha_1), \cdots, F'(\alpha_{2^n-1})).$$

Now the formula $\zeta^t = 2^{-n/2} H_n \xi^t$ is

$$\zeta^t = \pm 2^{-n/2} \Big[ \sum_{x \in V_n} (-1)^{\alpha \cdot x} (-1)^{f(x)} \Big] = \pm 2^{-n/2} [(-1)^{\alpha_i \cdot \alpha_j}]\, [(-1)^{f(\alpha_j)}] = \pm 2^{-n/2} H_n \xi^t = \zeta^t.$$

If $\zeta$ is a bent sequence, its Walsh-Hadamard transform must be a $\pm 2^{n/2}$ sequence.

$$H_n \zeta^t = H_n(\pm 2^{-n/2} H_n \xi^t) = \pm 2^{-n/2} H_n H_n \xi^t = \pm 2^{n/2} \xi^t.$$

Therefore the sequence $\zeta = \pm 2^{-n/2} H_n \xi^t$ is bent. □

Before the next property is given, some concepts of difference sets of a group should be introduced. Let $G$ be an Abelian group of order $v$ and $D$ a subset of $G$. The set $D$ is called a $(v, k, \lambda)$-difference set [52] in $G$ if for each nonzero element $g \in G$ there exist $\lambda$ solutions

$$g = d_i - d_j, \quad d_i, d_j \in D. \qquad (3.3)$$

The difference set $D$ is called a Hadamard difference set [52] if for each element $g \in G$ there are $\lambda$ solutions to formula (3.3) and $v = 4(k - \lambda)$. A Hadamard difference set is denoted by $D$-$(v, k, \lambda)$. Since each of the $v - 1$ nonzero elements in $G$ occurs $\lambda$ times among the $k(k-1)$ nonzero differences of elements in $D$, the parameters of a difference set must satisfy the equation

$$\lambda(v - 1) = k(k - 1). \qquad (3.4)$$

Every Abelian group $G$ of order $v$ contains trivial difference sets with parameters

$$(v, 0, 0) \quad (v, v, v) \quad (v, 1, 0) \quad (v, v-1, v-2)$$

Let $[d_{\alpha\beta}]$ ($\alpha, \beta \in G$) be a (0,1) $v \times v$ matrix whose entries

$$d_{\alpha\beta} = \begin{cases} 1, & \text{if } \alpha - \beta \in D; \\ 0, & \text{otherwise.} \end{cases}$$

Lemma 17 D is a (v, k, X)-difference set for the Abelian group G if and only if

2 [da0] = (k- A)/ - A J

where J is all 1 matrix and I is identity.

The proof of lemma 17 and more detail about difference sets can be found in chapter 11 of the book [54] and other combinatorial books such as [42, 105]. The n-variable Boolean space is an Abelian group $(G, \oplus)$ of order $2^n$. If $\beta = \alpha_i \oplus \alpha_j$ and $\beta = \alpha_j \oplus \alpha_i$ are considered as two solutions, then the following relationship between a bent function and a Hadamard difference set in the space $V_n$ holds.

Property 9 If the Boolean space $V_n$ is considered as an additive group, $(G, \oplus)$ with the order $2^n$, then the group is Abelian. Let $f(x)$ be a bent function on $V_n$. Then the subset $D$ of $V_n$ such that

$$D = \{\alpha \mid f(\alpha) = 1,\ \alpha \in V_n\}$$

is a Hadamard difference set with parameters $(2^n,\ 2^{n-1} \pm 2^{n/2-1},\ 2^{n-2} \pm 2^{n/2-1})$.

Proof. For a bent function $f(x)$ on $V_n$, the ±1 matrix $M = [(-1)^{f(\alpha_i \oplus \alpha_j)}]$ of $f(x)$ is considered to be the matrix $[d_{ij}]^*$. So $[d_{ij}]^*$ is a Hadamard matrix. In the matrix $[d_{ij}] = \frac{1}{2}(J - [d_{ij}]^*)$, the entry $d_{ij}$ equals $\frac{1}{2}(1 - (-1)^{f(\alpha_i \oplus \alpha_j)})$. So the entries such that $d_{ij} = 1$ correspond to the set of vectors $\alpha$ such that $f(\alpha) = 1$. According to lemma 17, the set $\{\alpha \mid f(\alpha) = 1\}$ is a Hadamard difference set with parameters $(2^n,\ 2^{n-1} \pm 2^{n/2-1},\ 2^{n-2} \pm 2^{n/2-1})$. □
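The properties of this section checked on a concrete function, as an added Python example (not code from the thesis). The sample $f = x_1x_2 \oplus x_3x_4$ on $V_4$, the non-bent contrast $x_1x_2$, the packing of vectors into integers and all function names are choices of this example.

```python
def dot(a, x):
    """Inner product over GF(2) of two vectors packed into integers."""
    return bin(a & x).count("1") & 1


def walsh(tt):
    """F(alpha) = sum_x (-1)^(f(x) XOR alpha.x) for every alpha (formula 3.1)."""
    size = len(tt)
    return [sum((-1) ** (tt[x] ^ dot(a, x)) for x in range(size))
            for a in range(size)]


def is_bent(tt):
    """Definition 16: every transform value is +-2^(n/2)."""
    n = len(tt).bit_length() - 1
    return n % 2 == 0 and all(abs(w) == 1 << (n // 2) for w in walsh(tt))


def nonlinearity(tt):
    """Distance to the nearest affine function: 2^(n-1) - max|F| / 2."""
    return len(tt) // 2 - max(abs(w) for w in walsh(tt)) // 2


def derivatives_balanced(tt):
    """Property 6: f(x) XOR f(x XOR a) is balanced for every a != 0."""
    size = len(tt)
    return all(sum(tt[x] ^ tt[x ^ a] for x in range(size)) == size // 2
               for a in range(1, size))


def is_hadamard(tt):
    """Property 7: M = [(-1)^f(a_i XOR a_j)] satisfies M M^t = 2^n I."""
    size = len(tt)
    m = [[(-1) ** tt[i ^ j] for j in range(size)] for i in range(size)]
    return all(sum(m[i][k] * m[j][k] for k in range(size)) == (size if i == j else 0)
               for i in range(size) for j in range(size))


def difference_set_parameters(tt):
    """Property 9: return (v, k, lambda) if D = {a : f(a) = 1} is a difference
    set in (V_n, XOR), else None. The ordered pairs (d_i, d_j) and (d_j, d_i)
    are counted as two solutions, as in the text."""
    size = len(tt)
    d = [a for a in range(size) if tt[a]]
    counts = {sum(1 for x in d if tt[x ^ g]) for g in range(1, size)}
    return (size, len(d), counts.pop()) if len(counts) == 1 else None


# Constructed samples on V_4; bit i of the index holds x_(i+1).
BENT = [(x & 1) & (x >> 1 & 1) ^ (x >> 2 & 1) & (x >> 3 & 1) for x in range(16)]
NOT_BENT = [(x & 1) & (x >> 1 & 1) for x in range(16)]

if __name__ == "__main__":
    for name, tt in (("x1x2 + x3x4", BENT), ("x1x2", NOT_BENT)):
        print(name, "bent:", is_bent(tt), "weight:", sum(tt),
              "nonlinearity:", nonlinearity(tt),
              "difference set:", difference_set_parameters(tt))
```
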

3.2 Constructions for bent functions

In this section general constructions for bent functions are given. The proofs of the constructions can be found in the literature. The constructions of bent functions are mainly contributed by O.S. Rothaus, J. Dillon, F. McFarland and C. Carlet. The following two lemmas, which were published in the paper [81], are used to construct bent functions from known bent functions.

Lemma 18 Let $g(x)$ be a bent function on $V_m$ and $h(y)$ a bent function on $V_n$. Then the function

$$f(x, y) = g(x) \oplus h(y), \quad x \in V_m,\ y \in V_n$$

is bent on $V_{m+n}$, where $(x, y) \in V_{m+n}$.

The above statement is written as a lemma as it gives an important structural feature of bent functions. The proof is obtained by using the definition of bent functions directly. Let $\alpha = (\beta, \gamma)$ with $\beta \in V_m$ and $\gamma \in V_n$. Then the transformation of the function $f(x, y)$ is

$$\sum_{(x,y) \in V_{m+n}} (-1)^{f(x,y) \oplus \alpha \cdot (x,y)} = \sum_{(x,y) \in V_{m+n}} (-1)^{f(x,y) \oplus \beta \cdot x \oplus \gamma \cdot y} = \sum_{x \in V_m} (-1)^{g(x) \oplus \beta \cdot x} \sum_{y \in V_n} (-1)^{h(y) \oplus \gamma \cdot y} = \pm 2^{m/2} \cdot 2^{n/2}$$

as required.

Lemma 19 Let $A(x)$, $B(x)$ and $C(x)$ be bent functions on $V_n$. Let $y, z \in V_1$. If $A(x) \oplus B(x) \oplus C(x)$ is bent, then the function

$$f(x, y, z) = AB \oplus BC \oplus CA \oplus (A \oplus B)y \oplus (A \oplus C)z \oplus yz \qquad (3.5)$$

is a bent function on $V_{n+2}$.

Proof. Let $\alpha$ be a vector on $V_n$. To prove the lemma, one counts the number of 0s or 1s of

$$f(x, y, z) \oplus \alpha \cdot x \oplus a_{n+1} y \oplus a_{n+2} z \qquad (3.6)$$

in which $x = (x_1, \cdots, x_n)$. It is known that the function

$$h(x, z) = A(x) \oplus B(x) \oplus z \oplus a_{n+1}$$

is balanced over $V_{n+1}$. One considers two cases for the above function and counts as follows.

• $h(x, z) = 1$: We use $z = A(x) \oplus B(x) \oplus a_{n+1} \oplus 1$ to replace $z$ in the formula (3.6) and then the formula (3.6) becomes

$$(a_{n+1} \oplus a_{n+2})A(x) \oplus a_{n+2}B(x) \oplus (1 + a_{n+1})C(x) \oplus y \oplus \alpha \cdot x \oplus a_{n+1}a_{n+2} \oplus a_{n+2}$$

which is a balanced function on $V_{n+1}$ and gives $2^n$ 1s or 0s.

• $h(x, z) = 0$: We use $z = A(x) \oplus B(x) \oplus a_{n+1}$ to replace $z$ in the formula (3.6) and then the formula (3.6) becomes

$$(1 \oplus a_{n+1} \oplus a_{n+2})A(x) \oplus a_{n+2}B(x) \oplus a_{n+1}C(x) \oplus \alpha \cdot x \oplus a_{n+1}a_{n+2}$$

which is bent on $V_n$ and gives $2^{n-1} \pm 2^{n/2-1}$ 1s or 0s. Note that the above function is the function (3.6) with the restriction that $h(x, z) = 0$, that is, it is a function on $V_{n+1}$. Since the variable $y$ does not appear in the above function, the above function has $2^n \pm 2^{n/2}$ 1s or 0s.

Combining the above two cases, it is seen that the function always has $2^{n+1} \pm 2^{n/2}$ 1s or 0s for any affine function $\alpha \cdot x \oplus a_{n+1} y \oplus a_{n+2} z$ on $V_{n+2}$. □

In even order spaces, bent functions have maximum nonlinearity. In fact, if a function has nonlinearity $2^{n-1} - 2^{n/2-1}$, then the function is bent.

Definition 17 Let $U$ be a subset of $V_n$. The characteristic functions of $U$ are those functions which satisfy the following equation

$$\phi_U(x) = \begin{cases} 1, & \text{if } x \in U; \\ 0, & \text{otherwise.} \end{cases}$$

Definition 18 Let $U$ be a subset of $V_n$. Then the subset $U^\perp$

$$U^\perp = \{\beta \mid \alpha \cdot \beta = 0,\ \alpha \in V_m,\ \alpha, \beta \in V_n\}$$

is called the dual set of $U$. If the set $U$ is a subspace of $V_n$, then $U^\perp$ is called the dual subspace.

Lemma 20 Let $U$ be a subset of $V_n$. Between the subset $U$ and its dual $U^\perp$, the following relations hold

x&u ( 0 Pi U^; \U\\UL\ = 2n. (3.8>

Proof. Since

$$x \cdot \beta = \begin{cases} 0 & \text{for } \beta \in U^\perp \\ \text{balanced function} & \beta \notin U^\perp; \end{cases}$$

the first equation is true. From the definition of the dual set, the second equation is obvious. □

The Boolean space $V_n$ has itself as a trivial subspace and its dual space is the space containing only the 0 element. Let $V_m$ be a subspace of $V_n$ with $0 < m < n$. Then the intersection of $V_m$ and its dual $V_m^\perp$ is the zero element, i.e. $V_m \cap V_m^\perp = \{0\}$. There is no ideal way to discover all bent functions on a finite Boolean space. Exhaustive searching can give the complete set of bent functions over the lower size Boolean spaces. A few classes of bent functions have been discovered. Here their general structures are listed as follows:

Class-M-M (Maiorana-McFarland [30]) Let $\pi(y)$ be a permutation over space $V_m$ and $g(x)$ a Boolean function on $V_m$. Then the function

$$f(x, y) = x \cdot \pi(y) \oplus g(y), \quad (x, y) \in V_{2m} \qquad (3.9)$$

is bent over $V_{2m}$. The Walsh-Hadamard transform of the bent function

$$F(\alpha) = \sum_{(x,y) \in V_{2m}} (-1)^{f(x,y) \oplus \alpha \cdot (x,y)}, \quad \alpha \in V_{2m}$$

is bent.

Class-D (Dillon [30]) In the paper [17], Carlet named the following class of bent functions as Class-D because the original idea came from J.F. Dillon. The class of all Boolean functions with the form

$$f(x, y) = x \cdot \pi(y) \oplus \phi_U(x, y), \quad (x, y) \in V_n$$

is called class-X>, where U is a subspace of Vn that equals to Ux x U2, and Ex

and are any linear subspaces of Vn such that l^il + \E2\ = \, and 7r is a

permutation on Vn such that ir(E2) = Ex-

Class-C (Carlet [17]) This class of bent function was first discovered by C. Carlet [17]. The set of bent functions on $V_n$

$$f(x, y) = x \cdot \pi(y) \oplus \phi_{L^\perp}(x, y)$$

is called class C, where $\pi$ is a permutation on $V_p$ and $L$ is a linear subspace of $V_p$ such that, for any element $\lambda \in V_p$, the set $\pi^{-1}(\lambda + L^\perp)$ is a flat

L L = {xeVv \yeVn,x-y = 0}

The following form of bent functions was introduced by C. Carlet in the paper [18]. Let $f(x)$ be a Boolean function on $V_n$. Let $E_1, \cdots, E_k$ be p-dimensional subspaces of $V_n$ and $m_1, \cdots, m_k$ (positive or negative) integers. Assume that

$$\sum_{i=1}^{k} m_i \phi_{E_i}(x) = 2^{p-1} \delta_0(x) + f(x).$$

Then f(x) is bent and the Hadamard-Walsh transform cf of / satisfies k 1 E^0Ex(5) = 2*-

Partial Spread Class ($\mathcal{PS}$)

of Vn. The indicator of a r-dimensional subspaces The "disjoint" subspaces mean that the intersection of any two of them is 0 only and therefore the direct sum

of all of them is equal to $V_n$. Dillon denotes partial spread class of bent function by $\mathcal{PS}^-$ and $\mathcal{PS}^+$. $\mathcal{PS}^-$ is the class of bent functions for which the number of n-dimensional subspaces is $2^{n-1}$ and for $\mathcal{PS}^+$ it is $2^{n-1} + 1$. To characterize the algebraic normal form of the bent functions of class $\mathcal{PS}$ is an open problem.

Applying the Hadamard transform to the functions of class M-M (Maiorana-McFarland Class) on $V_n$, one obtains

$$F(\alpha) = \sum_{(x,y) \in V_{2m}} (-1)^{f(x,y) \oplus \alpha \cdot (x,y)} = \sum_{(x,y) \in V_{2m}} (-1)^{x \cdot \pi(y) \oplus g(y) \oplus \alpha \cdot (x,y)}.$$

Rewrite the function $x \cdot \pi(y) \oplus g(y) \oplus \alpha \cdot (x, y)$ as

$$(\alpha' \oplus \pi(y)) \cdot x \oplus \alpha'' \cdot y \oplus g(y)$$

where $\alpha = (\alpha', \alpha'') \in V_{2m}$ and $\alpha' \in V_m$ and $\alpha'' \in V_m$. Then the transform becomes

$$F(\alpha) = \sum_{y \in V_m} (-1)^{\alpha'' \cdot y \oplus g(y)} \sum_{x \in V_m} (-1)^{(\alpha' \oplus \pi(y)) \cdot x}.$$

The sum for $x$ over $V_m$ is zero if $\alpha' \oplus \pi(y) \neq 0$ and is $2^m$ if $\alpha' \oplus \pi(y) = 0$. When $\alpha' \oplus \pi(y) = 0$, there is $y = \pi^{(-1)}\alpha'$, where $\pi^{(-1)}$ is the reverse permutation of $\pi$, i.e. $\pi^{-1}\pi$ is the unit permutation. Therefore the sum for $y$ over $V_m$ is ±1 and

$$F(\alpha) = \sum_{y \in V_m} (-1)^{\alpha'' \cdot y \oplus g(y)} \sum_{x \in V_m} (-1)^{(\alpha' \oplus \pi(y)) \cdot x} = \pm 2^m.$$

Thus it is proven that the class of M-M functions are bent. This class of functions was first published in Rothaus' paper "On 'Bent' Functions" [81].

Since the word 'restriction' is used repeatedly, it is explained as follows. Let $f(x)$ be a function on $V_n$ and $V_m$ its subspace ($m < n$). Then the 'restriction' of $f(x)$ on $V_m$ means that the variables $x_{i_{m+1}}, \cdots, x_{i_n}$ are constants in the function

$$f(x_{i_1}, \cdots, x_{i_m}, x_{i_{m+1}}, \cdots, x_{i_n}).$$
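The constructions of Lemma 18, Lemma 19 and the Maiorana-McFarland class above, as an added Python example (not code from the thesis). The permutation `PI`, the function `G`, the packing of $(x, y)$ into one integer and all names are constructed for this example; the closed form follows the collapse of the inner sum over $x$ in the proof above.

```python
def dot(a, x):
    """Inner product over GF(2) of two vectors packed into integers."""
    return bin(a & x).count("1") & 1


def walsh(tt):
    size = len(tt)
    return [sum((-1) ** (tt[x] ^ dot(a, x)) for x in range(size))
            for a in range(size)]


def is_bent(tt):
    n = len(tt).bit_length() - 1
    return n % 2 == 0 and all(abs(w) == 1 << (n // 2) for w in walsh(tt))


def maiorana_mcfarland(m, pi, g):
    """Truth table of f(x, y) = x.pi(y) XOR g(y) on V_2m (formula 3.9).
    Index layout (an assumption of this example): x in the low m bits, y above."""
    size = 1 << m
    return [dot(x, pi[y]) ^ g[y] for y in range(size) for x in range(size)]


def mm_walsh_closed_form(m, pi, g):
    """F(alpha', alpha'') = 2^m (-1)^(alpha''.y XOR g(y)) with y = pi^-1(alpha'):
    only the y with pi(y) = alpha' survives the inner sum over x."""
    size = 1 << m
    inverse = {pi[y]: y for y in range(size)}
    return [(1 << m) * (-1) ** (dot(a2, inverse[a1]) ^ g[inverse[a1]])
            for a2 in range(size) for a1 in range(size)]


def direct_sum(g, h):
    """Lemma 18: f(x, y) = g(x) XOR h(y), x in the low bits."""
    return [gx ^ hy for hy in h for gx in g]


def rothaus(a, b, c):
    """Lemma 19 (formula 3.5) on V_(n+2); index = x + 2^n * y + 2^(n+1) * z."""
    return [(a[x] & b[x]) ^ (b[x] & c[x]) ^ (c[x] & a[x])
            ^ ((a[x] ^ b[x]) & y) ^ ((a[x] ^ c[x]) & z) ^ (y & z)
            for z in (0, 1) for y in (0, 1) for x in range(len(a))]


# Constructed inputs: a permutation of V_3, an arbitrary g, and a broken "pi".
PI = [3, 6, 0, 5, 1, 7, 2, 4]
G = [0, 1, 1, 0, 1, 0, 0, 1]
NOT_A_PERMUTATION = [3, 3, 0, 5, 1, 7, 2, 4]

# Bent inputs for Lemma 19: A is the inner product on V_4, B and C differ from
# A by linear terms, so A XOR B XOR C is bent by Property 4.
A = maiorana_mcfarland(2, [0, 1, 2, 3], [0, 0, 0, 0])
B = [v ^ (x & 1) for x, v in enumerate(A)]
C = [v ^ (x >> 3 & 1) for x, v in enumerate(A)]

if __name__ == "__main__":
    f = maiorana_mcfarland(3, PI, G)
    print("M-M function bent:", is_bent(f))
    print("closed form matches:", walsh(f) == mm_walsh_closed_form(3, PI, G))
    print("non-permutation bent:", is_bent(maiorana_mcfarland(3, NOT_A_PERMUTATION, G)))
    print("Lemma 18 bent:", is_bent(direct_sum([0, 0, 0, 1], A)))
    print("Lemma 19 bent:", is_bent(rothaus(A, B, C)))
```
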

Lemma 21 Let $U$ be a linear subspace of $V_n$, $f(x)$ a function on $V_n$ and $F(x)$ be the Walsh-Hadamard transformation of $f(x)$. Then for any elements $\alpha$ and $\beta$ in $V_n$, we have

$$\sum_{x \in \alpha \oplus U} (-1)^{f(x) \oplus \beta \cdot x} = 2^{|U| - n/2} (-1)^{\alpha \cdot \beta} \sum_{x \in \beta \oplus U^\perp} (-1)^{F(x) \oplus \alpha \cdot x}.$$

If $U$ has dimension $\frac{n}{2}$ and the restriction of $f(x)$ to $U$ is 0 (or 1), then the restriction of $F(x)$ to $U^\perp$ is 0 (or 1), where the restriction of $f(x)$ to $U$ means that the variables that are not on $U$ are considered as constants as $f(x)$ is evaluated through $U$.

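Proof. According to the definition of the Walsh-Hadamard transform, one has

$$\sum_{x \in \beta \oplus U^\perp} (-1)^{F(x) \oplus \alpha \cdot x} = 2^{-n/2} \sum_{x \in \beta \oplus U^\perp} \sum_{y \in V_n} (-1)^{f(y) \oplus x \cdot y \oplus \alpha \cdot x} = 2^{-n/2} \sum_{y \in V_n} (-1)^{f(y)} \sum_{x \in \beta \oplus U^\perp} (-1)^{(y \oplus \alpha) \cdot x}.$$

By lemma 20, the last sum of the above equation equals $|U^\perp| (-1)^{(y \oplus \alpha) \cdot \beta}$ if $y \oplus \alpha$ belongs to $U$ and equals 0 otherwise. Therefore, the above equation becomes

$$\sum_{x \in \beta \oplus U^\perp} (-1)^{F(x) \oplus \alpha \cdot x} = 2^{-n/2} |U^\perp| \sum_{y \in \alpha \oplus U} (-1)^{f(y) \oplus (y \oplus \alpha) \cdot \beta}$$

and the first part of the lemma holds. For $U$ has dimension $\frac{n}{2}$ and the restriction of $f(x)$ on $U$ is 0 (or 1) if and only if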

E(-i)/(x) = (-i)^ x677 So the conclusion holds. •

Let $E$ be a subspace of $V_n$. Then the subset

$$U = \{\alpha \oplus \beta \mid \text{for all } \beta \in E\},$$

is said to be a linear subspace of $V_n$, where $\alpha \in V_n$. A Boolean function on $V_n$ is called a characteristic function of a subset of $V_n$ if all the values of $f(x)$ on the subset are equal to 1.

Lemma 22 Let $U$ be a $\frac{n}{2}$-dimensional linear subspace of $V_n$ and $\phi_U(x)$ its characteristic function. Let $f(x)$ be a bent function on $V_n$ and its restriction to $U$ be affine. Then the function

$$f(x) \oplus \phi_U(x)$$

is bent over $V_n$ and its Walsh-Hadamard transform is

$$F(x) = F'(x) \oplus \phi_{U^\perp}(x \oplus \alpha)$$

where $\alpha$ is an element in $V_n$ such that the restriction of $f(x)$ to $U$ is the affine function $\alpha \cdot x \oplus c$.

Proof. By the definition of bent function, one calculates the sum of its Walsh-Hadamard transform. Then

V^ (_l)/(z)©

x€V„ xeVn x£U in which one notices that 4>u is a characteristic function on E. Thefirst part of above function is equal to 2n^2F(a). The restriction of f(x) to U is affine. So the second part of the above equation is y"V_l)/(x)©Q-x _ y^7_-|Aa-x xeU x€C a

This class function cannot be considered as an effective one, since there is no single description of all the subspaces. However there is special case in which U equals

the cartesian product of two subspaces Ux and U2 of Vn such that Ux + U2 = | and

•K{J2 = Ux- This will lead to the class of bent functions which is called P-class.

3.3 Constructing bent sequences

One can also use concatenations of sequences to construct bent functions. Adams and Tavares [1] use binary sequences on $V_n$ to construct bent sequences on $V_{n+m}$ and $V_{2n}$. They gave two classes of bent functions: bent-based and linear-based.

Theorem 1 Let $m$, $n$ be positive even integers and $\xi_i$ ($i = 1, 2, \cdots, 2^m$) be ±1 bent sequences on $V_n$. Furthermore, let $\zeta$ be the concatenation of the transforms of these sequences, that is

$$\zeta = (\xi_1\ \xi_2\ \cdots\ \xi_{2^m}).$$

The sequence $\zeta$ is bent on $V_{m+n}$ if and only if the sequence $(b_{1i}\ b_{2i}\ \cdots\ b_{2^m i})$ is bent for all $i$, where $b_{ji}$ is the i-th entry of the sequence $\xi_j$.

Proof. To prove the sequence $\zeta$ is bent, one must show that the sequence $\zeta \in V_{m+n}$.

$$H_{m+n}\zeta = (H_n\xi_1\ H_n\xi_2\ \cdots\ H_n\xi_{2^m})H_m = H_n M H_m,$$

where $M = (\xi_1^t\ \xi_2^t\ \cdots\ \xi_{2^m}^t)$ is a $2^n \times 2^m$ matrix. Each column of $M$ is a bent sequence $\xi_i$. Therefore,

$$H_n M H_m = 2^{n/2} M' H_m.$$

The columns of $M'$ are the Walsh-Hadamard transforms of the columns of $M$. So the columns of $M'$ are bent sequences. If each row of $M'$ is bent on $V_m$, then the above formula becomes

$$H_{m+n}\zeta = H_n M H_m = 2^{n/2} M' H_m = 2^{(m+n)/2} \zeta'.$$

So it is bent. □

To picture the bent-based bent sequences, let, for example, m = 2. Then one

needs four bent sequences on Vn such that each row of that matrix (£[ Q £\ ££) is bent

which means bXi + b2i + bZi + bAi = ±2. If £x = & = 6 = &, denoted by £, is a bent

sequence on Vn then the sequence (£ £ £ — £) is bent sequence on V^+2. Let A(x) be the polynomial representation of £, Then the sequence (f £ £ — £) is the function described by lemma 19. So in this sense, theorem 1 is the extension of the lemma 19.

Theorem 2 (Linear based bent function [112]) Let $H_n$ be a Sylvester-Hadamard matrix and $\ell_i$ its i-th row. Then the sequence

$$\xi = (\ell_1\ \ell_2\ \cdots\ \ell_{2^n})$$

is a bent sequence on $V_{2n}$.

Proof. The proof is straightforward from the definition of bent functions. By lemma 2, each sub-sequence $\ell_i$ with length $2^n$ is linear and all the sub-sequences are different. Let $\ell'_i$ denote the i-th row of the Sylvester-Hadamard matrix $H_{2n}$. Since $\xi$ contains each sub-sequence $\ell_i$ with length $2^n$ once and $\ell'_i$ is the concatenation of $2^n$ copies of the same sub-sequence $\ell_j$ or $2^{n-1}$ copies of the same sub-sequence $\ell_j$ and $1 \oplus \ell_j$, the Hamming weight of $\xi \cdot \ell'_i$ is $2^{2n-1} \pm 2^{n-1}$ only for a row in $H_{2n}$. Therefore the sequence $\xi$ is bent. □
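Theorems 1 and 2 checked numerically, as an added Python example (not code from the thesis). The sample bent sequence `XI` and all names are this example's own, and the condition of Theorem 1 is read as in its proof: the rows are taken from $M'$, whose columns are the normalised transforms $2^{-n/2}H_n\xi_j^t$.

```python
def sylvester_row(i, size):
    """Row i of the Sylvester-Hadamard matrix: entries (-1)^(i.j)."""
    return [(-1) ** (bin(i & j).count("1") & 1) for j in range(size)]


def transform(seq):
    """H_n seq^t for a +-1 sequence of length 2^n."""
    size = len(seq)
    return [sum(h * s for h, s in zip(sylvester_row(i, size), seq))
            for i in range(size)]


def is_bent_sequence(seq):
    n = len(seq).bit_length() - 1
    return n % 2 == 0 and all(abs(w) == 1 << (n // 2) for w in transform(seq))


def dual(seq):
    """2^(-n/2) H_n seq^t, the +-1 sequence of Property 8 (seq must be bent)."""
    n = len(seq).bit_length() - 1
    return [w // (1 << (n // 2)) for w in transform(seq)]


def rows_of_transforms_bent(seqs):
    """Theorem 1 condition as used in its proof: the columns of M' are the
    transforms of the xi_j, and every row of M' must be bent on V_m."""
    columns = [dual(s) for s in seqs]
    return all(is_bent_sequence([col[i] for col in columns])
               for i in range(len(seqs[0])))


def concatenate(seqs):
    return [v for s in seqs for v in s]


def linear_based(n):
    """Theorem 2: the rows of H_n written one after another (length 2^(2n))."""
    return concatenate([sylvester_row(i, 1 << n) for i in range(1 << n)])


# Constructed bent sequence on V_4: (-1)^(x1x2 XOR x3x4), bit i of x is x_(i+1).
XI = [(-1) ** ((x & 1) & (x >> 1 & 1) ^ (x >> 2 & 1) & (x >> 3 & 1))
      for x in range(16)]


def signed_copies(signs):
    """The sequences (s_1 XI, s_2 XI, ...) for signs s_j in {+1, -1}."""
    return [[s * v for v in XI] for s in signs]


if __name__ == "__main__":
    for signs in ((1, 1, 1, -1), (1, 1, 1, 1)):
        seqs = signed_copies(signs)
        print(signs, "rows bent:", rows_of_transforms_bent(seqs),
              "concatenation bent:", is_bent_sequence(concatenate(seqs)))
    print("linear based, n = 3:", is_bent_sequence(linear_based(3)))
```
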

This construction is called linear based bent sequence because each row of a Sylvester-Hadamard matrix $H_n$ is a linear sequence on $V_n$. There are $2^n$ rows in $H_n$. Therefore, they form a sequence $\xi$ of length $2^{2n}$, which has Walsh-Hadamard transform $2^{-n} H_{2n} \xi^t$. Now we prove the sequence $\xi$ is bent.

The concatenation of blocks (binary sequences) can be used to construct bent sequences. Let $A$, $\bar{A}$, $B$, $\bar{B}$, $C$, $\bar{C}$, $D$ and $\bar{D}$ denote the blocks with contents as follows:

$A = 0011$; $B = 0101$; $C = 0110$; $D = 0000$;
$\bar{A} = 1100$; $\bar{B} = 1010$; $\bar{C} = 1001$; $\bar{D} = 1111$.

The following theorem describes how it works.

Theorem 3 Let $n = 2k$ ($\ge 8$). For $i = 1, 2, \cdots, 2^{2k-1}$, let $M_i, N_i, P_i, Q_i$ be arbitrary affine functions made up of $2^{k-4}$ blocks. Define the function $f$ on $V_n$ to be the concatenation of the $2^{k-1}$ segments $S_i$ given by

$$S_i = (M_i N_i \cdots P_i Q_i \mid P_i Q_i \cdots M_i N_i)$$

In $f$ exactly one quarter of the $2^{2k-2}$ blocks are based on each of the letters A, B, C and D. The strings $M_i N_i \cdots P_i Q_i$ may be placed arbitrarily in the segments $S_i$ subject to the conditions:

(i) Concatenation of the $2^{k-1}$ segments gives $2^{2k-2}$ blocks, each of them occupies a different position in the function $f$.

(ii) For each $i$ ($i = 1, 2, \cdots, 2^{k-2}$), we have

$$S_{i+2^{k-2}} = (N_i M_i \cdots Q_i P_i \mid Q_i P_i \cdots N_i M_i)$$

k 2 (Hi) For any pair i,j with l

Then the function f is a bent function.

The strings $M_i, \cdots, Q_i$ are affine and made up of $2^{k-4}$ blocks. To keep the strings affine, each string contains one block (and its complement) $2^{k-4}$ times only. The strings in the first $2^{k-2}$ segments must be different from each other at corresponding positions, which ensures that condition (iii) is satisfied. The following example shows how theorem 3 works. Let $n = 8$. Then we have 8 segments ($S_i$, $i = 1, 2, \cdots, 8$). Each of $M_i, N_i, P_i, Q_i$ is made up of $2^0$ blocks from A, B, C, D and their complements. Thus each letter stands for an affine sequence on $V_2$. Each segment must satisfy the three conditions in theorem 3. Let

$S_1$ = {D A A C | A C D A},

$S_2$ = {A B C D | C D A B},

$S_3$ = {B C D B | D B B C},

$S_4$ = {C D B A | B A C D}.

Then

$S_5$ = {A D C A | C A A D},

$S_6$ = {B A D C | D C B A},

$S_7$ = {C B B D | B D C B},

$S_8$ = {D C A B | A B D C}.

It is easy to check that the strings

$$M_i \oplus M_j, \quad N_i \oplus N_j, \quad P_i \oplus P_j, \quad Q_i \oplus Q_j$$

are balanced. So the function $f(x)$ with binary string such as

DAAC ABCD BCDB CDBA ADCA BADC CBBD DCAB ACDA CDAB DBBC BACD CAAD DCBA BDCB ABDC

is bent.

Theorems 2 and 3 give ways to construct bent sequences using sub-sequences, which belong to the Maiorana-McFarland class. In theorem 1, if one lets $m = 2$ and $\xi_1 = \xi_2 = \xi_3 = 1 \oplus \xi_4$, the bent functions are those that are described by lemma 19. So theorem 1 is an extension of lemma 19. The shortest sequences of Boolean functions are 0 and 1 (or 1 and −1). Generally speaking, for any bent sequence with length $2^n$, there exists at least one integer $s$ such that the sub-sequences with length $2^s$ are affine. However, not all bent sequences are bent sub-sequence based. There does not exist, for example, any bent sub-sequence in the bent sequence

00000001 00010110 00010101 00111110 00010011 01011110 01101110 11100000.

3.4 Notes on the propagation criterion of degree l and order k

In this section some studies of the propagation criteria of Boolean functions are introduced briefly. Most of this section refers to papers [21, 40, 115, 74, 91].

Definition 19 (Propagation criterion $PC(l)$ of order $k$) Boolean functions satisfy $PC(l)$ when one keeps constant a certain number $k$ of coordinates $x_1, \cdots, x_n$. This property of Boolean functions is called propagation criterion $PC(l)$ of order $k$.

Definition 20 (Perfect nonlinear Boolean functions) The nonlinear Boolean functions on $V_n$ satisfying $PC(l)$ for all $0 < l \le n$ are called perfect nonlinear Boolean functions, i.e. the functions satisfy $PC(n)$.


Definition 21 Consider the variables $x_1, \cdots, x_n$ to be random uniformly distributed inputs and the values of variables are from $GF(2)$. A function $f(x)$ from $V_n$ to $V_m$ (S-box) is said to be k-th order correlation immune if the probability distribution of the values $f(x)$ is unaltered when at most $k$ of the coordinates $x_1, \cdots, x_n$ are kept constant. That function is k-resilient if it is balanced (which means all of the values in $V_m$ occur equally often) and k-th order correlation immune.

Definition 22 Let $s$, $t$ be two positive integers with $s + t = n$. Let $g$ be a function on $V_t$ and $\phi$ be a function defined by $V_t \to V_s$. Then a function $f(x)$ on $V_n$ is defined by

$$f(x, y) = x \cdot \phi(y) \oplus g(y), \quad x \in V_s,\ y \in V_t$$

For the functions $f(x)$ on $V_n$, with the propagation criterion of degree $l$ and order $k$ we have:

• SAC is equivalent to $PC(1)$.

• Let $n$ be even and $n > 4$. The only $f(x)$ on $V_n$ which satisfy $PC(n-2)$ are perfect nonlinear functions.

• Let $n$ be odd and $n > 3$. The Boolean functions $f(x)$ on $V_n$ satisfying $PC(n-1)$ are the functions of the form:

$$f(x) = g(x_1 \oplus x_n, \cdots, x_{n-1} \oplus x_n) \oplus h(x) \qquad (3.10)$$

where $g$ is a perfect nonlinear function on $V_{n-1}$ and $h$ is an affine function on $V_n$.

• The functions $f(x)$ on $V_n$ satisfying $PC(n-2)$ are the functions of the form (3.10) and the two following forms:

$$g(x_1 \oplus x_n, \cdots, x_{i-1} \oplus x_n, x_i, x_{i+1} \oplus x_n, \cdots, x_{n-1} \oplus x_n) \oplus h(x)$$

$$g(x_1 \oplus x_{n-1}, \cdots, x_{n-2} \oplus x_{n-1}, x_n) \oplus h(x)$$

where $g$ is a perfect nonlinear function on $V_{n-1}$ and $h$ is an affine function on $V_n$.

• For odd $n > 3$, the functions $f(x)$ on $V_n$ satisfying $PC(n-2)$ are those functions for which (a) there exists a nonzero vector $\alpha$ of Hamming weight $wt(\alpha) > n - 1$ such that the function $f(x) \oplus f(x \oplus \alpha)$ is constant; (b) for every nonzero vector $\beta \neq \alpha$, the function $f(x) \oplus f(x \oplus \beta)$ is balanced on $V_n$.

• A function $f(x)$ satisfies $PC(l)$ of order $k = n - l$ if and only if every restriction of $f(x)$ obtained by keeping constant $n - l$ coordinates is perfect nonlinear. Thus $l$ must be even. For $n$ even, these functions are called hyper-bent and characterized by B. Preneel et al in the paper [19].

For every $n > 4$ and every even $l$ such that $2 < l < n - 2$, the functions $f(x)$ which satisfy $PC(l)$ of order $n - l$ are those of the form;

/(x)= 0 xxXj®h(x) (3.11) l

where $h(x)$ is affine on $V_n$. For every odd $n > 3$, the functions $f(x)$ satisfying $PC(n-1)$ of order 1 are the functions of form (3.10).

• For every n < 3 and every positive even .integer £ < n — 1, the functions f(x) satisfying PC (I) of order n — t—l are the same as those functions which satisfy PC(l) of order n-t-1. For every t < 3 and n > t + 1, the function f(x) which satisfy PC(t) of order n — I - 1 are the functions which satisfy PC(t + 1) of order n-t-1.

• For every even $n > 8$,¹ the functions $f(x)$ satisfying $PC(n-3)$ of order 1 are perfect nonlinear functions on $V_n$.

• For every positive even $l < n - 4$ ($n > 6$) and every odd $l$ such that $5 < l < n - 5$ ($n > 10$), the functions satisfying $PC(l)$ of order $n - l - 2$ are those functions that satisfy $PC(l)$ of order $n - l$, i.e. the functions (3.11).

3.5 Partially-bent functions

Bent functions exist only on even size spaces. To study, comparatively, Boolean functions on both even and odd size spaces, Claude Carlet posed the concept of partially-bent functions [16]. In 1991, R. Govaerts, B. Preneel and J. Vandewalle conjectured an inequality that relates auto-correlation, Walsh-Hadamard transform and the order of the Boolean space [40] [41]. Let $N_\Delta$ and $N_F$ be the numbers of zeros of the functions $\Delta(\lambda)$ and $F(\lambda)$ associated with any Boolean function $f(x)$, where $\Delta(\lambda)$ and $F(\lambda)$ are the auto-correlation and the Walsh-Hadamard transform of the function with respect to the vector $\lambda \in V_n$ respectively. Then

$$(2^n - N_{\Delta(\alpha)})(2^n - N_{F(\alpha)}) \ge 2^n.$$

The equality holds only for functions that are order 2 or satisfy $PC(n)$ or $PC(n-1)$. By functions of order 2, this means the algebraic normal forms of the function have degree at most 2 (called quadratic). In the paper [41], R. Govaerts changed the conditions for the equality, so that equality holds only for functions of order 2 or satisfying $PC(n)$ ($n$ even) or such that $N_{\Delta(\alpha)} = 2^n - 2$, $n$ odd.

The space $V_n$ is said to be the direct sum of spaces $V_m$ and $V'_m$ if each element $z \in V_n$ can be expressed as $z = (x, y)$, where $x \in V_m$ and $y \in V'_m$. Obviously, $|V_n| = |V_m| \times |V'_m|$.

¹ This condition cannot be weakened, since for $n \le 6$, the functions satisfying $PC(n-3)$ are not necessarily perfect nonlinear. Let $g(x)$ be a perfect nonlinear function on $V_4$ and $f(x)$ on $V_6$, for example, the function defined by

$$f(x) = g(x_1 \oplus x_5 \oplus x_6,\ x_2 \oplus x_5 \oplus x_6,\ x_3 \oplus x_5,\ x_4 \oplus x_6).$$

The function $f(x)$ is not perfect nonlinear, since it has a linear structure with the vector (0,0,1,1,1,1). It satisfies $PC(n-3)$ of order 1.

Theorem 4 Any Boolean function $f(x)$ on $V_n$ satisfies

$$(2^n - N_{\Delta(\alpha)})(2^n - N_{F(\alpha)}) \ge 2^n.$$

Equality holds if and only if there exists an element $\lambda \in V_n$ such that $\Delta(\alpha)$ equals 0 or $(-1)^{\lambda \cdot \alpha} 2^n$ for all $\alpha$ in $V_n$. This is equivalent to requiring that there exists a linear form $x \to \lambda \cdot x$ on $V_n$ and two subspaces $V_m$, $V'_m$ in $V_n$ (in which $V'_m$ has even dimension) such that: (1) $V_n$ is the direct sum of $V_m$ and $V'_m$; (2) the restriction of $f(x)$ to $V'_m$ is bent; (3) for all $x \in V_m$, $y \in V'_m$,

$$f(x \oplus y) \oplus f(y) = \lambda \cdot x.$$

Proof. Since the values of the function $\Delta(\alpha)$ are at most $2^n$, one has

$$(2^n - N_\Delta) \ge 2^{-n}\sum_{\alpha \in V_n}\Delta(\alpha) = 2^{-n}F^2(0).$$

When an affine transformation is made, that is $f(x)$ is replaced by $f(x) \oplus \lambda \cdot x$, the number of zeros, $N_\Delta$, does not change. So by choosing an element $\lambda' \in V_n$ that makes $F^2(\lambda')$ the maximum value for all vectors in $V_n$, one has

$$(2^n - N_\Delta) \ge 2^{-n}F^2(\lambda'). \qquad (3.12)$$

One also has

$$(2^n - N_F) \ge \frac{\sum_{\lambda \in V_n}F^2(\lambda)}{F^2(\lambda')} = \frac{2^{2n}}{F^2(\lambda')}. \qquad (3.13)$$

Multiplying these two inequalities, there is

$$(2^n - N_\Delta)(2^n - N_F) \ge 2^n.$$

Now it is time to prove that the equality holds if the conditions are satisfied. Assume the equality holds. Notice that the right sides of formulae (3.12) and (3.13) are related. So the formulae (3.12) and (3.13) become

$$2^n - N_\Delta = 2^{-n}F^2(\lambda') \quad\text{and}\quad 2^n - N_F = \frac{2^{2n}}{F^2(\lambda')}.$$

Let $\Delta'(\alpha)$ be the auto-correlation function associated with the function $f(x) \oplus \lambda' \cdot x$ such that $F^2(\lambda')$ is maximal. By the lemma 11, the formula $\sum_{\alpha \in V_n}\Delta'(\alpha) = F^2(\lambda')$ is obtained and therefore

$$\sum_{\alpha \in V_n}\Delta'(\alpha) = 2^n(2^n - N_\Delta) = \sum_{\alpha \in V_n,\ \Delta(\alpha) \ne 0} 2^n.$$

Thus for all vectors $\alpha$ in $V_n$, $\Delta'(\alpha)$ equals 0 or $2^n$ only. Because $\Delta(\alpha) = (-1)^{\alpha \cdot \lambda}\Delta'(\alpha)$, the conditions for equality have been proven. Let $V_m$ be the set of all the elements $x$ in $V_n$ such that $\Delta(x) = (-1)^{\lambda \cdot x}2^n$, that is

for all $\lambda$ in $V_n$ $f(x \oplus \lambda) \oplus \lambda \cdot x$. It is clear that $V_m$ is a subspace of $V_n$. Let $V'_m$ be a subspace of $V_n$ such that $V_n$ is the direct sum of $V_m$ and $V'_m$. Then for all $\gamma \ne 0$ in $V'_m$, we obtain

$$\Delta(\gamma) = 0 \;\Rightarrow\; \sum_{x \in V_m}\sum_{y \in V'_m}(-1)^{f(y) \oplus f(y \oplus \gamma)} = 2^m\sum_{y \in V'_m}(-1)^{f(y) \oplus f(y \oplus \gamma)} = 0.$$

Thus one has proved $V_n$ is the direct sum of $V_m$ and $V'_m$. □

Definition 23 A Boolean function $f(x)$ on $V_n$ is called partially-bent if

$$(2^n - N_\Delta)(2^n - N_F) = 2^n.$$

Definition 24 Let $f$ be a partially-bent function and $\psi_f$ the function defined on $V_n \times V_n$ by

$$\psi_f = f(0) \oplus f(u) \oplus f(v) \oplus f(u \oplus v).$$

The linear space $V_m = \{u \mid \psi_f(u,v) = 0,\ u \in V_n,\ v \in V_n\}$ is called the kernel associated with $f$ [16].

To overview partially bent functions, the remark is quoted from Carlet [16] as follows:

1. Since the degree of any bent function on a linear space of dimension 2k is at most k, the degree of a partially-bent function is at most the half of the codimension of its kernel.

2. The set of partially-bent functions on Vn is not a linear space. For instance, if n = 6, the non-quadratic partially-bent functions are the non-quadratic bent functions which all are known [81]. It is easy to find two bent functions whose sum is neither bent nor quadratic.

3. The number of partially-bent functions seems to be difficult to obtain, since it depends on the number of bent functions which is unknown (except for small values of n).

4. Let $f$ be a quadratic Boolean function on $V_n$ and $l$ be an affine Boolean function on the same space. Then the following Boolean function on $V_{n+1}$

$$f(x_1, \ldots, x_n) \oplus x_{n+1}\,l(x_1, \ldots, x_n)$$

is quadratic and any quadratic function on $V_{n+1}$ is of that form.

In the paper [16], Carlet also listed some properties of partially-bent functions as follows.

1. A partially-bent function $f(x)$ on $V_n$ satisfies $PC(k)$ if and only if its associated kernel $V_m$ contains elements of Hamming weight $k$ or 0 only.

2. A partially-bent function $f(x)$ on $V_n$ is balanced if and only if its restriction to its associated kernel $V_m$ is non-constant, that is if and only if there exists an element $u$ in $V_n$ such that

$$f(x \oplus u) = f(x) \oplus 1, \quad x \in V_n.$$

Otherwise its Hamming weight is equal to $2^{n-1} \pm 2^{n-h-1}$, $(h < n/2)$.

3. The number of partially-bent balanced functions on $V_n$ is equal to $(2^n - 1)$ times the number of partially-bent balanced functions on $V_{n-1}$ $(n > 2)$.

4. The number of balanced quadratic functions on $V_n$ is greater than that of the quadratic non-balanced functions when $n$ is odd and smaller when $n$ is even.

5. A partially-bent function defined by

$$f(x \oplus y) = f(y) \oplus t \cdot x, \quad x \in V_m,\ y \in V'_m$$

is $k$th-order correlation-immune (respectively $k$th-order correlation-immune and balanced) if and only if $t + V_m^{\perp}$ only contains elements of Hamming weight greater than $k$ or equal to 0 (respectively greater than $k$).

Example. Let $z = (x, y) = (z_1, z_2, z_3, z_4, z_5) = (x_1, x_2, x_3, x_4, y)$ and

$$f(z) = z_1z_2 \oplus z_3z_4 \oplus z_5$$

be a Boolean function on $V_5$ and $V_5 = V_4 + V_1$ (direct sum). Clearly the function's restriction to $V_4$,

$$f(x) = z_1z_2 \oplus z_3z_4 = x_1x_2 \oplus x_3x_4$$

is bent on $V_4$. $y = z_5 \in V_1$. Then we have

$$f(z \oplus y) \oplus f(x) = (z_1z_2 \oplus z_3z_4) \oplus (z_1z_2 \oplus z_3z_4 \oplus z_5) = z_5 = y.$$

So the function is partially-bent. Note, $x \oplus y = (z_1, z_2, z_3, z_4, 0) \oplus (0, 0, 0, 0, z_5)$ (direct sum of two vectors) and $f(y) = f(0, 0, 0, 0, z_5)$. The function

$$\psi_f(u, v) = f(0) \oplus f(u) \oplus f(y) \oplus f(u \oplus v)$$
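Definition 23 can be checked numerically on the example above. The following Python sketch is an added illustration, not code from the thesis: it counts the zeros of the auto-correlation and of the Walsh-Hadamard transform for $f(z) = z_1z_2 \oplus z_3z_4 \oplus z_5$, and contrasts it with $x_1x_2x_3 \oplus x_4x_5$ (the function used in Chapter 4), which is not partially-bent. The function names and the bit ordering (index bit 0 is $x_1$) are assumptions of this example.

```python
"""Check Definition 23 numerically: (2^n - N_Delta)(2^n - N_F) = 2^n."""


def truth_table(f, n):
    """Values of f over V_n; index i encodes (x1, ..., xn), x1 = lowest bit."""
    return [f(*[(i >> b) & 1 for b in range(n)]) for i in range(1 << n)]


def walsh_hadamard(tt):
    """F(lam) = sum over x of (-1)^(f(x) XOR lam.x), by the fast butterfly."""
    w = [1 - 2 * v for v in tt]
    half = 1
    while half < len(w):
        for start in range(0, len(w), 2 * half):
            for i in range(start, start + half):
                w[i], w[i + half] = w[i] + w[i + half], w[i] - w[i + half]
        half *= 2
    return w


def autocorrelation(tt):
    """Delta(a) = sum over x of (-1)^(f(x) XOR f(x XOR a))."""
    size = len(tt)
    return [sum(1 - 2 * (tt[x] ^ tt[x ^ a]) for x in range(size))
            for a in range(size)]


def partially_bent_report(tt):
    """Zero counts N_Delta, N_F and the product tested in Definition 23."""
    size = len(tt)
    spectrum = walsh_hadamard(tt)
    delta = autocorrelation(tt)
    n_delta = delta.count(0)
    n_f = spectrum.count(0)
    product = (size - n_delta) * (size - n_f)
    return {
        "N_delta": n_delta,
        "N_F": n_f,
        "product": product,
        "partially_bent": product == size,
        # vectors a with |Delta(a)| = 2^n are the linear structures of f
        "linear_structures": [a for a in range(size) if abs(delta[a]) == size],
        "walsh_magnitudes": sorted({abs(v) for v in spectrum if v}),
    }


def page_example(z1, z2, z3, z4, z5):
    """The partially-bent example: bent part on V_4 plus the linear term z5."""
    return (z1 & z2) ^ (z3 & z4) ^ z5


def cubic_example(x1, x2, x3, x4, x5):
    """x1x2x3 XOR x4x5, used here as a function that is not partially-bent."""
    return (x1 & x2 & x3) ^ (x4 & x5)


if __name__ == "__main__":
    for name, fn in (("z1z2+z3z4+z5", page_example),
                     ("x1x2x3+x4x5", cubic_example)):
        print(name, partially_bent_report(truth_table(fn, 5)))
```

For the first function only $\Delta(0)$ and $\Delta(0,0,0,0,1)$ are non-zero, so the product is exactly $2^5$; for the second the product exceeds $2^5$, as the inequality of Theorem 4 allows.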

3.6 Plateaued Boolean functions

This section generally introduces the generalized partial-bent Boolean functions which are called plateau functions by Dr Xian-mo Zhang in the paper [122].

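Definition 25 Let $f(x)$ be a function on $V_n$, $\xi$ the sequence of $f(x)$ and $l_i$ denote the $i$th row of $H_n$ ($i = 0, 1, \ldots, 2^n - 1$). The two sets, $\Im$ and $\Re$, and $\Delta_M$ are defined by

$$\Im = \{i \mid 0 \le i \le 2^n - 1,\ \langle \xi, l_i \rangle \ne 0\}$$

$$\Re = \{\alpha \mid \Delta(\alpha) \ne 0,\ \alpha \in V_n\}$$

$$\Delta_M = \max\{|\Delta(\alpha)| \mid \alpha \in V_n,\ \alpha \ne 0\},$$

and use $\#\Im$ and $\#\Re$ to denote the cardinal numbers of the sets.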

• $\#\Im$, $\#\Re$ and $\Delta_M$ are invariant under any nonsingular linear transformation of the variables.

• For all functions on $V_n$, $(\#\Im)(\#\Re) \ge 2^n$, where the equality holds if and only if there exists a nonsingular matrix $B$ over $GF(2)$ and a vector $\beta \in V_n$ such that $f(xB \oplus \beta) = g(y) \oplus h(z)$ in which $x = (y, z)$, $x \in V_n$, $y \in V_p$, $z \in V_q$, $p + q = n$ and $g$ is bent on $V_p$ and $h$ is linear on $V_q$.

A function on $V_n$ that has $(\#\Im)(\#\Re) = 2^n$ is called a partially-bent function.

• A function is partially-bent if and only if $|\Delta(\alpha)|$ equals 0 or $2^n$ only.

• A function is partially-bent if and only if $\Re$ is composed of linear structures.

Definition 26 Let $f(x)$ be a function on $V_n$, $\xi$ the sequence of $f(x)$. If there exists an even number $r$ $(1 < r < n)$ such that $\#\Im = 2^r$ and each $\langle \xi, l_i \rangle^2$ takes the value $2^{2n-r}$ or 0 only, then the function $f(x)$ is called an $r$th order plateaued function on $V_n$ or plateaued function.

For the plateaued functions, there are:

• Nonlinearity of $f$ has

$$N_f \le 2^{n-1} - 2^{-\frac{n}{2}-1}\sqrt{\sum_{j=0}^{2^n-1}\Delta^2(\alpha_j)},$$

the equality holds if and only if the function is plateaued on $V_n$.

• If $f(x)$ is $r$th order plateaued on $V_n$, then $r$ is even.

• If $r = n$, then $f(x)$ is a bent function on $V_n$. If $r = 0$, $f(x)$ is affine on $V_n$.

• If $f(x)$ is $r$th order plateaued on $V_n$, then $N_f = 2^{n-1} - 2^{n-\frac{r}{2}-1}$.

• Let $f(x)$ be an $r$th order plateaued on $V_n$ $(n > 2)$, $p$ an integer $2 < p < n$. If $\langle \xi, l_i \rangle \equiv 0 \pmod{2^{n-p+2}}$, then the algebraic degree of $f$ is at most $p - 1$.

• If $f(x)$ is $r$th order plateaued on $V_n$, then the algebraic degree of $f$ is equal or less than $\frac{r}{2} + 1$.

• If $f(x)$ is $r$th order plateaued on $V_n$, then $f(xB \oplus \alpha)$ is an $r$th order plateaued.

• Let $f(x)$ be $r$th order plateaued on $V_n$. Then the linearity $q$ of $f(x)$ satisfies

q

• For each function $f(x)$ on $V_n$, there is

in which the equality holds if and only if $f(x)$ is partially bent.

• For each non-bent $f(x)$ on $V_n$, there is

(#»)(#^)>!lI-r-X-i + ^

in which the equality holds if and only if $f(x)$ is partially bent, but not bent.

For each non-bent /(x) on Vn, there is 2»(2»-#9) , , _ + #3 > 2' /c on

in which the equality holds if and only if $\#\Im = 2^n$ or $f(x)$ has a non-zero linear structure.

Chapter 4

The excess of Boolean functions and Hadamard transform

This chapter discusses excesses of matrices of Boolean functions on $V_n$. Some cryptographic properties of Boolean functions are explicitly related to the excesses of their matrices. The work shows some relations between excesses, nonlinearity and auto-correlation for Boolean functions and leads to the conclusion that the bigger the excess of $M$ is, the higher the nonlinearity of the function.

Definition 27 Let $M = [a_{ij}]$ be an $m \times n$ matrix. Then the excess, denoted by $Es(M)$, of the matrix $M$ is defined by

$$Es(M) = \sum_{i=1}^{m}\sum_{j=1}^{n} a_{ij}.$$

Let $f(x)$ be a function on $V_n$ and $M$ the $\pm 1$ matrix of $f(x)$. Then the excess of the matrix $M$ is

$$Es(M) = \sum_{i=1}^{2^n}\sum_{j=1}^{2^n} a_{ij} = \sum_{i,j=0}^{2^n-1}(-1)^{f(\alpha_i \oplus \alpha_j)}.$$

The matrix $M$ is symmetric about its diagonal. All the diagonal entries of $M$ equal $(-1)^{f(0)}$. The first row equals the first column. Let $l_0$ be the $\pm 1$ sequence of the function 0. Let $\xi(\alpha)$ be the $\pm 1$ sequence of the function $f(x \oplus \alpha)$. Then the inner product of $\xi(\alpha)$ and $l_0$ is $\langle \xi(\alpha), l_0 \rangle = \sum_{x \in V_n}(-1)^{f(x \oplus \alpha)}$ and the excess of $M$ is

$$Es(M) = \sum_{i=0}^{2^n-1}\langle \xi(\alpha_i), l_0 \rangle.$$

Let $M^t$ denote the transpose of matrix $M$. Then the matrix $MM^t$ is

$$MM^t = \left[\sum_{k=0}^{2^n-1}(-1)^{f(\alpha_i \oplus \alpha_k) \oplus f(\alpha_j \oplus \alpha_k)}\right]$$

where $i, j = 0, 1, \ldots, 2^n - 1$. One can see that all the entries in the diagonal of $MM^t$ are $2^n$. If every distinct pair of rows (or columns) of $M$ are orthogonal i.e.

$$\sum_{k=0}^{2^n-1}(-1)^{f(\alpha_i \oplus \alpha_k) \oplus f(\alpha_j \oplus \alpha_k)} = 0 \quad\text{for } i \ne j,$$

then the matrix $M$ is Hadamard ($MM^t = 2^n I_n$) and the function $f(x)$ is bent. This happens only for functions on even order spaces. In other words, if the space size is odd, there are no functions whose matrix is orthogonal. Let $\langle \xi(\alpha_i), \xi(\alpha_j) \rangle$ be the inner product of $\xi(\alpha_i)$ and $\xi(\alpha_j)$. Then the matrix $MM^t$ can be written as

$$MM^t = [\langle \xi(\alpha_i), \xi(\alpha_j) \rangle], \quad i, j = 0, 1, \ldots, 2^n - 1. \qquad (4.1)$$

It can be seen that the entries in the first row or column of $MM^t$ are the values of auto-correlation of $f(x)$ with respect to each vector in $V_n$.

Theorem 5 Let $M$ be the matrix of a Boolean function $f(x)$ on $V_n$. Then each entry of $MM^t$ is the value of auto-correlation of the function with respect to a vector in $V_n$. Each entry in the first row of $MM^t$ occurs $2^n$ times in $MM^t$.

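Proof. Each entry of $MM^t$ can be written as

$$\sum_{x \in V_n}(-1)^{f(x \oplus \alpha_i) \oplus f(x \oplus \alpha_j)}.$$

Substitute $x$ for $x \oplus \alpha_i$. The above form becomes

$$\sum_{x \in V_n}(-1)^{f(x) \oplus f(x \oplus \alpha_i \oplus \alpha_j)} = \langle \xi(0), \xi(\alpha_k) \rangle,$$

where $\alpha_k = \alpha_i \oplus \alpha_j$, which proves that each entry of $MM^t$ is the value of the auto-correlation of the function with respect to a vector in $V_n$. Let $\alpha_k$ be a vector in $V_n$ and $\alpha_k = \alpha_i \oplus \alpha_j$. Then there are $2^n$ distinct pairs of vectors which can represent $\alpha_k$, if one takes $\alpha_i \oplus \alpha_j$ and $\alpha_j \oplus \alpha_i$ as different representations, and also include $\alpha_k \oplus 0$ and $\alpha_k$ itself. Thus for the $ij$-th entry,

$$\langle \xi(\alpha_i), \xi(\alpha_j) \rangle = \sum_{x \in V_n}(-1)^{f(x) \oplus f(x \oplus \alpha_i \oplus \alpha_j)} = \langle \xi(0), \xi(\alpha_k) \rangle,$$

there are $2^n$ ways to represent $\alpha_k$ and each pair stands for an entry of $MM^t$. Therefore each entry in the first row of $MM^t$ occurs $2^n$ times in $MM^t$. The excess of $MM^t$ equals

$$Es(MM^t) = \sum_{i=0}^{2^n-1}\sum_{j=0}^{2^n-1}\sum_{x \in V_n}(-1)^{f(x) \oplus f(x \oplus \alpha_i \oplus \alpha_j)}.$$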

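One rearranges the sums and obtains

$$Es(MM^t) = \sum_{x \in V_n}(-1)^{f(x)}\sum_{i=0}^{2^n-1}\sum_{j=0}^{2^n-1}(-1)^{f(x \oplus \alpha_i \oplus \alpha_j)} = 2^n(2^n - 2wt(f))^2 \le 2^n(2^n - 2N_f)^2$$

by using the result

$$\sum_{i=0}^{2^n-1}(-1)^{f(\alpha_i)} = N^+ - N^- = 2^n - 2wt(f),$$

where $N^+$ is the number of vectors such that $f(\alpha) = 0$ and $N^-$ is the number of vectors such that $f(\alpha) = 1$. One gets the following conclusions: (1) balanced functions have zero excess; (2) if $wt(f) < 2^{n-2}$, then the equality of above formula holds. We let $M_\varphi$ be the matrix of $f(x) \oplus \varphi(x)$ on $V_n$. Then the excess of $M_\varphi M_\varphi^t$ is

$$Es(M_\varphi M_\varphi^t) = \sum_{i=0}^{2^n-1}\sum_{j=0}^{2^n-1}\sum_{k=0}^{2^n-1}(-1)^{f(\alpha_i \oplus \alpha_k) \oplus f(\alpha_j \oplus \alpha_k) \oplus \varphi(\alpha_i \oplus \alpha_k) \oplus \varphi(\alpha_j \oplus \alpha_k)} \qquad (4.2)$$

$$Es(M_\varphi M_\varphi^t) = 2^n(2^n - 2wt(f \oplus \varphi))^2 \le 2^n(2^n - 2N_f)^2. \qquad (4.3)$$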

If one chooses the affine function such that the Hamming weight of $f(x) \oplus \varphi(x)$ is minimal, then the equality holds for equation (4.3). From the formulae (4.2) and (4.3), the following lemma is proven.

Lemma 23 Let $f(x)$ be a Boolean function on $V_n$ and

$f(x) \oplus \varphi(x)$ is $2^n(2^n - 2N_f)^2$.

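Let $A_{n-1}$ and $B_{n-1}$ be its $2^{n-1} \times 2^{n-1}$ sub-matrices and

$$M = \begin{bmatrix} A_{n-1} & B_{n-1} \\ B_{n-1} & A_{n-1} \end{bmatrix}.$$

Similarly,

$$A_{n-1} = \begin{bmatrix} A_{n-2} & B_{n-2} \\ B_{n-2} & A_{n-2} \end{bmatrix}$$

and so on. The following theorem is of the excess of the matrix $M$ and the Sylvester-type Hadamard matrix.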

Theorem 6 Let $L_n$ be a $2^n \times 2^n$ Sylvester-type Hadamard matrix and $M$ be the $2^n \times 2^n$ matrix of a Boolean function $f(x)$ on $V_n$. Then the excess of the matrix $ML_n$ equals

$$Es(ML_n) = 2^n \times \sum_{i=0}^{2^n-1}(-1)^{f(\alpha_i)} = 2^n\langle \xi(0), l_0 \rangle,$$

where $\xi(0)$ and $l_0$ are the first row of $M$ and $H_n$ respectively.

Proof. Since $M$ is symmetric, one has

$$ML_n = \begin{bmatrix} A_{n-1} & B_{n-1} \\ B_{n-1} & A_{n-1} \end{bmatrix} L_n = \begin{bmatrix} (A_{n-1} + B_{n-1})L_{n-1} & (A_{n-1} - B_{n-1})L_{n-1} \\ (A_{n-1} + B_{n-1})L_{n-1} & -(A_{n-1} - B_{n-1})L_{n-1} \end{bmatrix}.$$

So, the excess of $ML$ equals 2 times the excess of $(A_{n-1} + B_{n-1})L_{n-1}$. Note that the matrix $(A_{n-1} + B_{n-1})$ is also symmetric and has the form of

$$(A_{n-1} + B_{n-1}) = \begin{bmatrix} A_{n-2} & B_{n-2} \\ B_{n-2} & A_{n-2} \end{bmatrix}.$$

So

$$(A_{n-1} + B_{n-1})L_{n-1} = \begin{bmatrix} (A_{n-2} + B_{n-2})L_{n-2} & (A_{n-2} - B_{n-2})L_{n-2} \\ (A_{n-2} + B_{n-2})L_{n-2} & -(A_{n-2} - B_{n-2})L_{n-2} \end{bmatrix}.$$

The excess of above matrix equals 2 times the excess of $(A_{n-2} + B_{n-2})L_{n-2}$. This is proceeded step by step and the required result is obtained.

Note that the matrix $A_{n-i} + B_{n-i}$ is not a matrix in the field $GF(2)$. Proceed step by step until $i = n$. It is also noted that at the end $A_0$ is a $1 \times 1$ matrix and the entry is the sum of all entries in the first row of $M$. Therefore, the above theorem is proven. □

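For any Boolean function $f(x)$ on $V_n$, the $ij$-th entry in the matrix $ML$ is

$$\sum_{k=0}^{2^n-1}(-1)^{f(\alpha_k \oplus \alpha_i) \oplus l_j(\alpha_k)}.$$

So sum of $j$-th column of the matrix $ML$ is

$$\sum_{j=0}^{2^n-1}\sum_{k=0}^{2^n-1}(-1)^{f(\alpha_k \oplus \alpha_i) \oplus l_j(\alpha_k)} = \sum_{k=0}^{2^n-1}\sum_{j=0}^{2^n-1}(-1)^{f(\alpha_k \oplus \alpha_i) \oplus l_j(\alpha_k)} = \sum_{k=0}^{2^n-1}(-1)^{f(\alpha_k \oplus \alpha_i)}\sum_{j=0}^{2^n-1}(-1)^{l_j(\alpha_k)} = 2^n(-1)^{f(\alpha_i)}.$$

Combined with the above theorem, the following corollary holds.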

Corollary 4 Let $f(x)$ be a Boolean function on $V_n$ and $M$ be its matrix. Then the excess of $ML$ equals

$$Es(ML_n) = 2^n(2^n - 2wt(f));$$

if $f(x)$ is balanced, then the excess of $ML$ equals zero.

Let $L_n$ denote the Sylvester-Hadamard matrix.

$$Es(MLM^t) = \sum_{i,j}\sum_{k=0}^{2^n-1}\sum_{h=0}^{2^n-1}(-1)^{f(\alpha_i \oplus \alpha_k) \oplus l_k(\alpha_h) \oplus f(\alpha_h \oplus \alpha_j)} = \sum_{k=0}^{2^n-1}\sum_{h=0}^{2^n-1}(-1)^{l_k(\alpha_h)}\sum_{i=0}^{2^n-1}(-1)^{f(\alpha_i \oplus \alpha_k)}\sum_{j=0}^{2^n-1}(-1)^{f(\alpha_h \oplus \alpha_j)} = 2^n(2^n - 2wt(f))^2 \le 2^n(2^n - 2N_f)^2.$$
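Theorem 5, Theorem 6 and Corollary 4 can be verified by direct computation. The following Python sketch is an added illustration, not code from the thesis: it builds $M$ and $L_n$ for $f(x) = x_1x_2x_3 \oplus x_4x_5$ on $V_5$ (the function of the worked example in this chapter), computes the excesses, and repeats the folding step $[[A, B], [B, A]] \to A + B$ used in the proof of Theorem 6. The function names and the bit ordering (index bit 0 is $x_1$) are assumptions of this example.

```python
"""Excess of M*L_n for f(x) = x1x2x3 XOR x4x5 on V_5."""


def truth_table(f, n):
    """Values of f over V_n; index i encodes (x1, ..., xn), x1 = lowest bit."""
    return [f(*[(i >> b) & 1 for b in range(n)]) for i in range(1 << n)]


def function_matrix(tt):
    """M[i][j] = (-1)^f(a_i XOR a_j), the +/-1 matrix of the function."""
    size = len(tt)
    return [[1 - 2 * tt[i ^ j] for j in range(size)] for i in range(size)]


def sylvester(n):
    """Sylvester-type Hadamard matrix L_n of order 2^n."""
    rows = [[1]]
    for _ in range(n):
        rows = ([r + r for r in rows] +
                [r + [-v for v in r] for r in rows])
    return rows


def matmul(a, b):
    cols = list(zip(*b))
    return [[sum(x * y for x, y in zip(row, col)) for col in cols] for row in a]


def transpose(m):
    return [list(row) for row in zip(*m)]


def excess(m):
    """Es(M): the sum of all entries (Definition 27)."""
    return sum(sum(row) for row in m)


def fold(m):
    """One step of the proof of Theorem 6: [[A, B], [B, A]] -> A + B."""
    half = len(m) // 2
    return [[m[i][j] + m[i][j + half] for j in range(half)]
            for i in range(half)]


def folding_chain(m):
    """Successive matrices A + B, ending with a 1 x 1 matrix."""
    chain = []
    while len(m) > 1:
        m = fold(m)
        chain.append(m)
    return chain


def cubic_example(x1, x2, x3, x4, x5):
    return (x1 & x2 & x3) ^ (x4 & x5)


def check(f, n):
    tt = truth_table(f, n)
    size = 1 << n
    m = function_matrix(tt)
    ml = matmul(m, sylvester(n))
    mmt = matmul(m, transpose(m))
    delta = mmt[0]  # first row of M*M^t: the auto-correlation values
    return {
        "weight": sum(tt),
        "Es(ML_n)": excess(ml),
        "corollary_4": size * (size - 2 * sum(tt)),
        "Es(ML_nM^t)": excess(matmul(ml, transpose(m))),
        # Theorem 5: entry (i, j) of M*M^t is Delta(a_i XOR a_j)
        "theorem_5": all(mmt[i][j] == delta[i ^ j]
                         for i in range(size) for j in range(size)),
        "chain": folding_chain(m),
    }


if __name__ == "__main__":
    result = check(cubic_example, 5)
    for key in ("weight", "Es(ML_n)", "corollary_4", "Es(ML_nM^t)", "theorem_5"):
        print(key, result[key])
    print("last folds:", result["chain"][-3:])
```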

The concept of excess is widely used in the study of Hadamard matrices. The matrices of Boolean functions are not Hadamard matrices except for bent functions. Theorems 5 and 6 and lemma 23 show the tight relations between the excess of the matrix of a Boolean function and cryptographic properties of the function such as nonlinearity, balance, auto-correlation-immunity, etc. So, the excess of a Boolean function can be used to evaluate functions in cryptography. Since an $n \times m$ S-box consists of $m$ Boolean functions that are on $V_n$, each function directly indicates the quality of the S-box. Further investigations need to be undertaken to determine the relationships between excesses and S-boxes. For an S-box design, the excess parameter of a component of the S-box gives an initial pointer for choosing a good Boolean function. The complete set of bent functions over a large size Boolean space is unknown. The excess has the potential to help to discover new properties for bent functions or new forms of bent functions. To illustrate the above discussion, one considers an example. Let

$$f(x) = x_1x_2x_3 \oplus x_4x_5$$

be a function on $V_5$ (it is chosen randomly). Let '+' stand for 1 and '-' stand for -1. Then the matrix $M$ of $f(x)$ is

    +++++++- +++++++- +++++++- -------+
    ++++++-+ ++++++-+ ++++++-+ ------+-
    +++++-++ +++++-++ +++++-++ -----+--
    ++++-+++ ++++-+++ ++++-+++ ----+---
    +++-++++ +++-++++ +++-++++ ---+----
    ++-+++++ ++-+++++ ++-+++++ --+-----
    +-++++++ +-++++++ +-++++++ -+------
    -+++++++ -+++++++ -+++++++ +-------
    +++++++- +++++++- -------+ +++++++-
    ++++++-+ ++++++-+ ------+- ++++++-+
    +++++-++ +++++-++ -----+-- +++++-++
    ++++-+++ ++++-+++ ----+--- ++++-+++
    +++-++++ +++-++++ ---+---- +++-++++
    ++-+++++ ++-+++++ --+----- ++-+++++
    +-++++++ +-++++++ -+------ +-++++++
    -+++++++ -+++++++ +------- -+++++++
    +++++++- -------+ +++++++- +++++++-
    ++++++-+ ------+- ++++++-+ ++++++-+
    +++++-++ -----+-- +++++-++ +++++-++
    ++++-+++ ----+--- ++++-+++ ++++-+++
    +++-++++ ---+---- +++-++++ +++-++++
    ++-+++++ --+----- ++-+++++ ++-+++++
    +-++++++ -+------ +-++++++ +-++++++
    -+++++++ +------- -+++++++ -+++++++
    -------+ +++++++- +++++++- +++++++-
    ------+- ++++++-+ ++++++-+ ++++++-+
    -----+-- +++++-++ +++++-++ +++++-++
    ----+--- ++++-+++ ++++-+++ ++++-+++
    ---+---- +++-++++ +++-++++ +++-++++
    --+----- ++-+++++ ++-+++++ ++-+++++
    -+------ +-++++++ +-++++++ +-++++++
    +------- -+++++++ -+++++++ -+++++++

Then the matrices $A_4$ and $B_4$ are

$A_4$ =

    +++++++- +++++++-
    ++++++-+ ++++++-+
    +++++-++ +++++-++
    ++++-+++ ++++-+++
    +++-++++ +++-++++
    ++-+++++ ++-+++++
    +-++++++ +-++++++
    -+++++++ -+++++++
    +++++++- +++++++-
    ++++++-+ ++++++-+
    +++++-++ +++++-++
    ++++-+++ ++++-+++
    +++-++++ +++-++++
    ++-+++++ ++-+++++
    +-++++++ +-++++++
    -+++++++ -+++++++

$B_4$ =

    +++++++- -------+
    ++++++-+ ------+-
    +++++-++ -----+--
    ++++-+++ ----+---
    +++-++++ ---+----
    ++-+++++ --+-----
    +-++++++ -+------
    -+++++++ +-------
    -------+ +++++++-
    ------+- ++++++-+
    -----+-- +++++-++
    ----+--- ++++-+++
    ---+---- +++-++++
    --+----- ++-+++++
    -+------ +-++++++
    +------- -+++++++

$A_4 + B_4$ =

     2  2  2  2  2  2  2 -2  0  0  0  0  0  0  0  0
     2  2  2  2  2  2 -2  2  0  0  0  0  0  0  0  0
     2  2  2  2  2 -2  2  2  0  0  0  0  0  0  0  0
     2  2  2  2 -2  2  2  2  0  0  0  0  0  0  0  0
     2  2  2 -2  2  2  2  2  0  0  0  0  0  0  0  0
     2  2 -2  2  2  2  2  2  0  0  0  0  0  0  0  0
     2 -2  2  2  2  2  2  2  0  0  0  0  0  0  0  0
    -2  2  2  2  2  2  2  2  0  0  0  0  0  0  0  0
     0  0  0  0  0  0  0  0  2  2  2  2  2  2  2 -2
     0  0  0  0  0  0  0  0  2  2  2  2  2  2 -2  2
     0  0  0  0  0  0  0  0  2  2  2  2  2 -2  2  2
     0  0  0  0  0  0  0  0  2  2  2  2 -2  2  2  2
     0  0  0  0  0  0  0  0  2  2  2 -2  2  2  2  2
     0  0  0  0  0  0  0  0  2  2 -2  2  2  2  2  2
     0  0  0  0  0  0  0  0  2 -2  2  2  2  2  2  2
     0  0  0  0  0  0  0  0 -2  2  2  2  2  2  2  2

Next we have $B_3 = 0$ and

$A_3$ =

     2  2  2  2  2  2  2 -2
     2  2  2  2  2  2 -2  2
     2  2  2  2  2 -2  2  2
     2  2  2  2 -2  2  2  2
     2  2  2 -2  2  2  2  2
     2  2 -2  2  2  2  2  2
     2 -2  2  2  2  2  2  2
    -2  2  2  2  2  2  2  2

$$A_2 + B_2 = \begin{bmatrix} 4 & 4 & 4 & 0 \\ 4 & 4 & 0 & 4 \\ 4 & 0 & 4 & 4 \\ 0 & 4 & 4 & 4 \end{bmatrix}; \quad A_1 + B_1 = \begin{bmatrix} 8 & 4 \\ 4 & 8 \end{bmatrix}; \quad A_0 + B_0 = [12].$$

So the excess of $ML$ is $12 \times 2^5 = 384$.

Chapter 5

On the symmetric properties of Boolean functions

Hashing algorithms are important cryptographic primitives which are indispensable for efficient generation of both signatures and codes [103]. They are also widely used as one-way functions in key agreement and key establishment protocols [59]. Hashing can be designed using either block encryption algorithms, computationally hard problems or substitution-permutation networks (S-P networks). To increase the implementation speed, the symmetric properties of Boolean functions are studied. Some work has been done by using group theory to classify Boolean functions [38]. As networks develop, more detail is needed about the symmetric properties of Boolean functions from the viewpoint of cryptography. This chapter uses symmetric groups to study Boolean functions for cryptography, in particular, homogeneous Boolean functions. The author's contributions are (i) using symmetric groups to classify Boolean functions and to show their cryptographic properties in the aspect of symmetric group classification and (ii) studying homogeneous Boolean functions and some relations to be obtained.

5.1 Symmetric group and Boolean functions

For an $n$-entry vector, $a = (a_1, a_2, \ldots, a_n) \in V_n$, an operation is defined by permuting the positions of $a_i$ and $a_j$. Then the vector becomes $(a_1, \ldots, a_j, \ldots, a_i, \ldots, a_n)$. The operation of permuting the positions of $a_i$ and $a_j$ is denoted by $\pi = (ij)$ and then an operation on a vector can be represented by

$$\pi(a_1, a_2, \ldots, a_n) = (a_1, \ldots, a_j, \ldots, a_i, \ldots, a_n).$$

The permutations for an $n$-entry vector in $V_n$ may occur for more than two entries. Thus the operation $\pi = (ijk\cdots)$ is defined by the $i$th entry goes to $j$th position, the $j$th entry goes to $k$th position, and so on. The operation $(ij\cdots k)a$, for example, gives the vector

(eh, • • •,

Let $\pi_i$ and $\pi_j$ be any two operations for a vector $\alpha \in V_n$. Then the combination of the operations is defined by $\pi = \pi_i\pi_j$ such that

$$\pi\alpha = (\pi_i\pi_j)\alpha = \pi_i(\pi_j\alpha).$$

The inverse of the operation exists. For $\pi = (ij\cdots k)$, $\pi^{-1} = (k\cdots ji)$ is its inverse because $\pi\pi^{-1} = \pi^{-1}\pi = e$, the unit permutation. So the definition of symmetric group is given as follows.

Definition 28 For an $n$-entry vector $(x_1, x_2, \ldots, x_n)$ in the Boolean space $V_n$, an operation $\pi$ is defined by permuting the positions of the $n$ entries in the vector. Then all possible operations of permutations on the vector form a group that is called the symmetric group defined on $V_n$ and denoted by $S_n$ (or permutation group).

It is clear that the permutation for a vector on $V_n$ is a one-to-one linear transformation. If a subset of $S_n$ forms a group under the same laws of combination that are used in $S_n$, then the group is called a subgroup of $S_n$. Any group has at least two trivial subgroups that are the unit group, $\{e\}$, and the whole group. For a symmetric group $S_n$, the following properties hold.

1. The order of $S_n$ (the number of all elements) is $n!$, i.e. $|S_n| = n!$.

2. Take some elements in $S_n$ as the generators of the group, if any element in $S_n$ can be equivalently expressed by those generators. Then the minimum number of generators for $S_n$ is $n - 1$. The set $\{(12), (13), \ldots, (1n)\}$ can be a set of generators of $S_n$. The element $(123\cdots n)$, for example, is equal to $(1n)\cdots(13)(12)$.

3. The transitive relations of symmetric groups $S_1, S_2, \ldots, S_n$ are as follows:

$$S_1 \subset S_2 \subset \cdots \subset S_{n-1} \subset S_n.$$

There are many ways to represent the elements of a symmetric group. All the elements in $S_n$ can be expressed, for example, by $n \times n$ matrices with entries over the field $GF(2)$. The unit element $e$ is expressed by the unit matrix $I$, thus the elements $\{e, (12), (123), \ldots\}$ are equivalently expressed by the matrices

$$\begin{bmatrix} 1 & 0 & 0 \\ 0 & 1 & 0 \\ 0 & 0 & 1 \end{bmatrix}, \quad \begin{bmatrix} 0 & 1 & 0 \\ 1 & 0 & 0 \\ 0 & 0 & 1 \end{bmatrix}, \quad \begin{bmatrix} 0 & 0 & 1 \\ 1 & 0 & 0 \\ 0 & 1 & 0 \end{bmatrix}.$$

It is easy to verify that all the matrices are nonsingular. For the element $\pi = (ijk\cdots)$ (cyclic form) in $S_n$, by convention the smallest number always comes first. Some elements may contain a few cycles. Thus the element $\pi = (312)(654)\cdots$ will be written as $(123)(465)\cdots$. The following statements for group theory will be used later. Let $G$ and $G'$ be any two groups and elements $g$ and $g'$ be elements with $g \in G$ and $g' \in G'$.

1. (Homomorphism). If there is a mapping $G \to G'$ and the laws of combination for the two groups are preserved

$$g_i \to g'_i, \qquad (g_i g_j) \to (g'_i g'_j),$$

then the two groups, $G$ and $G'$, are said to be homomorphic.

2. (Isomorphism). For two homomorphic groups, $G$ and $G'$, if the mapping is invertible, then the two groups are said to be isomorphic.

3. (Kernel). For the homomorphic mapping of $G$ and $G'$, the unit element in $G$ maps to a subset $H_e$ in $G'$. The subset $H_e$ in $G'$ corresponding to the unit element $e$ in $G$ is called the kernel of the homomorphic mapping.

4. (Lagrange's theorem). The order of a subgroup of a finite group is a divisor of the order of the group.

5. (Cayley's theorem). Any group with order n is isomorphic with a subgroup of

For a Boolean space $V_n$, it is said that the symmetric group $S_n$ acts on the space, if each element in $S_n$ just permutes the vectors in $V_n$. Let $V_m$ and $V_n$ be subspaces of $V_{m+n}$. Let $S_m$ be the symmetric group for the space $V_m$ and $S_n$ for the space $V_n$. Then for any elements $\pi \in S_m$ and $\pi' \in S_n$, it is obvious that $\pi\pi' = \pi'\pi$. The two groups are said to be commutative (both the two groups are subgroups of $S_{m+n}$ and $S_{m+n}$ acts on $V_{m+n}$). Obviously, the set, $\{\pi\pi' \mid \pi \in V_m,\ \pi' \in V_n\}$ denoted by $S_m \times S_n$ (direct product), is a group with order $m! \times n!$.

Let $H$ be a subgroup of $S_n$. Then the subset $\pi H$, $\pi \in S_n$, $\pi \notin H$, is called the left coset associated with $H$ in $S_n$ and $H\pi$ is called the right coset. The subgroup $H$ is called a normal subgroup (or invariant subgroup) of $S_n$ if $\pi H\pi^{-1} = H$ for any $\pi \in S_n$. For any subgroup $H$ of $S_n$, there exist $|S_n|/|H|$ elements $g_i$ ($g_i \notin H$, $g_i \in S_n$) such that

$$S_n = H \cup (g_1H) \cup \cdots \cup (g_{s-1}H), \quad s = |S_n|/|H|. \qquad (5.1)$$

In the above formula, if $H$ is a normal subgroup, the set, $\{H, g_1H, \ldots, g_{s-1}H\}$, forms a group (called quotient group or factor group of $S_n$) with order $n!/|H|$. For more detail about group theory, one can refer to the books [43, 83, 100, 102]. Now it is time to turn our discussion to the relationships between the symmetric groups and Boolean functions on finite Boolean spaces $V_n$. Boolean functions are studied by this method as literature is sparse thereon.

Definition 29 Let $\pi$ be an element of the symmetric group $S_n$. Take all the elements of $S_n$ as permuting operators on a vector $a = (a_1, \ldots, a_n)$ in $V_n$ such that for $\pi = (ij\cdots k)$,

$$\pi a = \pi(a_1, \ldots, a_i, \ldots, a_j, \ldots, a_k, \ldots, a_n) = (a_1, \ldots, a_{i-1}, a_k, a_{i+1}, \ldots, a_{j-1}, a_i, a_{j+1}, \ldots, a_n);$$

further define

$$\pi f(x) = \pi\left(\bigoplus c_\alpha x^\alpha\right) = \bigoplus c_{\pi\alpha}x^{\pi\alpha} = \bigoplus c_\beta x^\beta$$

where $\pi\alpha = \beta$ and $c_\alpha = c_\beta \in GF(2)$.

Let $H_f$ denote the subgroup of $S_n$ associated with the Boolean function $f(x)$ over $V_n$. The subgroup $H_f$ is described by the following lemma.

Lemma 24 Let $H_f$ denote the subset that contains all elements $\pi \in S_n$ such that $\pi f(x) = f(x)$. Then $H_f$ is a subgroup of $S_n$.

Proof. For the subset $H_f$ to be a group, it is necessary to show the set is closed under the laws of group combination of $S_n$. In fact if $\pi_i$ and $\pi_j$ are in the set $H_f$, then $\pi_i\pi_j$ and $\pi_j\pi_i$ are also in $H_f$, because

$$\pi_i\pi_j f(x) = \pi_i(\pi_j f(x)) = \pi_i f(x) = f(x).$$

The set $H_f$ is closed. Therefore, it is a subgroup of $S_n$. □

The functions $f(x)$ and $\pi f(x)$ have some properties in common: for example, the same propagation criteria $PC(k)$, $k$-th order auto-correlation immunity, Hamming weight $wt(f)$ and nonlinearity $N_f$. Let $f(x)$ on $V_n$ have $k$-th order propagation criteria. According to definition 8, $f(x) \oplus f(x \oplus \alpha)$ is balanced for all $0 < wt(\alpha) \le k$. The function $\pi f(x) = f(\pi x)$ and then

$$f(\pi x) \oplus f(\pi x \oplus \pi\alpha) = f(x') \oplus f(x' \oplus \beta).$$

Of course $wt(\pi\alpha) = wt(\beta)$. As $\alpha$ runs through all vectors such that $1 \le wt(\alpha) \le k$, $\beta$ runs through all vectors with 1

criteria with respect to $\alpha$ does not mean that $\pi f(x)$ satisfies this criteria too.

Lemma 25 If $e f(x) = f(x)$ ($e$ the unit of $S_n$) is the unit of the set $\{\pi f(x) \mid \pi \in S_n\}$, then the set of functions forms a group, denoted by $G_f$, where the group operation "$\circ$" stands for composition of functions, and is defined as follows

$$[\pi_i f(x)] \circ [\pi_j f(x)] = (\pi_i\pi_j) f(x) = \pi_k f(x). \qquad (5.2)$$

Proof. To be a group, the set $G_f$ with the operation $\circ$ must satisfy the following conditions: (i) the unit element must exist; (ii) each element must have the inverse in the set and the left inverse is equal to the right inverse; (iii) the associative rule must hold for the operation; (iv) the set must be closed under the operation.

The unit element of the set is the function itself $f(x)$. Let $\pi_i f(x)$ be an element of the set. Then the element has its inverse $\pi_j f(x)$, such as $\pi_j = \pi_i^{-1}$, in the set, since

$$[\pi f(x)] \circ [\pi^{-1} f(x)] = [\pi^{-1} f(x)] \circ [\pi f(x)] = f(x). \qquad (5.3)$$

According to the definition of group operation,

$$[\pi_i f(x) \circ \pi_j f(x)] \circ \pi_k f(x) = \pi_i f(x) \circ [\pi_j f(x) \circ \pi_k f(x)] \qquad (5.4)$$

holds. Hence the associative law holds. The set, $G_f = \{\pi f(x) \mid \forall \pi \in S_n\}$, contains all the different Boolean functions generated by permutations in $S_n$. Therefore, the set is closed. So it is proved that the set, $\{\pi f(x) \mid \pi \in S_n\}$, with composition $\circ$ is a group. □

The group operation "$\circ$" on $G_f$ is not the operation in $S_n$. The equality

$$(\pi_i\pi_j) f(x) = \pi_k f(x) \qquad (5.5)$$

does not restrict that $\pi_i\pi_j$ equals $\pi_k$, because any element in $H_{\pi_k f}$ will leave the function $\pi_k f(x)$ unchanged. For convenience, the element $\pi_k = \pi_i\pi_j$ is used to identify the function $\pi_k f$. The group $G_f$ is a set of polynomials on a finite Boolean space, which is generated by a Boolean function $f(x)$ on $V_n$ and the symmetric group $S_n$. Each element, $\pi f(x)$, in $G_f$ corresponds to a subgroup, $H_{\pi f}$, of $S_n$. Then for the function $f(x)$, there are the left cosets $\pi H_f$ and right coset $H_{\pi f}\pi$ that give the function $\pi f(x)$. Therefore among the elements in $G_f$, the following lemma holds.

Lemma 26 Let $\pi_i f(x)$ and $\pi_j f(x)$ be any two elements in $G_f$ associated with the function $f(x)$ over $V_n$. Then

(i) $|H_f| = |H_{\pi_i f}| = |H_{\pi_j f}| = \cdots$;

(ii) There exists a set of elements $\{e, \pi_1, \pi_2, \ldots\}$, called representative set for the function $f(x)$ on $V_n$ and denoted by $C_f$, such that

$$S_n = H_f \cup \pi_1H_f \cup \pi_2H_f \cup \cdots; \qquad (5.6)$$

(iii) Let $\pi_i$ and $\pi_j$ belong to $C_f$. If $\pi_i \ne \pi_j$, then $\pi_i f(x) \ne \pi_j f(x)$ and $C_f f(x) = G_f$.

Proof. The group $H_{\pi f}$ is for the function $\pi f(x)$. So $H_{\pi f}$ contains all elements $\pi_i$ in $S_n$ such that $\pi_i(\pi f(x)) = \pi f(x)$. The left coset, $\pi H_f$, acting on the function $f(x)$ also produces the function $\pi f(x)$. So $|\pi H_f| \le |H_{\pi f}|$. On the other hand, $\pi H_f$ contains all elements in $S_n$ such that $(\pi\pi_i) f(x) = \pi f(x)$ for each $\pi_i \in H_f$. Thus $|\pi H_f| \ge |H_{\pi f}|$. Therefore $|H_f| = |H_{\pi f}|$ which proves (i).

Since each coset contains different elements from others and all cosets contain $|S_n|$ elements, so (ii) holds. The part (iii) is obvious. According to the definition of $G_f$, each function is different from others and generated by the function $f(x)$. The set of functions, $C_f f(x)$, contains all different functions. Therefore $C_f f(x) = G_f$. □

The subset $C_f$ is not a unique subset. One can choose any element from each group $H_{\pi f}$ to form a subset $C_f$. But the group $G_f$ is unique. All different subsets, $C_f$, conjugate each other, since for any element $\pi \in S_n$, there is $\pi C_f\pi^{-1} = C'_f$. As though there exists a conjugate class, $C_f$, in $S_n$ which produces the function group $G_f$, the subset $C_f$ is called the identity subset for the function $f(x)$ and each element $\pi$ the identity element for the function $\pi f(x)$. Note that the class $C_f$ may not contain a unit element.

Lemma 27 Let $f$ be a Boolean function on $V_n$. The numbers of repetitions of $x_{i_1}, \ldots, x_{i_k}$ being equal (i.e. $r_{i_1} = \cdots = r_{i_k}$) is a necessary condition for the group $S_k$ associated with variables $x_{i_1}, \ldots, x_{i_k}$ to be a subgroup of $H_f$.

Proof. The lemma is proven by contradiction. By the lemma 24 the element in $H_f$ operating on the function $f(x)$ does not change the function itself. Suppose $r_i \ne r_j$. After the operation, $x_j$ in the function $\pi f(x)$ is transformed to $x_i$. Obviously, it is the number of repetitions of $x_i$ in $\pi f(x)$ is $r_j$ that induces $\pi f(x) \ne f(x)$. Therefore $\pi \notin H_f$. □

Lemma 28 Let $f(x)$ and $g(x)$ be any two Boolean functions on $V_n$ and $H_f$ and $H_g$ be their groups respectively. Then for the function $f(x) \oplus g(x)$, the group $H_{f \oplus g}$ at least has a subgroup the intersection of $H_f$ and $H_g$, i.e. $H_f \cap H_g \subseteq H_{f \oplus g}$.

Proof. Since the intersection is a subset of $S_n$, all the laws of combination for $S_n$ are preserved. So to prove $H_{f \oplus g} = H_f \cap H_g$ is a group, it is enough to show it is self closed under the laws of combination that are used in $S_n$. Let $\pi_i, \pi_j \in H_{f \oplus g}$. Then

$$\pi_i\pi_j(f(x) \oplus g(x)) = \pi_i(f(x) \oplus g(x)) = f(x) \oplus g(x),$$

which shows the element $\pi_i\pi_j$ is in $H_{f \oplus g}$. So $H_f \cap H_g$ is self closed. Therefore it is a group. Because the elements in $H_{f \oplus g}$ are all elements in $S_n$ that leave the function $f(x) \oplus g(x)$ unchanged, so $H_f \cap H_g$ is a subgroup of $H_{f \oplus g}$ for the function $f(x) \oplus g(x)$. □

Note: The groups $H_{f \oplus g}$ and $H_f \cap H_g$ may be equal, since the function $f(x) \oplus g(x)$ may increase the symmetric property but may also reduce the symmetry properties. If $f(x) \oplus g(x) = 0$, $H_{f \oplus g} = S_n$ and $H_f \cap H_g$ is a subgroup. If $f(x)$ and $g(x)$ do not contain any common term, then $H_{f \oplus g} = H_f \cap H_g$. The following are a few trivial facts for some Boolean functions.

1. Let $k$ be an integer with $0 < k < n$. Then the function

$$h_k(x) = \bigoplus_{\alpha \in V_n,\ wt(\alpha) = k} x^\alpha$$

has group $S_n$, i.e. $H_h = S_n$.

2. Let $\{i_1, i_2, \ldots\}$ be a subset of $\{1, 2, \ldots, n\}$. Based on lemma 28, for the function

$$h(x) = h_{i_1}(x) \oplus h_{i_2}(x) \oplus \cdots, \qquad (5.7)$$

the group $H_h$ is $S_n$.

3. Let $H_f$ be the group for the function $f(x)$ on $V_n$. Then $H_f$ is also the group for the function $f(x) \oplus h(x)$, where $h(x)$ is the function (5.7) on $V_n$.

4. Let $\{i_1, i_2, \ldots, i_d\}$ be a subset of $\{1, 2, \ldots, n\}$ and

$$f(x) = x_{i_1}x_{i_2}\cdots x_{i_d}$$

a Boolean function on $V_n$ with algebraic degree $d$. Then the group $H_f = S_d \times S_{n-d}$, where $S_d$ is the symmetric group associated with the subset, and $S_{n-d}$ is the group associated with the subset $\{1, 2, \ldots, n\} \setminus \{i_1, i_2, \ldots, i_d\}$.
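The groups $H_f$ and $G_f$ of Lemmas 24 to 26 and the facts listed above can be enumerated directly for small $n$. The following Python sketch is an added illustration, not code from the thesis: it represents a function by the monomials of its algebraic normal form, lets a permutation rename the variables, and checks that $H_f$ is closed, that $|H_f| \cdot |G_f| = n!$, and that the Hamming weight is the same for every function in $G_f$. The function names and the renaming convention are assumptions of this example; the sizes of $H_f$ and $G_f$ do not depend on the convention.

```python
"""Stabiliser H_f and orbit G_f of a Boolean function under S_n."""
from itertools import combinations, permutations
from math import factorial


def anf(*monomials):
    """ANF as a set of monomials; (1, 2, 3) stands for x1*x2*x3."""
    return frozenset(frozenset(m) for m in monomials)


def act(perm, f):
    """Rename variable x_i to x_perm[i-1] in every monomial of f."""
    return frozenset(frozenset(perm[i - 1] for i in m) for m in f)


def compose(p, q):
    """The permutation 'apply q first, then p'."""
    return tuple(p[q[i] - 1] for i in range(len(p)))


def stabiliser(f, n):
    """H_f: all permutations of the n variables that leave f unchanged."""
    return [p for p in permutations(range(1, n + 1)) if act(p, f) == f]


def orbit(f, n):
    """G_f: all distinct functions obtained from f by permuting variables."""
    return {act(p, f) for p in permutations(range(1, n + 1))}


def is_closed(group):
    """Closure under composition, the property used in Lemma 24."""
    members = set(group)
    return all(compose(p, q) in members for p in group for q in group)


def weight(f, n):
    """Hamming weight of the function given by the ANF f on V_n."""
    total = 0
    for x in range(1 << n):
        value = 0
        for m in f:
            value ^= all((x >> (i - 1)) & 1 for i in m)
        total += value
    return total


def elementary_symmetric(k, n):
    """h_k: the XOR of all degree-k monomials on n variables."""
    return anf(*combinations(range(1, n + 1), k))


def summary(f, n):
    h = stabiliser(f, n)
    g = orbit(f, n)
    return {
        "H_f": len(h),
        "G_f": len(g),
        "closed": is_closed(h),
        "cosets_cover_S_n": len(h) * len(g) == factorial(n),
        "weights": sorted({weight(u, n) for u in g}),
    }


if __name__ == "__main__":
    print(summary(anf((1, 2, 3), (4, 5)), 5))   # x1x2x3 XOR x4x5
    print(summary(anf((1, 2, 3)), 5))           # single monomial, d = 3
    print(summary(elementary_symmetric(2, 4), 4))
```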

For a fixed Boolean space $V_n$, there are $2^{2^n}$ Boolean functions and the size of the permutation group is $n!$. Although this is very large, one can use permutation groups to discuss Boolean functions. The Boolean functions in the group $G_f$ share the same cryptographic properties such as Hamming weight, nonlinearity, propagation criteria and correlation immunity. For a group $G_f$, there exist subsets, $K = \{f \mid f \in G_f\}$, of functions such that $K$ is an additive group $(f, \oplus)$ if the zero is taken as the unit element in the subset. The trivial additive groups are, for example, $\{0, \pi_i f(x)\}$ (since $\pi_i f \oplus \pi_i f = 0$). If such a subset contains $m$ functions (of course $m < |G_f|$), the additive group is an $n \times m$ S-box design (note: the group order is $m + 1$). Good S-box designs need to satisfy some cryptographic properties such as [8, 12, 24, 93, 119]:

(1) any nonzero linear combination $c_1f_1 \oplus \cdots \oplus c_mf_m$ is balanced, where the S-box is $S(x) = (f_1(x), \dots, f_m(x))$, the $f_i(x)$ are on $V_n$ and $c_i \in GF(2)$, $i = 1, \dots, m$;

(2) any nonzero linear combination has high nonlinearity;

(3) any nonzero linear combination satisfies the same propagation criteria;

(4) the mapping of the S-box is regular, i.e. each vector in $V_m$ corresponds to $2^{n-m}$ vectors in $V_n$ as $x$ runs through all vectors in $V_n$ once;

(5) the S-box has good differential distribution.

If all components of an S-box are in an additive group and $G_f$ at the same time, then the discussion of the S-box becomes that of the one function, $f(x)$, on $V_n$.

5.2 Homogeneous Boolean functions

A Boolean function is homogeneous if the algebraic degree of all terms in $f(x)$ is the same. All nonzero linear Boolean functions are degree 1 homogeneous Boolean functions. In this thesis the following definition is used as the normal form for a degree-$d$ homogeneous function.

Definition 30 Let $f(x)$ be a function on $V_n$. If all terms of $f(x)$ have algebraic degree $d$, then we call the function $f(x)$ a degree-$d$ homogeneous Boolean function on $V_n$, denoted by $f^{(d)}(x)$, i.e.

$$f^{(d)}(x) = \bigoplus_{wt(a)=d} c_a x^a, \qquad c_a = 0, 1.$$

For a Boolean space Vn there are single terms.

Degree-1: The degree-1 homogeneous functions are all non-constant linear functions over $V_n$. They have 0 nonlinearity and are balanced. If the sequence $\xi_n$ is linear on $V_n$, then each sub-sequence $\xi_k$ on $V_k$, 1 < k < n, is linear. Suppose a degree-1 homogeneous function contains $k$ terms. Then the group of the function is $H_f = S_k \times S_{n-k}$ where $S_k$ and $S_{n-k}$ are symmetric groups on subspaces $V_k$ and $V_{n-k}$ respectively. The order of $G_f$ equals $n!/(k!(n-k)!)$.

Degree-2: Let

$$f^{(2)}(x) = \bigoplus_{1 \le i < j \le n} c_{ij}x_ix_j = XCX^t \qquad (5.8)$$

where

$$C = \begin{pmatrix} 0 & c_{12} & c_{13} & \cdots & c_{1n} \\ 0 & 0 & c_{23} & \cdots & c_{2n} \\ \vdots & \vdots & \vdots & \ddots & \vdots \\ 0 & 0 & 0 & \cdots & 0 \end{pmatrix},$$

$X = [x_1 \cdots x_n]$ is a $1 \times n$ matrix and $X^t$ is the transpose of $X$. The number of 1s in $C$ equals the number of terms in the function. Its propagation is

$$f(x) \oplus f(x \oplus a) = XCX^t \oplus (X \oplus a)C(X \oplus a)^t.$$

It is realized that $CX^t = XC^t$, $XCa^t = aC^tX^t$ and $f(a) = aCa^t$. So the above formula can be written as follows:

$$f(x) \oplus f(x \oplus a) = XCX^t \oplus (X \oplus a)C(X \oplus a)^t = a(C^t \oplus C)X^t \oplus f(a).$$

This function is balanced if and only if $a(C^t \oplus C) \neq 0$. The matrix $(C^t \oplus C)$ is symmetric with zero diagonal.

Let $\{y_1, \dots, y_n\}$ be a linear transformation of $\{x_1, \dots, x_n\}$ on $V_n$. For $n = 2m$, the function $y_1y_{m+1} \oplus y_2y_{m+2} \oplus \cdots \oplus y_my_{2m}$ is bent if and only if the transformation is nonsingular.

Lemma 29 Let $f(x) = XCX^t$ be a degree-2 homogeneous function on $V_n$. If the function satisfies $PC(n)$, then the determinant of the matrix $(C^t \oplus C)$ is not equal to zero, which is a necessary condition.

Proof. The function satisfying $PC(n)$ means that for all vectors with $wt(a) \neq 0$ in $V_n$ the propagation $f(x) \oplus f(x \oplus a)$ is balanced. Lemma 29 is proven by contradiction. Assume the function $f(x)$ on $V_n$ satisfies $PC(n)$ and the determinant $|(C^t \oplus C)|$ is 0. Then there exists an $n \times n$ matrix $A$ such that $A(C^t \oplus C)A^{-1}$ has at least a row with all zero entries. Suppose the row with all zero entries is the $k$-th row. Then the function has a linear structure with respect to the vector $a = (a_1, \dots, a_n)$ with $a_k = 1$ and all others zero. Therefore the function does not satisfy $PC(n)$, which contradicts the assumption. □

We note that the determinant of $(C^t \oplus C)$ is evaluated over the real number field and other calculations are Boolean addition and multiplication. Lemma 29 is equivalent to the property 6 of bent functions when the size of the space is even.

Lemma 30 If each row (or column) in the matrix $(C^t \oplus C)$ has an even number of 1s, then the function has a linear structure with respect to the vector $a = (1, \dots, 1)$. If the rank of the matrix $(C^t \oplus C)$ is $k$, then the function satisfies $PC(l)$ with $l \le k$.

Proof. Let $a = (1, \dots, 1)$ in $V_n$. If each row has an even number of 1s, then $a(C^t \oplus C) = 0$. The formula (5.10) becomes a constant, which proves the first part of the lemma. The second part of the lemma says that the order of propagation is less than or equal to $k$. Since the rank of the matrix is $k$, there exists a matrix $A$ such that the matrix $A(C^t \oplus C)A^{-1}$ has $k$ non-zero rows only. So the order of propagation criteria cannot exceed the rank $k$. □
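The propagation formula for degree-2 functions and Lemmas 29 and 30 can be checked numerically. The following Python code is an added example, not code from the thesis; the two sample functions (`BENT4`, `CYCLE4`) and all function names are chosen here for illustration.

```python
from itertools import product

def upper_matrix(n, terms):
    """Matrix C of (5.8): entry (i, j), i < j, is 1 for each term x_i x_j (1-based)."""
    C = [[0] * n for _ in range(n)]
    for i, j in terms:
        i, j = sorted((i, j))
        C[i - 1][j - 1] = 1
    return C

def sym(C):
    """C^t xor C: symmetric with zero diagonal."""
    n = len(C)
    return [[C[i][j] ^ C[j][i] for j in range(n)] for i in range(n)]

def quad(C, x):
    """f(x) = X C X^t over GF(2)."""
    n = len(C)
    return sum(x[i] & C[i][j] & x[j] for i in range(n) for j in range(n)) & 1

def gf2_rank(M):
    """Rank over GF(2) by Gaussian elimination on rows packed into integers."""
    rows = [int("".join(map(str, r)), 2) for r in M]
    rank = 0
    for bit in reversed(range(len(M[0]))):
        pivot = next((r for r in rows if (r >> bit) & 1), None)
        if pivot is None:
            continue
        rows.remove(pivot)
        rows = [r ^ pivot if (r >> bit) & 1 else r for r in rows]
        rank += 1
    return rank

def classify_directions(C):
    """Split the nonzero a into those with balanced and with constant propagation.

    For every x the brute-force value f(x) xor f(x xor a) is compared with the
    closed form a(C^t xor C)X^t xor f(a) derived in the text.
    """
    n = len(C)
    B = sym(C)
    balanced, constant = [], []
    for a in product((0, 1), repeat=n):
        if not any(a):
            continue
        aB = [sum(a[i] & B[i][j] for i in range(n)) & 1 for j in range(n)]
        fa = quad(C, a)
        weight = 0
        for x in product((0, 1), repeat=n):
            shifted = tuple(p ^ q for p, q in zip(x, a))
            d = quad(C, x) ^ quad(C, shifted)
            closed_form = (sum(p & q for p, q in zip(aB, x)) & 1) ^ fa
            if d != closed_form:
                raise AssertionError("propagation formula violated")
            weight += d
        # The propagation of a quadratic is affine: balanced or constant.
        (balanced if weight == 2 ** (n - 1) else constant).append(a)
    return balanced, constant

def pc_order(C):
    """Largest l such that every a with 1 <= wt(a) <= l has balanced propagation."""
    _, constant = classify_directions(C)
    if not constant:
        return len(C)
    return min(sum(a) for a in constant) - 1

# Constructed samples: x1x3 + x2x4 (C^t xor C nonsingular) and the 4-cycle
# x1x2 + x2x3 + x3x4 + x1x4 (every row of C^t xor C has two 1s).
BENT4 = upper_matrix(4, [(1, 3), (2, 4)])
CYCLE4 = upper_matrix(4, [(1, 2), (2, 3), (3, 4), (1, 4)])

if __name__ == "__main__":
    for name, C in (("BENT4", BENT4), ("CYCLE4", CYCLE4)):
        balanced, constant = classify_directions(C)
        print(name, "rank", gf2_rank(sym(C)), "PC order", pc_order(C),
              "linear structures", constant)
```

The vectors with constant propagation are exactly the nonzero solutions of $a(C^t \oplus C) = 0$, so their number is $2^{n-k} - 1$ for rank $k$.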

For the matrix $C$, there exists a nonsingular matrix $T$ such that

$$TCT^t = C' = \begin{pmatrix} A_{m\times m} & 0_{m\times(n-m)} \\ 0^t_{m\times(n-m)} & A'_{(n-m)\times(n-m)} \end{pmatrix}$$

where $A'_{(n-m)\times(n-m)}$ is a symmetric matrix. The function (5.8) is transformed to the function

$$f^{(2)}(x') = (XT^{-1})(TCT^t)(XT^{-1})^t = X'C'(X')^t, \qquad (5.10)$$

and the space $V_n$ is transformed to $V'_n$ where $X' = (x'_1, \dots, x'_n) = XT$ and $C' = TCT^t$. It is noted that the function is on a Boolean space. Let the matrices $TCT^t$ be calculated in the field $GF(2)$. So the entries of all the matrices are in $GF(2)$. Then function (5.10) is equivalent to function (5.8) for the cryptographic properties except for the properties that directly relate to Hamming weight. If the matrix $T$ is perfectly chosen to make $m$ minimal, then there are the following conclusions:

1. The number m is always even.

2. If m = n, the function (5.10) is bent.

3. If m < n, the function (5.10) is bent on a subspace V'm.

4. The support space of the function (5.10) is $V'_m$ if all diagonal entries in the matrix $A'_{(n-m)\times(n-m)}$ are zero.

5. The function (5.10) is balanced, if the diagonal entries of $A'_{(n-m)\times(n-m)}$ are not all zero.

6. The nonlinearity of the function (5.10) is $2^{n-1} - 2^{\frac{1}{2}(2n-m)-1}$.

7. The function (5.10) satisfies $PC(m)$.

8. The function (5.10) has linear structure with respect to the vectors $a = (0, \dots, 0, a_{i_{m+1}}, \dots, a_{i_n})$.

In fact, in the matrix $A_{m\times m}$, the entries are

$$a_{ij} = \begin{cases} 1 & \text{if } j = i + 1 \text{ with } i = 1, 3, 5, \dots \\ a_{ii} & \text{if } j = i; \\ 0 & \text{otherwise.} \end{cases}$$

In the normal form of function (5.8), if each variable occurs $r$ times, of course, $nr = 2b$, where $b$ is the number of terms in the function. The matrix $C^t \oplus C$ is symmetric and each row (and column) contains exactly $r$ 1s only. The $n$ rows are linearly independent of each other. So the matrix has rank $n$.

To construct the symmetric matrix $C^t \oplus C$ such that each row and column contains $r$ 1s, a method is introduced as follows:

• The $n \times n$ matrix is $C = [c_{ij}]$, in which

• $c_{ij} = 0$ for all entries with $j < i$ and

• $\sum_{h=1}^{i} c_{hi} + \sum_{h=i+1}^{n} c_{ih} = r$.

Then the matrix $C^t \oplus C$ is symmetric and each row (and column) contains $r$ 1s.

Lemma 31 Let the matrix $C^t \oplus C$ be symmetric and each row and column contain $r$ 1s. Let $C^t \oplus C$ be nonsingular. Then the function (5.8) is bent if $n$ is even. If $n$ is odd, the function (5.8) is balanced and has $PC(n - 1)$.

Degree-3: The most interesting topic is degree-3 homogeneous functions because there are bent functions and balanced functions with high nonlinearity without quadratic terms. There is little knowledge about general properties of higher degree homogeneous functions until now. Before paper [77] was written, there were no general descriptions of bent functions without quadratic terms. Here a few properties are given, in the hope of initiating larger-scale research on this topic.

The general algebraic representation of degree-3 homogeneous functions is as follows:

$$f^{(3)}(x) = \bigoplus_{1 \le i < j < k \le n} c_{ijk}x_ix_jx_k, \qquad c_{ijk} \in GF(2) \qquad (5.11)$$

Let $a = (a_1, \dots, a_n)$. Then the propagation of a degree-3 homogeneous function $f$ on $V_n$ is as follows:

(3) / (x) © f^(x ® a) = ®i

= ®i

$a_ia_jx_k \oplus a_ia_kx_j \oplus a_ja_kx_i \oplus a_ia_ja_k)$

= ®\

where the matrix $A_{ij}$ has an entry 1 at the $i$-th row and $j$-th column and all other entries zero, and $X = (x_1, x_2, \dots, x_n)$. Let

$$A_i = \bigoplus_{1 \le j < k \le n} c_{ijk}A_{jk}.$$

Then the function (5.12) becomes

$$f(x) \oplus f(x \oplus a) = \bigoplus_{i=1}^{n}\left(a_iXA_iX^t \oplus aA_ia^tx_i\right) \oplus f(a) \qquad (5.13)$$

Lemma 32 Let the matrices $A_1, A_2, \dots, A_n$ belong to a degree-3 homogeneous function on $V_n$. If the matrices $A_1, A_2, \dots, A_n$ are linearly independent, then the function $f(x)$ does not have linear structure with respect to all vectors $a \in V_n$ such that $wt(a) \neq 0$.

Proof. From formula (5.13) the quadratic part of the function is

$$\bigoplus_{i}\left(a_iXA_iX^t\right) = X\left(\bigoplus_{i} a_iA_i\right)X^t.$$

Because $A_1, A_2, \dots, A_n$ are linearly independent, the above formula is not equal to zero and hence formula (5.13) is not a constant function. Therefore the function has no linear structure. □

Lemma 33 For a degree-3 homogeneous function on $V_n$,

1. if the matrices $A_1, A_2, \dots, A_n$ are linearly dependent, i.e. there exists a vector $(c_1, c_2, \dots, c_n)$ such that

$$c_1A_1 \oplus \cdots \oplus c_{k-1}A_{k-1} \oplus c_{k+1}A_{k+1} \oplus \cdots \oplus c_nA_n = c_kA_k, \qquad 1 \le k \le n,$$

2. and there exists at least one of $aA_ia^t \neq 0$,

then the function satisfies the propagation criteria with respect to the vector $(c_1, c_2, \dots, c_n)$.

Proof. The proof is directly induced from the formula (5.13). If the function satisfies the first condition, the quadratic terms disappear. The second condition ensures the function is not a constant affine function. Therefore, function (5.11) has the propagation criteria with respect to the vector $(c_1, c_2, \dots, c_n)$. □

The number of non-zero entries of $A_i$ is the number of the appearances of the variable $x_i$. From a combinatorial point of view, there is a conjecture as follows.

Conjecture 1 (1) The coefficients $aA_ia^t = 0$ if $A_ia^t = 0$.

(2) If either (a) the number of entries $(m_{ij}) = 1$ corresponding to $c_j \neq 0$ is even, or (b) for $c_j = 1$, $\bigoplus_{i=1}^{n} m_{ij}c_j = 0$, is satisfied for all $1 \le j \le n$, then $aA_ia^t = 0$. Then the function has linear structure.

5.3 Degree-3 homogeneous Bent Functions

The degree-3 homogeneous bent functions on $V_6$ are obtained through a computer search. Bent functions play an important role in constructing cryptographically desirable Boolean functions. In this section, one uses the theory of the first part of this chapter to discuss their group properties. The following degree-3 homogeneous function

$$\begin{aligned} f(x) = {} & x_1x_2x_3 \oplus x_1x_2x_4 \oplus x_1x_2x_5 \oplus x_1x_2x_6 \oplus x_1x_3x_4 \oplus x_1x_3x_5 \oplus x_1x_4x_6 \oplus x_1x_5x_6 \\ & \oplus x_2x_3x_4 \oplus x_2x_3x_6 \oplus x_2x_4x_5 \oplus x_2x_5x_6 \oplus x_3x_4x_5 \oplus x_3x_4x_6 \oplus x_3x_5x_6 \oplus x_4x_5x_6 \end{aligned}$$

is bent on $V_6$. Its group $H_f$ is generated by the elements (12)(56), (13)(46) and (24)(35). It can be seen that any operation in $H_f$ acts on the function and then the function is transformed to itself. The elements (12), (13), (14) are the 3 generators of $S_4$. If one takes the mapping

(12) ↔ (12)(56), (13) ↔ (13)(46), (14) ↔ (24)(35),

one finds that $H_f$ is isomorphic with $S_4$, i.e. $H_f \simeq S_4$. Let

$$S'_3 = \{e, (12)(56), (13)(46), (23)(45), (123)(465), (132)(456)\}.$$

Then the group is also written as

$$H_f = S'_3 \cup (16)(34)S'_3 \cup (16)(25)S'_3 \cup (25)(34)S'_3.$$

The group $H_f$ is written down as follows:

{ e, (12)(56), (13)(46), (14)(36), (15)(26), (23)(45), (24)(35), (16)(34), (16)(25), (34)(25), (25)(1364), (25)(1463), (34)(1562), (34)(1265), (16)(2453), (16)(2354), (123)(465), (132)(456), (124)(365), (142)(356), (263)(145), (154)(236), (135)(264), (153)(246) }

According to Lagrange's theorem the order of $G_f = 6!/4! = 30$, which means that there are only 30 degree-3 homogeneous bent functions on $V_6$. Each function $\pi f(x)$ in $G_f$ is associated with an element $\pi \in S_n$. The set of the representative elements is given as follows:

{ e, (45), (56), (465), (456), (46), (34), (345), (34)(56), (3465), (3456), (346), (354), (35), (3564), (35)(46), (356), (3546), (3654), (365), (364), (3645), (36), (36)(45), (26)(35), (26)(354), (26)(345), (26)(34), (26)(45), (26) }

All the characteristic vectors, $\{a \mid f(a) = 1, a \in V_n\}$, are as follows:

(0,0,0,1,1,1) (0,0,1,0,1,1) (0,0,1,1,0,1) (0,0,1,1,1,0) (0,1,0,0,1,1) (0,1,0,1,1,0) (0,1,0,1,1,1) (0,1,1,0,0,1) (0,1,1,0,1,1) (0,1,1,1,0,0) (0,1,1,1,0,1) (0,1,1,1,1,0) (1,0,0,0,1,1) (1,0,0,1,0,1) (1,0,0,1,1,1) (1,0,1,0,1,0) (1,0,1,0,1,1) (1,0,1,1,0,0) (1,0,1,1,0,1) (1,0,1,1,1,0) (1,1,0,0,0,1) (1,1,0,0,1,0) (1,1,0,1,0,0) (1,1,0,1,0,1) (1,1,0,1,1,0) (1,1,1,0,0,0) (1,1,1,0,0,1) (1,1,1,0,1,0).

The above vectors form a Hadamard difference set of the group $(V_6, \oplus)$. Using Rothaus' [81] characterization of bent functions on 6 variables, it can be seen from the automorphism group of the difference set that the 3-homogeneous bent function is equivalent to the bent function

$$x_1x_2x_3 \oplus x_1x_4 \oplus x_2x_5 \oplus x_3x_6.$$

The cubic homogeneous bent functions on $V_6$ are related in a very special way. Let $\pi$ be a permutation on $\{1, 2, 3, 4, 5, 6\}$, and let $x^\pi$ denote the vector $(x_{\pi(1)}, x_{\pi(2)}, x_{\pi(3)}, x_{\pi(4)}, x_{\pi(5)}, x_{\pi(6)})$. Let $f$ be the degree 3 homogeneous bent function given above. Then

$$f^\pi(x) = f(x^\pi)$$

is also a degree 3 homogeneous bent function on the variables $x_1, x_2, x_3, x_4, x_5, x_6$. It will be shown that all six variable degree 3 homogeneous bent functions are of the form $f^\pi$ where $\pi$ is a permutation on $\{1, 2, 3, 4, 5, 6\}$. Let $H$ denote the group of permutations such that $f^\pi$ is the same Boolean function as $f$. Now consider the matrix

$$B = \begin{pmatrix} 1 & 1 & 0 & 0 \\ 0 & 0 & 1 & 1 \\ 1 & 0 & 1 & 0 \\ 0 & 1 & 0 & 1 \\ 0 & 1 & 1 & 0 \\ 1 & 0 & 0 & 1 \end{pmatrix}$$

which encodes the degree 3 terms which do not appear in $f$. Let $B^\pi$ denote the matrix obtained by permuting the rows of $B$ according to $\pi$. (So if $\pi = (1,2)$, then $B^\pi$ would equal the matrix obtained by interchanging the first row and second row of $B$.) Notice that $\pi \in H$ if and only if the set of columns in the matrix $B^\pi$ equals the set of columns in $B$. Since the columns of $B$ are distinct, every $\pi \in H$ induces a permutation of the set $\{1, 2, 3, 4\}$: namely the permutation needed to be applied to the columns of $B^\pi$ in order to change $B^\pi$ back to $B$. Let $K$ be the subgroup of $H$ whose elements induce the identity permutation on $\{1, 2, 3, 4\}$. Any element $\phi$ of $K$ must fix the sets $\{1,3,5\}$, $\{1,4,6\}$, $\{2,3,6\}$ and $\{2,4,5\}$ setwise, so $\phi(1) \in \{1,3,5\} \cap \{1,4,6\} = \{1\}$. That is $\phi(1) = 1$. Similarly, it can be shown that $\phi(i) = i$ for $i = 2, 3, 4, 5, 6$. Hence $K$ is trivial, and $H$ can have at most one element for each element in $S_4$. On the other hand, each row of $B$ corresponds to one of the six pairs of elements in $\{1, 2, 3, 4\}$. The first row corresponds to the pair $\{1,2\}$, the second row to the pair $\{3,4\}$, and so on. So it is easy to construct a row permutation which induces any prescribed permutation of the columns. Hence $H$ contains exactly $4! = 24$ elements. Since $S_6$ has 720 elements it follows that exactly $30 = 720/24$ distinct Boolean functions are of the form $f^\pi$ where $\pi \in S_6$. Since this is the total number of bent functions by exhaustive search, every homogeneous degree 3 bent function on six variables can be obtained from $f$ by applying a permutation to the indices of its variables.

Using Theorem 18, homogeneous bent functions of degree 3 can be constructed in larger spaces $V_{6k}$ ($k = 1, 2, \dots$). We rewrite the function as follows:

$$\begin{aligned} f(x) = {} & x_1x_2x_3 \oplus x_1x_2x_4 \oplus x_1x_2x_5 \oplus x_1x_2x_6 \oplus x_1x_3x_4 \oplus x_1x_3x_5 \oplus x_1x_4x_6 \oplus x_1x_5x_6 \\ & \oplus x_2x_3x_4 \oplus x_2x_3x_6 \oplus x_2x_4x_5 \oplus x_2x_5x_6 \oplus x_3x_4x_5 \oplus x_3x_4x_6 \oplus x_3x_5x_6 \oplus x_4x_5x_6 \\ = {} & x_1(x_3 \oplus x_6)(x_4 \oplus x_5) \oplus x_2(x_3 \oplus x_5)(x_4 \oplus x_6) \oplus x_3(x_1 \oplus x_6)(x_2 \oplus x_5) \\ & \oplus x_4(x_1 \oplus x_5)(x_2 \oplus x_6) \oplus x_5(x_1 \oplus x_4)(x_2 \oplus x_3) \oplus x_6(x_1 \oplus x_3)(x_2 \oplus x_4) \\ = {} & (x_1, x_2, x_3, x_4, x_5, x_6) \cdot (\phi_1, \phi_2, \phi_3, \phi_4, \phi_5, \phi_6) \end{aligned}$$

where

$$\begin{aligned} \phi_1 &= (x_3 \oplus x_6)(x_4 \oplus x_5), & \phi_2 &= (x_3 \oplus x_5)(x_4 \oplus x_6), & \phi_3 &= (x_1 \oplus x_6)(x_2 \oplus x_5), \\ \phi_4 &= (x_1 \oplus x_5)(x_2 \oplus x_6), & \phi_5 &= (x_1 \oplus x_4)(x_2 \oplus x_3), & \phi_6 &= (x_1 \oplus x_3)(x_2 \oplus x_4). \end{aligned}$$

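The Walsh-Hadamard transform of the above function is

$$\begin{aligned} F(a) &= \sum_{x \in V_6} (-1)^{f(x) \oplus a \cdot x} \\ &= \sum_{x \in V_6} (-1)^{(x_1, x_2, x_3, x_4, x_5, x_6) \cdot (\phi_1 \oplus a_1, \phi_2 \oplus a_2, \phi_3 \oplus a_3, \phi_4 \oplus a_4, \phi_5 \oplus a_5, \phi_6 \oplus a_6)} \\ &= \sum_{x \in V_6} (-1)^{x_1\phi_1 \oplus x_2\phi_2 \oplus a_1x_1 \oplus a_2x_2} (-1)^{x_3\phi_3 \oplus x_4\phi_4 \oplus a_3x_3 \oplus a_4x_4} (-1)^{x_5\phi_5 \oplus x_6\phi_6 \oplus a_5x_5 \oplus a_6x_6} \end{aligned}$$

which is easily evaluated. No matter what $a$ is, the propagation of $f(x)$ is

$$\bigoplus_{i=1}^{6} \phi_i = (x_1 \oplus x_2)(x_3 \oplus x_4) \oplus (x_3 \oplus x_4)(x_5 \oplus x_6) \oplus (x_5 \oplus x_6)(x_1 \oplus x_2),$$

which is balanced on $V_6$. So the above result can be extended to the Boolean space $V_{6n}$.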

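Lemma 34 Let $(X_1, X_2, \dots, X_n)$ be a variable vector on $V_{6n}$, in which

and $i_k \neq i_h$ for $k \neq h$, where $1 \le i \le n$. Let the functions

$$\Phi_i(x) = (\phi_{i1}, \phi_{i2}, \phi_{i3}, \phi_{i4}, \phi_{i5}, \phi_{i6}),$$

where

$$\begin{aligned} \phi_{i1} &= (x_{i_3} \oplus x_{i_6})(x_{i_4} \oplus x_{i_5}), & \phi_{i2} &= (x_{i_3} \oplus x_{i_5})(x_{i_4} \oplus x_{i_6}), \\ \phi_{i3} &= (x_{i_1} \oplus x_{i_6})(x_{i_2} \oplus x_{i_5}), & \phi_{i4} &= (x_{i_1} \oplus x_{i_5})(x_{i_2} \oplus x_{i_6}), \\ \phi_{i5} &= (x_{i_3} \oplus x_{i_2})(x_{i_4} \oplus x_{i_1}), & \phi_{i6} &= (x_{i_3} \oplus x_{i_1})(x_{i_4} \oplus x_{i_2}), \end{aligned} \qquad (5.14)$$

be recursively defined. Then the functions of the form

$$f(x) = (X_1, X_2, \dots, X_n) \cdot (\Phi_1, \Phi_2, \dots, \Phi_n) \qquad (5.15)$$

are degree three homogeneous bent functions on $V_{6n}$.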

Proof. Function (5.15) over $V_{6n}$ can also be written as

$$f(x) = \bigoplus_{i=1}^{n} X_i \cdot \Phi_i.$$

The function $X_i \cdot \Phi_i$ is bent on the subspace $V_6$. All the $n$ subspaces $V_6$ are disjoint. According to lemma 18, the functions (5.15) over $V_{6n}$ are bent. □
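The claims made for the cubic function $f$ on $V_6$ earlier in this section (bentness, the factored form $(x_1, \dots, x_6) \cdot (\phi_1, \dots, \phi_6)$, a stabilizer of 24 index permutations and 30 functions of the form $f^\pi$) and the block construction of Lemma 34 can be checked by direct computation. The Python code below is an added example, not code from the thesis; the function names and the bit-packing convention are chosen here, and the orbit is computed from the printed terms of $f$ rather than from the permutation lists in the text.

```python
from itertools import permutations

# The 16 cubic monomials of f on V6 as printed in Section 5.3 (1-based indices).
F_TERMS = frozenset(frozenset(t) for t in [
    (1, 2, 3), (1, 2, 4), (1, 2, 5), (1, 2, 6), (1, 3, 4), (1, 3, 5),
    (1, 4, 6), (1, 5, 6), (2, 3, 4), (2, 3, 6), (2, 4, 5), (2, 5, 6),
    (3, 4, 5), (3, 4, 6), (3, 5, 6), (4, 5, 6)])

def truth_table(terms, n):
    """Truth table of the ANF; the input integer x packs x_i into bit i-1."""
    masks = [sum(1 << (i - 1) for i in t) for t in terms]
    return [sum((x & m) == m for m in masks) & 1 for x in range(1 << n)]

def walsh(tt):
    """Spectrum F(a) = sum_x (-1)^(f(x) xor a.x), computed by the fast butterfly."""
    w = [1 - 2 * b for b in tt]
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
        h *= 2
    return w

def nonlinearity(tt):
    return (len(tt) - max(abs(v) for v in walsh(tt))) // 2

def is_bent(tt):
    """Bent: every spectrum value has absolute value 2^(n/2)."""
    return all(v * v == len(tt) for v in walsh(tt))

def relabel(terms, pi):
    """Apply the index permutation i -> pi[i-1] to every monomial."""
    return frozenset(frozenset(pi[i - 1] for i in t) for t in terms)

def stabilizer(terms, n):
    """Index permutations that map the term set onto itself."""
    return [pi for pi in permutations(range(1, n + 1))
            if relabel(terms, pi) == terms]

def orbit(terms, n):
    """All distinct functions obtained by permuting the variable indices."""
    return {relabel(terms, pi) for pi in permutations(range(1, n + 1))}

def factored(x):
    """(x1..x6).(phi1..phi6) with the phi_i of Section 5.3."""
    b = [None] + [(x >> k) & 1 for k in range(6)]
    phi = [None,
           (b[3] ^ b[6]) & (b[4] ^ b[5]), (b[3] ^ b[5]) & (b[4] ^ b[6]),
           (b[1] ^ b[6]) & (b[2] ^ b[5]), (b[1] ^ b[5]) & (b[2] ^ b[6]),
           (b[1] ^ b[4]) & (b[2] ^ b[3]), (b[1] ^ b[3]) & (b[2] ^ b[4])]
    return sum(b[i] & phi[i] for i in range(1, 7)) & 1

def direct_sum(terms, n, copies):
    """Lemma 34: the same cubic on `copies` disjoint blocks of n variables."""
    return frozenset(frozenset(i + n * k for i in t)
                     for k in range(copies) for t in terms)

if __name__ == "__main__":
    tt = truth_table(F_TERMS, 6)
    print("weight", sum(tt), "bent", is_bent(tt), "N_f", nonlinearity(tt))
    print("factored form agrees", all(factored(x) == tt[x] for x in range(64)))
    print("stabilizer order", len(stabilizer(F_TERMS, 6)),
          "orbit size", len(orbit(F_TERMS, 6)))
    tt12 = truth_table(direct_sum(F_TERMS, 6, 2), 12)
    print("V12: bent", is_bent(tt12), "N_f", nonlinearity(tt12))
```

The orbit computation only shows that the 30 functions $f^\pi$ are all bent; that no other degree-3 homogeneous bent function exists on $V_6$ rests on the exhaustive search reported in the text.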

Boolean functions $\phi_{i1}$ and $\phi_{i2}$ on the space $V_2^{(j)} \cup V_2^{(k)}$ are defined as follows:

$$\phi_{i1} = (x_{j1} \oplus x_{k2})(x_{j2} \oplus x_{k1}), \qquad \phi_{i2} = (x_{j1} \oplus x_{k1})(x_{j2} \oplus x_{k2}).$$

Definition 31 Let $\pi = (1 2 \cdots n)$ be an $n$-order element in $S_n$. Then

$$C_n = \{\pi, \pi^2, \dots, \pi^n\}$$

is a cyclic group. Any element in $C_n$ acting on the function $\phi_{ij}$ is defined as follows:

$$\begin{aligned} \pi\phi_{i1} &= \phi_{(\pi i)1} = (x_{(\pi j)1} \oplus x_{(\pi k)2})(x_{(\pi j)2} \oplus x_{(\pi k)1}), \\ \pi\phi_{i2} &= \phi_{(\pi i)2} = (x_{(\pi j)1} \oplus x_{(\pi k)1})(x_{(\pi j)2} \oplus x_{(\pi k)2}). \end{aligned} \qquad (5.16)$$

Lemma 35 The function

$$(\phi_{i1} \oplus \phi_{i2}) \oplus \pi(\phi_{i1} \oplus \phi_{i2}) \oplus \cdots \oplus \pi^{n-1}(\phi_{i1} \oplus \phi_{i2}) \qquad (5.17)$$

i) is a balanced degree 2 homogeneous Boolean function on $V_{2n}$ if $n$ is odd;

ii) is a degree 2 homogeneous bent function on $V_{2n}$ if $n$ is even.

Proof. From the definition, it can be seen that

$$\phi_{i1} \oplus \phi_{i2} = (x_{j1} \oplus x_{j2})(x_{k1} \oplus x_{k2}).$$

Without losing generality, let $k = j + 1$. Then the above formula becomes

$$\phi_{i1} \oplus \phi_{i2} = (x_{j1} \oplus x_{j2})(x_{j+1,1} \oplus x_{j+1,2}).$$

Thus the function (5.17) can be represented as follows:

$$\begin{aligned} & (\phi_{i1} \oplus \phi_{i2}) \oplus \pi(\phi_{i1} \oplus \phi_{i2}) \oplus \cdots \oplus \pi^{n-1}(\phi_{i1} \oplus \phi_{i2}) \\ & = (\phi_{11} \oplus \phi_{12}) \oplus (\phi_{21} \oplus \phi_{22}) \oplus \cdots \oplus (\phi_{n1} \oplus \phi_{n2}) \end{aligned}$$

Theorem 7 Let $X_i = (x_{i1}, x_{i2})$ be a variable vector on $V_2^{(i)}$. Then the variable vector $(X_1, X_2, \dots, X_n)$ is defined on $V_{2n}$. Let $\Phi_i = (\phi_{i1}, \phi_{i2})$ be a vector function on $V_2^{(j)} \cup V_2^{(k)}$. Then $(\Phi_1, \Phi_2, \dots, \Phi_n)$ is a vector function on $V_{2n}$. If $n$ is odd the function

$$(X_1, X_2, \dots, X_n) \cdot (\Phi_1, \Phi_2, \dots, \Phi_n)$$

satisfies the degree $2n$ propagation criterion over $V_{2n}$.

5.4 Degree-3 homogeneous Balanced Functions

In addition to the bent functions, degree-3 homogeneous balanced functions are found. The reason for interest in these functions is that they have good cryptographic properties such as balance, high nonlinearity and propagation criteria. There are many degree-3 homogeneous balanced functions over the Boolean space $V_n$ (n > 6). By computational searching, the following table shows the highest nonlinearity that degree-3 homogeneous balanced functions can reach.

| | $V_6$ | $V_7$ | $V_8$ | $V_9$ | $V_{10}$ |
|---|---|---|---|---|---|
| Nonlinearity | 24 | 52 | 112 | 232 | 480 |
| Upper bound (balanced functions) | 26 | 56 | 116 | 240 | 492 |
| Upper bound (Boolean functions) | 28 | 56 | 120 | 240 | 496 |

In the above table, the values of nonlinearity in the first row are computational over the corresponding Boolean spaces and the upper bounds of nonlinearity in the second row are theoretical values for balanced Boolean functions over the corresponding Boolean spaces. The values in the third row are the nonlinearities of Boolean functions on the corresponding Boolean spaces.

The following discussions are case by case on the space $V_n$. However, all cases can be extended to the space $V_{n+3k}$, $k = 0, 1, 2, \dots$. The function

$$\begin{aligned} f(x) = {} & x_1x_2x_3 \oplus x_1x_2x_4 \oplus x_1x_2x_5 \oplus x_1x_3x_4 \oplus x_1x_3x_5 \oplus x_1x_4x_6 \oplus x_1x_5x_6 \\ & \oplus x_2x_3x_6 \oplus x_2x_4x_5 \oplus x_2x_4x_6 \oplus x_2x_5x_6 \oplus x_3x_4x_5 \oplus x_3x_4x_6 \oplus x_3x_5x_6 \end{aligned}$$

on $V_6$ is balanced and has nonlinearity 24 (that is close to bent function nonlinearity 28). The propagation of the function with respect to vector $a \in V_6$ is

$$f(x) \oplus f(x \oplus a) = \bigoplus_{i=1}^{n}\left(a_iXA_iX^t \oplus aA_ia^tx_i\right) \oplus f(a)$$

where $A_1, \dots, A_6$ are $6 \times 6$ matrices with entries in $GF(2)$ [matrix entries illegible in the source].

Summarizing the above discussion:

• The matrices $A_1, \dots, A_6$ are linearly independent. By lemma 32, the function has no linear structure except for $a = 0$.

• The function satisfies SAC.

• The function is balanced.

• $N_f = 24$

Under the operations {(16), (23), (45)}, the function $f$ is unchanged. Also, the set {(124635), (125634), (134625), (135624)} leaves the function unchanged. The set

{ e, (16), (23), (45), (16)(23), (16)(45), (23)(45), (16)(23)(45), (124635), (125634), (134625), (135624), (124)(356), (125)(346), (134)(256), (135)(246), (142)(365), (152)(364), (153)(264), (143)(265), (153642), (143652), (152643), (142653) }

forms a group $H_f$. It should be pointed out that the group $H_f$ is not isomorphic to the symmetric group $S_4$, since $S_4$ does not contain any element with order 6. The group $H_f$ can also be written as

$$A \cup C_1 \cup C_2 \cup C_3 \cup C_4$$

where $A$, $A = Z_2 \times Z_2 \times Z_2$, is the Abelian group, and $C_1, C_2, C_3, C_4$ are four order 6 cyclic groups which are generated by the elements (124635), (125634), (134625), (135624) respectively. The balanced function $f(x)$ can also be expressed as

$$f(x) = \bigoplus_{1 \le i < j < k \le 6} x_ix_jx_k \oplus \bigoplus_{h=0}^{5} \pi^h(x_1x_2x_6)$$

where $\pi$ is one of the order-6 elements in $H_f$. Since the order of the group is 24, there

which says that the set of 30 3-homogeneous balanced functions with 14 terms is complete. The degree-3 homogeneous function with 15 terms,

$$\begin{aligned} f_1(x) = {} & x_1x_2x_3 \oplus x_1x_2x_4 \oplus x_1x_2x_5 \oplus x_1x_2x_6 \oplus x_1x_3x_4 \oplus x_1x_3x_5 \oplus x_1x_3x_6 \oplus x_1x_4x_5 \\ & \oplus x_2x_3x_4 \oplus x_2x_3x_6 \oplus x_2x_4x_6 \oplus x_2x_5x_6 \oplus x_3x_4x_6 \oplus x_3x_5x_6 \oplus x_4x_5x_6, \end{aligned} \qquad (5.18)$$

on $V_6$ is balanced and has nonlinearity 24. The propagation of the function with respect to vector $a \in V_6$ is

$$f_1(x) \oplus f_1(x \oplus a) = \bigoplus_{i=1}^{n}\left(a_iXA_iX^t \oplus aA_ia^tx_i\right) \oplus f_1(a)$$

where $A_1, \dots, A_6$ are $6 \times 6$ matrices with entries in $GF(2)$ [matrix entries illegible in the source].

Since the matrices $A_1, \dots, A_6$ are linearly independent, function (5.18) has no linear structure. The group $H_f$ is {e, (16), (23), (16)(23)}, which is Abelian. Therefore, the group $G_f$ has the order 180. Among all 15-term homogeneous Boolean functions, there are 4 functions which have the same symmetry. For example, the following four functions

$$\begin{aligned} f_1(x) = {} & x_1x_2x_3 \oplus x_1x_2x_4 \oplus x_1x_2x_5 \oplus x_1x_2x_6 \oplus x_1x_3x_4 \oplus x_1x_3x_5 \oplus x_1x_3x_6 \oplus x_1x_4x_5 \\ & \oplus x_2x_3x_4 \oplus x_2x_3x_6 \oplus x_2x_4x_6 \oplus x_2x_5x_6 \oplus x_3x_4x_6 \oplus x_3x_5x_6 \oplus x_4x_5x_6 \\ f_2(x) = {} & x_1x_2x_3 \oplus x_1x_2x_4 \oplus x_1x_2x_5 \oplus x_1x_2x_6 \oplus x_1x_3x_4 \oplus x_1x_3x_5 \oplus x_1x_3x_6 \oplus x_1x_4x_5 \\ & \oplus x_2x_3x_5 \oplus x_2x_3x_6 \oplus x_2x_4x_6 \oplus x_2x_5x_6 \oplus x_3x_4x_6 \oplus x_3x_5x_6 \oplus x_4x_5x_6 \\ f_3(x) = {} & x_1x_2x_3 \oplus x_1x_2x_4 \oplus x_1x_2x_5 \oplus x_1x_2x_6 \oplus x_1x_3x_4 \oplus x_1x_3x_5 \oplus x_1x_3x_6 \oplus x_1x_4x_6 \\ & \oplus x_2x_3x_6 \oplus x_2x_4x_5 \oplus x_2x_4x_6 \oplus x_2x_5x_6 \oplus x_3x_4x_5 \oplus x_3x_4x_6 \oplus x_3x_5x_6 \\ f_4(x) = {} & x_1x_2x_3 \oplus x_1x_2x_4 \oplus x_1x_2x_5 \oplus x_1x_2x_6 \oplus x_1x_3x_4 \oplus x_1x_3x_5 \oplus x_1x_3x_6 \oplus x_1x_4x_6 \\ & \oplus x_2x_3x_6 \oplus x_2x_4x_5 \oplus x_2x_4x_6 \oplus x_2x_5x_6 \oplus x_3x_4x_5 \oplus x_3x_4x_6 \oplus x_3x_5x_6 \end{aligned} \qquad (5.19)$$

have the relations

$$f_1(x) = (45)f_2 = (12)(36)f_3(x) = (12)(36)(45)f_4(x).$$

The complete set of degree-3 homogeneous bent and balanced Boolean functions on $V_6$ is listed in appendix 1.

5.5 Degree-3 homogeneous Boolean functions

Let $f(x)$ be a degree-$k$ homogeneous function on $V_n$. If the numbers of repetitions of all variables are equal, then all those functions with the same representation have the same nonlinearity, Hamming weight and propagation property.

On $V_6$. If the function $\phi_1(x)$ is defined by

$$\phi_1(x) = (x_3 \oplus x_5)(x_4 \oplus x_6)$$

and the functions $\phi_{i+1}(x)$ and $\phi_{i+2}(x)$ are recursively defined by

$$\begin{aligned} \phi_{i+1}(x) &= (x_{i+3} \oplus x_{i+5})(x_{i+4} \oplus x_{i+6}) \\ \phi_{i+2}(x) &= (x_{i+3} \oplus x_{i+6})(x_{i+4} \oplus x_{i+5}) \end{aligned}$$

where $i = 0, 1, \dots$, with the index of variables taken modulo 6, then the function

$$x_1\phi_1(x) \oplus x_2\phi_2(x) \oplus x_3\phi_3(x) \oplus x_4\phi_4(x) \oplus x_5\phi_5(x) \oplus x_6\phi_6(x) \qquad (5.20)$$

is bent.

On $V_{10}$. If the function $\phi_1(x)$ is defined by

$$\phi_1(x) = (x_3 \oplus x_5)(x_4 \oplus x_6)$$

and the functions $\phi_{i+1}(x)$ and $\phi_{i+2}(x)$ are recursively defined by

$$\begin{aligned} \phi_{2i+1}(x) &= (x_{2i+3} \oplus x_{2i+5})(x_{2i+4} \oplus x_{2i+6}) \\ \phi_{2i+2}(x) &= (x_{2i+3} \oplus x_{2i+6})(x_{2i+4} \oplus x_{2i+5}) \end{aligned}$$

where $i = 0, 1, \dots$, with the index of variables taken modulo 10, then the function

$$\begin{aligned} & x_1\phi_1(x) \oplus x_2\phi_2(x) \oplus x_3\phi_3(x) \oplus x_4\phi_4(x) \oplus x_5\phi_5(x) \\ & \oplus x_6\phi_6(x) \oplus x_7\phi_7(x) \oplus x_8\phi_8(x) \oplus x_9\phi_9(x) \oplus x_{10}\phi_{10}(x) \end{aligned} \qquad (5.21)$$

has the properties:

1. its Hamming weight is $2^{n-1} - 2^{n/2-1}$;

2. its restrictions on any subspace $V_{n-1} (\subset V_n)$ are either balanced or with Hamming weight $2^{n-2} - 2^{n/2-1}$ and have the same nonlinearity (in this case 224);

3. the function $\phi_1 \oplus \phi_2 \oplus \phi_3 \oplus \phi_4 \oplus \phi_5 \oplus \phi_6 \oplus \phi_7 \oplus \phi_8 \oplus \phi_9 \oplus \phi_{10}$ is balanced;

4. the function has the propagation criteria with respect to the vector $a$ such that $wt(a) = n$.

It is noted that if one takes the functions $\phi_i$ as variables, those functions have similar representations to the bent functions of the M-M class. The functions preserve some properties of bent functions. However, the transform from $\phi_i$ to $x$ is not linear. It cannot keep all the properties which it has in linear space. The case $V_{10}$ is an example of the space $V_{4n+2}$ ($n = 1, 2, \dots$). These functions on $V_{4n+2}$ like formulae (5.20) and (5.21) are called bent-like-MM Boolean functions. Computer calculation gave the following results:

| | $V_6$ bent | $V_6$ homogeneous | $V_{10}$ bent | $V_{10}$ homogeneous | $V_{14}$ bent | $V_{14}$ homogeneous |
|---|---|---|---|---|---|---|
| wt | 28 | 28 | 496 | 496 | 8128 | 8128 |
| $N_f$ | 28 | 28 | 496 | 480 | 8128 | 8000 |
| restriction, $x_s = 1$, on $V_{n-1}$: wt | 16 | 16 | 256 | 256 | 4096 | 4096 |
| restriction, $x_s = 1$, on $V_{n-1}$: $N_f$ | 12 | 12 | 240 | 224 | 4032 | 3904 |
| restriction, $x_s = 0$, on $V_{n-1}$: wt | 12 | 12 | 240 | 224 | 4032 | 4904 |
| restriction, $x_s = 0$, on $V_{n-1}$: $N_f$ | 12 | 12 | 240 | 224 | 4032 | 3904 |

In the above table, a function on $V_{10}$, for example, is constructed with Hamming weight 496 and nonlinearity 480. The restrictions of that function have Hamming weight 256 (balanced) and 224 respectively and the same nonlinearity, which shows that the restrictions of the homogeneous functions have the same property as a bent function has in this sense.

Chapter 6

Balanced Boolean functions

Balanced Boolean functions with high nonlinearity are cryptographically desirable Boolean functions. Work in this chapter contributes some ways to construct highly nonlinear balanced Boolean functions that lead to a new property of bent functions.

6.1 Balanced Boolean functions with high nonlinearity and good propagation criteria

Good Boolean functions are defined to have certain properties for their nonlinearity, propagation criteria, correlation immunity and balance [98, 113, 114]. For Boolean functions on an $n$-tuple Boolean space $V_n$, bent functions have the highest nonlinearity and the best propagation criteria, but they are not balanced. On the space $V_n$, there are $2^{2^n}$ different Boolean functions. In fact, a very high proportion of all functions are balanced (see footnote 1). For example out of the 256 functions on $V_3$, 70 are balanced. Simple combinatorics gives the distribution curve of the number of Boolean functions by Hamming weight.

[Figure: distribution curve $N(wt)$. $N$: the number of functions; $wt$: Hamming weight.]

Highly nonlinear balanced Boolean functions are the best candidates for cryptographic applications. This chapter discusses the balanced Boolean functions with high nonlinearity and good propagation criteria. There is considerable literature about this topic such as [6, 58, 61, 62, 64, 70, 88, 92, 95, 96, 98, 114]. Obviously, a non-constant affine function is balanced. For a finite Boolean space $V_n$, there are $2^{n+1} - 2$ affine functions. The total number of balanced functions is $\binom{2^n}{2^{n-1}}$. Since a linear transformation of a function does not change the Hamming weight of a balanced function, the function $f(xT \oplus a)$ is balanced if the function $f(x)$ is balanced on $V_n$, where $T$ is an $n \times n$ nonsingular matrix and $a$ is a vector in $V_n$.

Footnote 1: The number of Boolean functions by their Hamming weight $m$ on $V_n$ is $\binom{2^n}{m}$. The equation $\sum_{m=0}^{2^n} \binom{2^n}{m} = 2^{2^n}$ is trivial.

It is necessary to define high nonlinearity. Normally it is said that a function $f(x)$ on $V_n$ has high nonlinearity if its nonlinearity is close to the upper bound of nonlinearity for all functions in the space. For a fixed Boolean space $V_n$, each function has a fixed nonlinearity $N_f$. If the nonlinearity $N_f$ can be presented by a function of $n$, $N_f(n)$, then the functions in the same class for a larger space $V_n$ have the same expression for nonlinearity. To obtain some indication of how high the nonlinearity is, a quotient $P(n)$ defined by $P(n) = N_f/2^{n-1}$ is used on the space $V_n$. For a Boolean function $f(x)$ on $V_n$, high nonlinearity is defined as follows:

Definition 32 Let $f(x)$ be a Boolean function on $V_n$ and the nonlinearity of $f(x)$ be $N_f$. If the quotient $P(n) = N_f/2^{n-1}$ satisfies

$$\lim_{n \to \infty} P(n) = 1,$$

then the function is said to have high nonlinearity.

Bent functions have nonlinearity $2^{n-1} - 2^{n/2-1}$ and $\lim_{n\to\infty} P(n) = \lim_{n\to\infty}(1 - 2^{-n/2}) = 1$. So bent functions have high nonlinearity. The function $x_ix_j$ on $V_n$ has nonlinearity $2^{n-2}$. Then $P(n) = N_f/2^{n-1} = 0.5$. So $x_ix_j$ does not have high nonlinearity on $V_n$. Let a function have nonlinearity $2^{n-1}(1 - 2^{-\varepsilon(n)})$, where $\varepsilon(n)$ is any expression in $n$. If $\lim_{n\to\infty} \varepsilon(n) = +\infty$, then the function has high nonlinearity. If the expression of $\varepsilon(n)$ does not contain $n$, i.e. $\varepsilon(n)$ is a constant, then the function does not have high nonlinearity even though it is the highest one on the space $V_2$. Since $2^{n-1} - 2^{n/2-1}$ is the upper bound of nonlinearity for all Boolean functions over $V_n$, $\varepsilon(n) \le \frac{n}{2}$. If the nonlinearity of a function on $V_n$ is $2^{n-2}$, then $\varepsilon(n) = 1$. So for a highly nonlinear Boolean function, the nonlinearity must be a polynomial in $n$ with

$$1 < \varepsilon(n) \le \frac{n}{2}.$$

The quotient $P(n)$ does not make any sense for a fixed Boolean space. However, it makes sense for functions with the same structure in different size Boolean spaces.

Lemma 36 Let $g(x)$ and $h(y)$ be Boolean functions on $V_t$ and $V_s$ respectively. Then the function

$$f(x, y) = g(x) \oplus h(y)$$

is balanced on $V_{s+t}$ if either $g(x)$ or $h(y)$ is balanced on their support subspaces.

Proof. Suppose the function $g(x)$ is balanced on $V_t$. Then $g(x_1, \dots, x_t, 0, \dots, 0)$ is balanced on $V_{t+s}$. For each fixed $y$ the sequence of $f(x, y)$ has $2^{t-1}$ 1s. There are $2^s$ different vectors $y$. Therefore, the Hamming weight of $f(x, y)$ is $2^{t+s-1}$ and it is balanced. □

Let $f(x)$ be a nonlinear function on $V_n$. Then there exists a nonsingular $n \times n$ matrix $B$ with entries in $GF(2)$ such that

$$f(xB) = g_s(x_1, \dots, x_s) \oplus h_t(x_{s+1}, \dots, x_n) \qquad (6.1)$$

where $0 \le s \le n$ and $0 \le t \le n$ and $g_s(x)$ is a function on $V_s$ and $h_t(x)$ is a function on $V_t$ ($s + t = n$, $0 \le s, t \le n$). Thus if either $g_s$ or $h_t$ (or both) is balanced, the function (6.1) is balanced. Especially if either $g_s(x)$ or $h_t(x)$ is a non-constant affine function, the function (6.1) is balanced and its nonlinearity depends on the nonlinear part. Assume that $g_s(x)$ is the nonlinear part of function (6.1). Let $N_g$ be the nonlinearity of $g_s(x)$ over $V_s$. Then

$$N_f = 2^{n-s}N_g. \qquad (6.2)$$

For the function (6.1), by choosing the matrix $B$ let $h_t$, denoted by $l_t(x)$, be a non-zero linear function on its support subspace $V_t$. Then the function (6.1) becomes

$$f(xB) = g_s(x_1, \dots, x_s) \oplus l_t(x_{s+1}, \dots, x_n). \qquad (6.3)$$

The matrix $B$ can be chosen such that $t$ is maximum. Then if $t \neq 0$, function (6.1) is balanced. In this sense, there are two classes of balanced functions: one is for $t = 0$ (class-1) and another is for $t \neq 0$ (class-2). That the integer $t$ equals zero does not mean that there are no order one terms in function (6.3). The nonlinearity, propagation criteria and correlation immunity of the function (6.3) depend on the nonlinear part only. The function (6.3) is affine if and only if $s = 0$. Since the nonlinearity depends on the nonlinear part only, function (6.3) shows a way to construct highly nonlinear balanced functions by using highly nonlinear functions. It is well known that bent functions have the highest nonlinearity compared to the other functions on the same space. Lemma 36 offers a good tool to construct balanced Boolean functions with high nonlinearity and good propagation criteria. Some balanced function designs are discussed here which can be found in the papers [90, 88, 91, 89].

As stated before, bent functions over $V_n$ reach the maximum nonlinearity and have $PC(n)$. However, bent functions are not balanced. To construct high nonlinearity and good $PC(k)$ functions, bent functions are one of the best candidates. For the function (6.3), if $g_s(x)$ is bent, the restriction (either 0 or 1) of the function (6.3) on $V_s$ has $PC(s)$ and $N_f = 2^t(2^{s-1} - 2^{s/2-1})$. The quotient $p(n)$ is $1 - 2^{-s/2}$. If the space size $s$ is extended, $p(n)$ gets close to 1. Then function (6.3) has high nonlinearity. In the next two sections balanced Boolean functions are constructed by concatenating functions and splitting highly nonlinear Boolean functions respectively.

Lemma 37 Let $A$ be an $n \times n$ nonsingular matrix over the field $GF(2)$ and $f(x)$ be a function on $V_n$. Then the linear transformation, $f(xA)$, of $f(x)$ has the same nonlinearity, same order propagation criteria and correlation immunity as $f(x)$. The Hamming weight of $f(xA)$ equals the Hamming weight of $f(x)$ or $1 \oplus f(x)$.

Proof. The function $f(x)$ has Hamming weight $wt(f)$ on $V_n$. If the procedure for evaluating $f(x)$ is reordered, $wt(f)$ is unchanged, and a linear transformation of the space $V_n$ only changes the order of the elements in $V_n$. A linear transformation to $f(x)$ is equivalent to transforming the space $V_n \to V_n$. Therefore, $f(xA)$ and $f(x)$ have the same Hamming weight (note: affine transformation may change the Hamming weight to $2^n - wt(f)$). By the definition of nonlinearity, there exists an affine function $\varphi(x)$ such that $N_f = wt(f \oplus \varphi)$. So also $N_f = wt(f(xA) \oplus \varphi(xA))$.

l Suppose that N = wt(f(xA) ©

$0 < wt(\alpha) \le k$ in $V_n$. So linear transformation does not affect the properties of propagation and correlation immunity. □

Remark: The linear transformation $f(xA)$ of $f(x)$ does not preserve the correlation immunity and propagation characteristics with respect to a vector $\alpha$ as does $f(x)$. However, if $f(x)$ satisfies $PC(k)$, then $f(xA)$ satisfies $PC(k)$. From the definition of propagation criteria

$$\sum_{x \in V_n} (-1)^{f(x) \oplus f(x \oplus \alpha)} = 0, \quad \forall\ 1 \le wt(\alpha) \le k.$$

If the variable $x$ is substituted by $y = xA$ in the above formula, the linear transformation, $f(y) = f(xA)$, of $f(x)$ only changes the order of summation. Therefore, the linear transformation preserves the propagation criteria. On the other hand, if $f(x)$ has the propagation criteria with respect to the vector $\beta$, $f(xA)$ has the propagation criteria with respect to the vector $\beta'$, which does not always preserve the property with respect to $\beta$. The similar statement for correlation immunity has a similar proof. Lemma 37 states that "Then the linear transformation, $f(xA)$, of $f(x)$ has the same nonlinearity, same order propagation criteria and correlation immunity as $f(x)$." Here "the same order" means the same $k$-th order, not only for some particular vectors but also for all vectors that satisfy $1 \le wt(\alpha) \le k$ in $V_n$.

6.2 Concatenating functions

Let $g(x)$ be a highly nonlinear function on $V_n$ with nonlinearity $N_g$ and having $PC(k)$. Let $\xi$ be its sequence. If the two sequences, $\xi$ and $1 \oplus \xi$, are juxtaposed together, then the new sequence has length $2^{n+1}$ (on $V_{n+1}$) and Hamming weight $2^n$. Therefore, the new sequence is balanced on $V_{n+1}$, which corresponds to the function

$$f(x_1, \dots, x_n, x_{n+1}) = x_{n+1} \oplus g(x_1, \dots, x_n),$$

in which the first half is the function $g(x)$ ($x_{n+1} = 0$) and the second half is $1 \oplus g(x)$ ($x_{n+1} = 1$). The new function has nonlinearity $N_f = 2N_g$ on $V_{n+1}$. One extends the above idea to concatenate the sequences $\xi$ and $1 \oplus \xi$, $2^{m-1}$ times respectively. The new concatenated sequence is on the space $V_{n+m}$. The new sequence corresponds to the function

$$f(x_1, \dots, x_n, x_{n+1}, \dots, x_{n+m}) = g(x_1, \dots, x_n) \oplus \varphi(x_{n+1}, \dots, x_{n+m}), \qquad (6.4)$$

where

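$V_{n+m}$ with $\alpha \in V_n$ and $\beta \in V_m$. Then the propagation of the function (6.4) is as follows:

$$f(x) \oplus f(x \oplus (\alpha,\beta)) = g(x) \oplus g(x \oplus \alpha) \oplus \varphi(x) \oplus \varphi(x) \oplus \varphi(x \oplus \beta) = g(x) \oplus g(x \oplus \alpha) \oplus c,$$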

where $\alpha = (\alpha_1, \dots, \alpha_n) \in V_n$, $\beta = (\alpha_{n+1}, \dots, \alpha_{n+m}) \in V_m$, and $c \in GF(2)$. Because $g(x)$ satisfies $PC(k)$, the above function is balanced for all vectors in $V_{n+m}$ with $0 < wt(\alpha) \le k$ in $V_n$. It is noted that the function (6.4) does not have $PC(k)$ any more. Let the $(n+m) \times (n+m)$ matrix $A$ be nonsingular over $GF(2)$. Then the transformation of function (6.4),

$$f'(y) = f(xA), \qquad (6.5)$$

is balanced and has nonlinearity Nf = Nf where

Lemma 38 The function (6.5) satisfies the propagation criteria with respect to the vectors $i = (\alpha,\beta)A$ for all vectors $(\alpha,\beta) \in V_{n+m}$ such that $f(x) \oplus f(x \oplus (\alpha,\beta))$ is balanced on $V_{n+m}$.

Proof. Note that the matrix $A$ is nonsingular. So $A^{-1}$ exists. Take the inverse transform for function (6.5) and then one obtains

$$f(x) = f'(yA^{-1}).$$

Since $f(x) \oplus f(x \oplus (\alpha,\beta))$ is balanced on $V_{n+m}$, the function $f'(yA^{-1}) \oplus f'(yA^{-1} \oplus (\alpha,\beta))$ is balanced.

One can refer to similar results in the paper [91].

Let $g(x)$ and $h(x)$ be any two Boolean functions on $V_n$ and $\xi$ and $\eta$ be their sequences respectively. Similarly to the last case, the sequences $\xi$, $1 \oplus \xi$, $\eta$ and $1 \oplus \eta$ are juxtaposed to form new sequences on $V_{n+2}$ in any order. Then the new sequences are balanced and have nonlinearity greater than or equal to $2(N_g + N_h)$. Suppose the concatenation sequence is $(\xi,\ 1 \oplus \xi,\ \eta,\ 1 \oplus \eta)$, then its polynomial form is

$$f(x_1, \dots, x_n, x_{n+1}, x_{n+2}) = x_{n+1} \oplus g(x) \oplus x_{n+2}[h(x) \oplus g(x)].$$

The propagation of the function with respect to the vector $\alpha$ is

$$f(x) \oplus f(x \oplus \alpha) = \alpha_{n+1} \oplus [g(x) \oplus g(x \oplus \alpha')]
\oplus \alpha_{n+2}[g(x) \oplus g(x \oplus \alpha') \oplus h(x) \oplus h(x \oplus \alpha')]
\oplus x_{n+2}[g(x) \oplus g(x \oplus \alpha') \oplus h(x) \oplus h(x \oplus \alpha')]$$

where $\alpha = (\alpha_1, \dots, \alpha_{n+1}, \alpha_{n+2})$ and $\alpha' = (\alpha_1, \dots, \alpha_n)$. Let $\xi$ and $\eta$ be bent sequences. There are some subcases of its propagation criteria:

• $g(x) = h(x)$: The above function becomes $\alpha_{n+1} \oplus g(x) \oplus g(x \oplus \alpha')$, which satisfies the propagation criteria with respect to the vectors for which $g(x)$ has the propagation criteria.

• $g(x) \ne h(x)$ and $\alpha_{n+2} = 0$: The above function becomes $\alpha_{n+1} \oplus g(x) \oplus g(x \oplus \alpha') \oplus x_{n+2}[g(x) \oplus g(x \oplus \alpha') \oplus h(x) \oplus h(x \oplus \alpha')]$, which satisfies the propagation criteria with respect to the vectors for which $g(x)$ and $h(x)$ have the propagation criteria respectively.

• $g(x) \ne h(x)$ and $\alpha_{n+2} = 1$: whether the function is balanced or not depends on the functions $g(x) \oplus h(x \oplus \alpha')$ and $h(x) \oplus g(x \oplus \alpha')$. If they complement each other it will be balanced.

The function

$$f(x) = g_n(x) \oplus x_{n+1} \oplus \cdots \oplus x_{n+k}$$

is balanced over $V_{n+k}$ and has nonlinearity $N_f = 2^k N_g$. The maximum value of $N_g$ is $2^{n-1} - 2^{n/2-1}$ and the maximum nonlinearity on $V_{n+k}$ is $N_{max} = 2^{n+k-1} - 2^{(n+k)/2-1} = 2^k(2^{n-1} - 2^{(n-k)/2-1})$. The difference between $N_f$ and $N_{max}$ is larger as $k$ grows larger. So it is not considered that concatenating functions have high nonlinearity as the size of the extension is too large.

Corollary 5 The maximum nonlinearity of concatenated functions of the form (6.4) is $2^n - 2^{n/2}$.

The above balanced functions are obtained by concatenating a function and its complement. The concatenated functions have the maximum nonlinearity if bent functions are used. It is known that linear functions have zero nonlinearity. Let $l_i(x)$ and $l_j(x)$ ($l_i \ne l_j$) denote any two linear functions on $V_n$, and $\ell_i$ and $\ell_j$ be their binary sequences respectively. The sequences $\ell_i$ and $\ell_j$ have zero nonlinearity but the sequence $(\ell_i\ \ell_j)$ does not. According to the definition of nonlinearity and lemma 16, to get the minimum Hamming distance of $(\ell_i\ \ell_j)$ and an affine function, one of the best candidates is the sequence $(\ell_i\ \ell_i)$, which gives the Hamming distance $2^{n-1}$. Thus the nonlinearity of $(\ell_i\ \ell_j)$ is $2^{n-1}$. The sequence $(\ell_i\ \ell_j)$ is on $V_{n+1}$, corresponding to the function

$$l_i(x) \oplus x_{n+1}(l_i(x) \oplus l_j(x)).$$

The second part of the above function is quadratic with nonlinearity $2^{n-1}$. It is considered step by step. The sequence $(\ell_{i_1}\ \ell_{i_2}\ \ell_{i_3}\ \ell_{i_4})$ corresponds to the function

$$l_{i_1} \oplus x_{n+1}(l_{i_1} \oplus l_{i_2}) \oplus x_{n+2}(l_{i_1} \oplus l_{i_3}) \oplus x_{n+1}x_{n+2}(l_{i_1} \oplus l_{i_2} \oplus l_{i_3} \oplus l_{i_4}).$$

The algebraic degree of the above function is less than or equal to 3. To get the minimum Hamming distance to an affine sequence, one of the best affine sequences is $(\ell_{i_1} \cdots \ell_{i_1})$, which gives the Hamming distance $2^{n-1}(2^2 - 1)$. Thus for the concatenations of affine sequences, there is the following lemma:

Lemma 39 Let the sequences $\ell_{i_1}, \ell_{i_2}, \dots, \ell_{i_{2^n}}$ be the $2^n$ linear sequences over $V_n$ and the sequences $\ell'_{i_1}, \ell'_{i_2}, \dots, \ell'_{i_{2^n}}$ denote their complements respectively. Let the integer $m < n$. Then any concatenated sequence of $2^m$ nonconstant and different linear sequences on $V_n$

$$(\ell_{i_1}\ \ell_{i_2}\ \cdots\ \ell_{i_{2^m}}) \qquad (6.6)$$

is balanced on $V_{n+m}$ and has nonlinearity $2^{n-1}(2^m - 1)$, in which each subsequence can also be substituted for by its complement. The number of these balanced sequences on $V_{n+m}$ is $\binom{2^n - 1}{2^m} 2^m$.

Proof. It is obvious that the sequence (6.6) is balanced. According to the previous discussion, any affine function on $V_{n+m}$ can only be the concatenation of one affine subsequence or its complement on $V_n$. So the sequence (6.6) has nonlinearity $2^{n-1}(2^m - 1)$.

There are $2^n - 1$ nonzero linear sequences on $V_n$. Each concatenation uses $2^m$ sequences. So there are $\binom{2^n - 1}{2^m}$ concatenations. Because each subsequence can be substituted by its complement, there are $2^m$ ways to do these substitutions. Therefore, $\binom{2^n - 1}{2^m} \times 2^m$ of this kind of balanced Boolean functions can be constructed over $V_{n+m}$. □

Some concatenations using lemma 39 are listed as follows.

             V7    V8    V9    V10   V11   V12    V13
n = 7, m =   -     1     2     3     4     5      6
      Nf =   -     64    192   448   960   1984   4032
n = 6, m =   1     2     3     4     5     6      -
      Nf =   32    96    224   480   962   -      -

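The function of sequence (6.6) is as follows:

$$f(x) = l_{i_1} \oplus x_{n+1}(l_{i_1} \oplus l_{i_2}) \oplus x_{n+2}(l_{i_1} \oplus l_{i_3}) \oplus x_{n+1}x_{n+2}(l_{i_1} \oplus l_{i_2} \oplus l_{i_3} \oplus l_{i_4})$$
$$\oplus\ x_{n+3}(l_{i_1} \oplus l_{i_5}) \oplus x_{n+1}x_{n+3}(l_{i_1} \oplus l_{i_2} \oplus l_{i_5} \oplus l_{i_6}) \oplus x_{n+2}x_{n+3}(l_{i_1} \oplus l_{i_3} \oplus l_{i_5} \oplus l_{i_7})$$
$$\oplus\ x_{n+1}x_{n+2}x_{n+3}(l_{i_1} \oplus l_{i_2} \oplus l_{i_3} \oplus l_{i_4} \oplus l_{i_5} \oplus l_{i_6} \oplus l_{i_7} \oplus l_{i_8}) \oplus \cdots$$
$$\oplus\ x_{n+1} \cdots x_{n+m}(l_{i_1} \oplus l_{i_2} \oplus \cdots \oplus l_{i_{2^m}}).$$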

So the maximum algebraic degree of a linear concatenation function is less than or equal to $m + 1$. On the space $V_n$, the maximum number of different linear functions is $2^n$, which includes the zero function. Let $l_i$ be the $i$-th linear function on $V_n$. Then the equation

$$l_1(x) \oplus l_2(x) \oplus \cdots \oplus l_{2^n-1}(x) = 0$$

is always true. The extreme case is $m = n$. In this case, there are only $2^n$ linear sequences, which includes zero. So one can not make a balanced sequence on $V_{2n}$ by this concatenation. As discussed before, all the different $2^n$ linear sequences juxtaposed together in any order form a bent function and, of course, have the maximum nonlinearity. From the above discussion, there is a conclusion as follows.

Lemma 40 Let $f(x)$ be a balanced Boolean function on $V_n$. Let each subsequence with length $2^m$ ($m < n$) be nonzero and linear. Then the closer $m$ is to $n/2$, the higher the nonlinearity $N_f$ of $f(x)$.

6.3 Constructions for highly nonlinear balanced Boolean functions by bent functions

In the previous section, balanced functions are formed by concatenating functions and their complements. This section discusses balanced functions obtained by splitting highly nonlinear Boolean functions.

Let $f(x)$ be a Boolean function on $V_n$. Then $f(x)$ can be expressed by

$$f(x) = g(x) \oplus x_n h(x) \qquad (6.7)$$

where $g(x)$ and $h(x)$ are two Boolean functions on $V_{n-1}$. Let $N_g$ and $N_h$ be the nonlinearities of function $g(x)$ and $h(x)$ on the space $V_{n-1}$ respectively. Then for the function (6.7), the following lemma is true.

Lemma 41 The nonlinearity of function (6.7) satisfies the inequality

$$N_f \ge N_g + N_h.$$

If the function (6.7) is bent, the following lemma holds.

Lemma 42 Let

$$f(x) = g(x) \oplus x_n h(x) \qquad (6.8)$$

be a bent function on space $V_n$ and $g(x)$ and $h(x)$ be two functions on $V_{n-1}$. Then

(i) the function $h(x)$ is balanced over $V_{n-1}$;

(ii) either $g(x)$ or $g(x) \oplus h(x)$ is balanced on the space $V_{n-1}$;

(iii) the functions $g(x)$ and $g(x) \oplus h(x)$ have the same nonlinearity $2^{n-2} - 2^{n/2-1}$ on space $V_{n-1}$;

(iv) and the algebraic degree of the balanced function $g(x)$ or $g(x) \oplus h(x)$ is less than or equal to $n/2$.

Proof. Because the bent function satisfies the propagation criteria with respect to all non-zero vectors, it satisfies the propagation criteria with respect to vector $(0, \dots, 0, 1)$ which gives that $h(x)$ is balanced on $V_n$. So $h(x)$ is balanced on $V_{n-1}$.

Since the function considered is bent on $V_n$, its binary sequence has Hamming weight $2^{n-1} \pm 2^{n/2-1}$. Suppose the first half of the sequence (corresponding to the function $g(x)$) has Hamming weight $A$ and the second half (corresponding to the function $g(x) \oplus h(x)$) has Hamming weight $B$, then $A + B = 2^{n-1} \pm 2^{n/2-1}$. According to the definition of a bent function, it is known that the Hamming distance between the bent function and any linear function is $2^{n-1} \pm 2^{n/2-1}$. So the linear function $x_n$ is chosen and its Hamming distance to the bent function is calculated. The Hamming weight of the first half of the sequence of $f(x) \oplus x_n$ is $A$ and that of the second half of the sequence of $f(x) \oplus x_n$ is $2^{n-1} - B$. Thus one gets

$$\begin{cases} A + B = 2^{n-1} \pm 2^{n/2-1} \\ A + 2^{n-1} - B = 2^{n-1} \pm 2^{n/2-1} \end{cases} \Longrightarrow \begin{cases} A + B = 2^{n-1} \pm 2^{n/2-1} \\ A - B = \pm 2^{n/2-1}. \end{cases}$$

Hence either $A$ or $B$ is equal to $2^{n-2}$. Thus the first conclusion of the lemma is proved. From the above proof, the second conclusion is also proved. Since the maximum algebraic degree of a bent function is less than or equal to $n/2$, so is the maximum algebraic degree of the balanced function, $g(x)$ or $g(x) \oplus h(x)$. □

From lemma 42, highly nonlinear balanced functions on any odd space can be constructed by using bent functions. For a bent function, the quotient $P_B = 1 - 2^{-n/2}$ and, for the balanced function obtained from lemma 42 on $V_{n-1}$, the quotient $P = 1 - 2^{-(n+2)/2}$. For a large number $n$, the two quotient numbers are close to 1. For example consider the function $f(x) = x_1x_2 \oplus x_3x_4 \oplus \cdots \oplus x_{n-1}x_n$. Then the function $x_1x_2 \oplus x_3x_4 \oplus \cdots \oplus x_{n-1}$ is balanced whereas $h_{n-1}(x) = x_{n-1}$. It is known the function

$$f(x) = x_1x_2x_3 \oplus x_1x_2x_4 \oplus x_1x_2x_5 \oplus x_1x_2x_6 \oplus x_1x_3x_4 \oplus x_1x_3x_5 \oplus x_1x_4x_6 \oplus x_1x_5x_6 \oplus x_2x_3x_4 \oplus x_2x_3x_6$$
$$\oplus\ x_2x_4x_5 \oplus x_2x_5x_6 \oplus x_3x_4x_5 \oplus x_3x_4x_6 \oplus x_3x_5x_6 \oplus x_4x_5x_6,$$

given in [75], is a bent function on $V_6$. So either

$$g(x) = x_1x_2x_3 \oplus x_1x_2x_4 \oplus x_1x_2x_5 \oplus x_1x_3x_4 \oplus x_1x_3x_5 \oplus x_2x_3x_4 \oplus x_2x_4x_5 \oplus x_3x_4x_5$$

or

$$g(x) \oplus h(x) = x_1x_2x_3 \oplus x_1x_2x_4 \oplus x_1x_2x_5 \oplus x_1x_3x_4 \oplus x_1x_3x_5 \oplus x_2x_3x_4 \oplus x_2x_4x_5 \oplus x_3x_4x_5$$
$$\oplus\ x_1x_2 \oplus x_1x_4 \oplus x_1x_5 \oplus x_2x_3 \oplus x_2x_5 \oplus x_3x_4 \oplus x_3x_5 \oplus x_4x_5$$

is balanced. In this case the second one is balanced on $V_5$.

Lemma 43 [76] Let $g(x)$ be a bent function on $V_{n-1}$ ($n$ odd) and $h(x)$ a Boolean function on the same Boolean space. If $g(x) \oplus h(x)$ is bent, then the function

$$f(x) = g(x) \oplus x_n h(x), \qquad (6.9)$$

over $V_n$, has Hamming weight either $2^{n-1}$ (balanced) or $2^{n-1} \pm 2^{(n-1)/2}$. Its nonlinearity is

$$N_f = 2^{n-1} - 2^{(n-1)/2}.$$

The function (6.9) satisfies the propagation criteria exactly as do bent functions except for the vectors $\alpha = (\alpha_1, \dots, \alpha_n) \in V_n$ such that $\alpha_n = 1$.

Proof. Since the function $g(x)$ is bent over $V_{n-1}$, it has Hamming weight $wt(g) = 2^{n-2} \pm 2^{(n-2)/2-1}$. Furthermore, because the function $g(x) \oplus h(x)$ is bent, its Hamming weight is $wt(g \oplus h) = 2^{n-2} \pm 2^{(n-2)/2-1}$ too. Therefore the Hamming weight of function (6.9) is either $2^{n-1}$ (balanced) or $2^{n-1} \pm 2^{(n-1)/2}$. The sequence of function (6.9) has bent sequences in both its first half and second half by definition. So the Hamming distance between the function (6.9) and any affine function over $V_n$ is $2^{n-1} \pm 2^{(n-1)/2}$. According to the definition of nonlinearity, the nonlinearity of the function is $2^{n-1} - 2^{(n-1)/2}$. Bent functions satisfy the degree $k$ ($0 < k < n$) propagation criteria. Let $\alpha = (\alpha_1, \dots, \alpha_n) \in V_n$. The propagation of the function (6.9) is

$$f(x) \oplus f(x \oplus \alpha) = g(x) \oplus g(x \oplus \alpha) \oplus x_n h(x) \oplus x_n h(x \oplus \alpha) \oplus \alpha_n h(x \oplus \alpha)$$

where $0 < wt(\alpha) = k < n$. Since $g(x) \oplus g(x \oplus \alpha)$ and $g(x) \oplus g(x \oplus \alpha) \oplus h(x) \oplus h(x \oplus \alpha)$ are balanced on $V_{n-1}$, the function

$$g(x) \oplus g(x \oplus \alpha) \oplus x_n h(x) \oplus x_n h(x \oplus \alpha)$$

is balanced on $V_n$. Then the function (6.9) satisfies the propagation criteria except for the vectors with $\alpha_n = 1$. □

There are $2^{n-1}$ vectors in $V_n$ that contain the entry $\alpha_n = 1$. Therefore, the function (6.9) has the same properties as bent functions have over half the vectors in $V_n$. Since $g(x) \oplus h(x)$ is bent, the algebraic degree of the function is less than or equal to $(n-1)/2$ and then the function $f(x)$ has algebraic degree less than or equal to $(n-1)/2 + 1$. Using lemma 42 if let $n = m + 1$, then the nonlinearity of the functions $g(x)$ and $g(x) \oplus h(x)$ is $2^{m-1} - 2^{(m-1)/2}$ which is the same as the nonlinearity given by lemma 43. The following table shows that the quotient number $P$ of bent functions and balanced functions obtained from both lemma 42 and lemma 43 tend to 1 at the same rate as the space size $n$ increases.

                   Balanced   Bent     Balanced   Bent      Balanced
Vn                 V7         V8       V9         V10       V11
Nf                 56         120      240        496       912
P = Nf / 2^(n-1)   0.875      0.9375   0.9375     0.96875   0.96875
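Lemmas 39, 42 and 43 can be checked numerically on small spaces with the Walsh transform. The following Python sketch is an added example, not code from the thesis; the bit-ordering convention and all function names are assumptions of this example. The second function on V6 uses the alternative block list given in Section 7.2, which is the first function with x5 and x6 exchanged and is therefore bent by Lemma 37.

```python
# Index convention (assumption of this sketch): bit i-1 of the table index is x_i,
# so the first half of a sequence has x_n = 0 and the second half has x_n = 1.

# Terms of the degree-3 homogeneous bent function on V6 quoted above from [75].
BENT_V6 = "123 124 125 126 134 135 146 156 234 236 245 256 345 346 356 456".split()
# The same terms with x5 and x6 exchanged (the alternative block list of Section 7.2).
BENT_V6_ALT = "123 124 125 126 134 156 234 256 345 346 356 456 136 145 246 235".split()


def sequence(terms, n):
    """Sequence (truth table) of the XOR of monomials such as '123' = x1*x2*x3."""
    seq = []
    for idx in range(1 << n):
        value = 0
        for term in terms:
            value ^= int(all((idx >> (int(d) - 1)) & 1 for d in term))
        seq.append(value)
    return seq


def walsh(seq):
    """Fast Walsh-Hadamard transform: entry a is sum over x of (-1)^(f(x) + <a,x>)."""
    w = [1 - 2 * b for b in seq]
    step = 1
    while step < len(w):
        for start in range(0, len(w), 2 * step):
            for j in range(start, start + step):
                w[j], w[j + step] = w[j] + w[j + step], w[j] - w[j + step]
        step *= 2
    return w


def nonlinearity(seq):
    """Minimum Hamming distance from the sequence to all affine sequences."""
    return (len(seq) - max(abs(v) for v in walsh(seq))) // 2


def is_balanced(seq):
    return 2 * sum(seq) == len(seq)


def is_bent(seq):
    return all(v * v == len(seq) for v in walsh(seq))


def split(seq):
    """f = g + x_n*h  ->  (g, h, g+h): the two halves of the sequence and their XOR."""
    half = len(seq) // 2
    g, g_plus_h = seq[:half], seq[half:]
    return g, [a ^ b for a, b in zip(g, g_plus_h)], g_plus_h


def lemma39(n, masks, complemented=()):
    """Concatenate the linear sequences <mask, x> on V_n, one per mask; positions
    listed in `complemented` are replaced by their complements."""
    count = len(masks)
    if (count == 0 or count & (count - 1) or len(set(masks)) != count
            or not all(0 < c < (1 << n) for c in masks)):
        raise ValueError("need 2^m distinct nonzero linear functions on V_n")
    seq = []
    for pos, mask in enumerate(masks):
        flip = int(pos in complemented)
        seq += [(bin(mask & x).count("1") & 1) ^ flip for x in range(1 << n)]
    return is_balanced(seq), nonlinearity(seq)


def lemma42():
    """Split the bent function on V6 into its halves on V5."""
    f = sequence(BENT_V6, 6)
    g, h, g_plus_h = split(f)
    return {
        "f_bent": is_bent(f), "wt_f": sum(f), "h_balanced": is_balanced(h),
        "wt_g": sum(g), "wt_g_plus_h": sum(g_plus_h),
        "N_g": nonlinearity(g), "N_g_plus_h": nonlinearity(g_plus_h),
    }


def lemma43():
    """Join a bent function and the complement of a second bent function on V6
    into f = g + x_7*h on V7; returns (balanced?, nonlinearity)."""
    g = sequence(BENT_V6, 6)
    g_plus_h = [1 ^ b for b in sequence(BENT_V6_ALT, 6)]
    return is_balanced(g + g_plus_h), nonlinearity(g + g_plus_h)


if __name__ == "__main__":
    print("Lemma 39, n=3, m=2:", lemma39(3, [1, 2, 3, 4]))
    print("Lemma 42:", lemma42())
    print("Lemma 43 on V7:", lemma43())
```
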

6.4 Constructions for highly nonlinear balanced Boolean functions by highly nonlinear non-balanced Boolean functions

Let $g_{n-1}(x)$ and $h_{n-1}(x)$ be Boolean functions on the space $V_{n-1}$. Any Boolean function $f(x)$ on $V_n$ can be formed by combining two functions on $V_{n-1}$, $g_{n-1}(x)$ and $h_{n-1}(x)$, such that

$$f(x) = g_{n-1}(x) \oplus x_n h_{n-1}(x). \qquad (6.11)$$

Then we have

$$g_{n-1} = g_{n-2} \oplus x_{n-1}h_{n-2}$$
$$g_{n-2} = g_{n-3} \oplus x_{n-2}h_{n-3}$$
$$g_{n-k+1} = g_{n-k} \oplus x_{n-k+1}h_{n-k}$$

and

$$f(x) = g_{n-1}(x) \oplus x_n h_{n-1}(x) = g_{n-2} \oplus x_{n-1}h_{n-2} \oplus x_n h_{n-1}(x) = g_{n-k} \oplus \bigoplus_{i=1}^{k} x_{n-i+1}h_{n-i}.$$

Lemma 42 and 43 give high nonlinearity balanced functions on odd spaces. In the formula (6.11), if $wt(g_{n-1}) = wt(g_{n-1} \oplus h_{n-1})$, the function (6.11) is balanced. Therefore, any functions on the subspace $V_m$ can be used to construct balanced functions on $V_n$ ($m < n$). The nonlinearity of function (6.11) depends on the choice of both $g(x)$ and $h(x)$. From the proof of lemma 43, the following lemma can be proven.

Lemma 44 Let $g_{n-1}(x)$ and $g_{n-1}(x) \oplus h_{n-1}(x)$ be two functions on $V_{n-1}$ with Hamming weight $wt(g)$ and $wt(g \oplus h)$ respectively. Suppose the nonlinearity of $g_{n-1}(x)$ and $g_{n-1}(x) \oplus h_{n-1}(x)$ is $N_g$ and $N_{g \oplus h}$ respectively. Then the function

$$f(x) = g_{n-1}(x) \oplus x_n h_{n-1}(x)$$

on $V_n$ has nonlinearity

$$N_f \ge N_g + N_{g \oplus h}.$$

Proof. Assume ipg and

Vn__. For function f®

$N_{g \oplus h}$ 1s. So the function $f \oplus \varphi_g \oplus x_n\varphi_h$ has Hamming weight $N_g + N_{g \oplus h}$. Therefore for the function $f(x)$, the Hamming distance to an affine function $\varphi$ on $V_n$ always has

$$wt(f \oplus \varphi) \ge wt(f \oplus \varphi_g \oplus x_n\varphi_h).$$

According to the definition of nonlinearity, one has $N_f \ge N_g + N_{g \oplus h}$. Then the lemma is proven. □

To construct a highly nonlinear balanced function on $V_n$, two functions are chosen, $g_{n-1}(x)$ which has high nonlinearity and $h_{n-1}(x)$ which satisfies $wt(g) = 2^{n-2} - wt(g \oplus h)$, then the function (6.11) is balanced and has nonlinearity $N_f \ge N_g + N_{g \oplus h}$.

Chapter 7

Block designs and degree-3 homogeneous functions

The combinatorial parameters can also be used to discuss the homogeneous functions. A combinatorial design is a way of choosing, from a given finite set, a collection of subsets with particular properties. Probably the earliest systematic study of designs was that published by Euler in 1782 [33]. A lot of work has been done for balanced incomplete block designs. Partially balanced incomplete block designs were introduced by Bose and Nair [10]. However, it seems that there is little knowledge about the relations of Boolean functions and block designs. Each single term is considered as a block such that $x_1x_2x_3$ is a block 123. According to combinatorial block design, let the parameters $v, k, b, r$ stand for space dimension, order of the homogeneous function, the terms in the function and the number of repetitions of each variable in the function respectively. In this part some definitions for a partially balanced incomplete block design PBIBD and the connection of a PBIBD with a homogeneous function are introduced.

7.1 Introduction of BIBD and PBIBD

Definition 33 (Block Design) A design in which all blocks contain the same number of varieties and each variety occurs the same number of times in the blocks is called a block design $(X, B)$, in which $X$ stands for the variety set and $B$ for the blocks. So the symbols $v, b, r, k$ are used to denote the number of varieties (treatments), blocks, replication of varieties and the size of the blocks respectively.

1. If the number of varieties in one block is less than the number of the varieties in the variety set ($0 < k < v$), the design is said to be incomplete.

2. If the number of the occurrence of any pairs of varieties in blocks is the same and $0 < k < v$, the design is called a balanced incomplete block design $BIBD(v,b,r,k,\lambda)$ where $\lambda$ stands for the number of occurrences of a pair of varieties.

3. If the number of the occurrence of any pairs of varieties in blocks is not the same and $0 < k < v$, the design is called a partial balanced incomplete block design $PBIBD(v,b,r,k,\lambda_1,\lambda_2,\dots)$.

A variety and a block are said to be incident if the variety belongs to the block. One convenient way to represent a design is by means of an incidence matrix. For a design $(X, B)$ with $v$ varieties and $b$ blocks, the incidence matrix is a $v \times b$ matrix, $A = (a_{ij})$, such that $a_{ij} = 1$ if $i \in b_j$ and $a_{ij} = 0$ otherwise. Let $J$ be the matrix whose entries all equal one. Then

$$AJ_{b \times b} = rJ_{v \times b}, \quad \text{and} \quad J_vA = kJ_{v \times b}.$$

Two designs are isomorphic if and only if there exist permutation matrices $P$ and $Q$ such that

$$PA_1Q = A_2.$$

In any design, there is

$$vr = bk. \qquad (7.1)$$

If the design is balanced, there is

$$\lambda(v - 1) = r(k - 1). \qquad (7.2)$$

For a design $B[k, \lambda; v]$, there is

$$AA^T = (r - \lambda)I_v + \lambda J_v. \qquad (7.3)$$

For this application, a method for the PBIBD which is called association scheme is introduced. An association scheme with $m$ associate classes on a $v$-set $X$ is a family of $m$ symmetric anti-reflexive binary relations on $X$ such that:

(i) any two distinct elements of $X$ are $i$th associates for exactly one value of $i$, where $1 \le i \le m$;

(ii) each element of $X$ has $n_i$ $i$th associates;

(iii) for each $i$, if $x$ and $y$ are $i$th associates, then there are $p^i_{jl}$ elements of $X$ which are both $j$th associates of $x$ and $l$th associates of $y$. The numbers $v$, $n_i$ ($1 \le i \le m$), and $p^i_{jl}$ ($1 \le i,j,l \le m$) are called the parameters of the association scheme. It can be seen that $p^i_{jl} = p^i_{lj}$. Often it is written by $P_i = (p^i_{jl})$, $i = 1, 2, \dots, m$.

A PBIBD(m), which contains parameters $(v,b,r,k,\lambda_i)$, determines an association scheme but the converse is false.

Definition 34 Association Matrix. $B_i = (b^i_{jl})$, $1 \le i \le m$, $1 \le j,l \le v$, where $b^i_{jl} = 1$ if $j$ and $l$ are $i$th associates, and $b^i_{jl} = 0$ otherwise.

Denote $B_0 = I_v$. There is a lemma as follows.

Lemma 45 Let $B_0, \dots, B_m$ be the association matrices for an $m$-association class association scheme. Then (i) $\sum_{i=0}^{m} B_i = J$;

(ii) BiJv = niJv; m (Hi) BiBj = YpfljBhi /i=0 B M YEP>l * = Bi{BjBh) = (BtB3)Bh = EEPSP^-

Lemma 46 Let $A$ be the incidence matrix of a $PB[k, \lambda_1, \dots, \lambda_m; v]$ design and let $B_0, B_1, \dots, B_m$ be the corresponding association matrices. Then

$$AA^T = rI + \sum_{u=1}^{m} \lambda_u B_u$$

and

$$J_vA = kJ_{v \times b}.$$

Conversely, if A is a v x b (0,1) matrix which satisfies the above two equations where

B0,Bx,...,Bm satisfy the conditions of lemma 45, then, provided k

dence matrix of a PB[k, A_,..., Am; v] design.

Lemma 47 The parameters of a PBIBD(m) satisfy:

(i) $vr = bk$;

(ii) $\sum_{i=1}^{m} n_i = v - 1$;

(iii) $\sum_{i=1}^{m} n_i\lambda_i = r(k - 1)$;

(iv) $\sum_{u=0}^{m} p^h_{ju} = n_j$;

(v) $n_i p^i_{jh} = n_j p^j_{ih}$.

Lemmas 45, 46 and 47 are basic relations of the parameters of a PBIBD. All of their proofs can be found in the literature [25, 104]. Of all the PBIBDs, those with two associate classes have been studied the most, because they are both the most useful and the simplest. Two-associate-class PBIBD(2)s are usually classified, according to properties of their association schemes, in six types as follows:

1. group divisible;

2. triangular;

3. Latin-square-type;

4. cyclic;

5. partial type;

6. miscellaneous.

As part of the classification depends on the eigenvalues¹ of $AA^T$, there is a lemma as follows to evaluate them.

Lemma 48 Let $A$ be the incidence matrix of a $PB[k, \lambda_1, \lambda_2; v]$ design. Let

$$\gamma = p^2_{12} - p^1_{12}, \quad \beta = p^1_{12} + p^2_{12}, \quad \Delta = \gamma^2 + 2\beta + 1.$$

Then the eigenvalues of $AA^T$ are

$$rk \quad \text{and} \quad \theta_i = r + \tfrac{1}{2}\left[(\lambda_1 - \lambda_2)\left(\gamma + (-1)^i\sqrt{\Delta}\right) - (\lambda_1 + \lambda_2)\right], \quad i = 1, 2$$

with multiplicities

$$1 \quad \text{and} \quad c_i = \frac{n_1 + n_2}{2} + \frac{(-1)^i\left[(n_2 - n_1) - \gamma(n_1 + n_2)\right]}{2\sqrt{\Delta}}$$

respectively.

¹ The eigenvalues of a matrix $A$ are the solutions of the equation $\det|A - \theta I| = 0$.

Let $X$ be a subset of $v$ variables such that

$$X = \bigcup_{i=1}^{m} G_i, \quad |G_i| = n \text{ for } 1 \le i \le m, \quad G_i \cap G_j = \emptyset \text{ for } i \ne j.$$

The $G_i$'s are called groups although they are not groups in the usual algebraic sense.

Definition 35 An association scheme defined on $X$ is said to be group divisible if the varieties in the same group are first associates and those in different groups are second associates. A design in which the underlying association scheme is group divisible is called a group divisible design (GD).

7.2 Designs for highly nonlinear homogeneous Boolean functions

In this section, through the examples one will see the relations of the block designs and homogeneous Boolean functions. In block designs, two equal blocks in one design are allowed. However, this is not allowed in a Boolean function as the addition of two equal terms gives zero in $GF(2)$. So for the Boolean function design, the restriction that each block can occur only once in a Boolean function design is necessary. In most cases, homogeneous Boolean functions are incomplete non-balanced block designs which are too random to yield useful patterns. Here only balanced incomplete function designs (BIFD) and partial balanced incomplete function designs (PBIFD) are discussed. Except for the restriction above, all the parameters used are exactly the same as for BIBD and PBIBD respectively.

Lemma 49 Let $f(x)$ be a degree-3 homogeneous Boolean function on $V_n$, $r_1 = \cdots = r_n$ and $\lambda_1 = \cdots = \lambda_m$. If the function has propagation criteria with respect to $\alpha$, then the function has propagation criteria with respect to all vectors $\alpha_i$ such that $wt(\alpha_i) = wt(\alpha)$.

Proof. The proof is trivial. Since all variables are uniformly distributed in all the terms of the function, any vector with the same Hamming weight shares the same advantages with the function. If the function has propagation criteria with respect to $\alpha$, the 1-1 linear transformation is used to change the function into an equivalent one for the vector $\alpha_i$ such that $wt(\alpha_i) = wt(\alpha)$. □

Let $f(x)$ be a Boolean function on $V_n$. Let $r_1, \dots, r_n$ be the numbers of the repetitions of the variables $x_1, \dots, x_n$ in the function $f(x)$ respectively. Each term of $f(x)$ is considered to be a block. All designs are based on the following rules:

1. The repetitions of variables are equal, i.e. $r_1 = \cdots = r_n$. So the designs are partially balanced at least.

2. The values $\lambda_1, \dots, \lambda_m$ of the pair occurrences are as close as possible.

The reasons these rules are chosen are that it is believed that, for a fixed term (denoted by $b$) in a degree-n homogeneous function, (1) the nonlinearity of the functions that satisfy rule-1 is greater than or equal to that of those that do not satisfy rule-1 and they have single weight degree propagation criteria uniformly; (2) rule-2 better defines the nonlinear character of the functions. The rules can be our conjectures for homogeneous Boolean functions. However we can not prove if it is true. From an algebraic view point, the rules ensure that linear transformation can do as little as possible to reduce the number of the same degree terms in the function. At the moment, our main results to support our choices are experimental. Now one uses a PBIBD, as examples, to construct highly nonlinear Boolean functions on $V_n$ to see how good they are.

PBIBD(6,16,8,3,4,3): There are 6 variables ($v = 6$) and 16 blocks of variables. The other parameters of the PBIBD are $r = 8$, $k = 3$, $\lambda_1 = 4$ and $\lambda_2 = 3$ respectively. Then there are two associates with $n_1 = 1$ and $n_2 = 4$ as follows:

Elements   1-th associates   2-th associates
1          2                 3, 4, 5, 6
2          1                 3, 4, 5, 6
3          4                 1, 2, 5, 6
4          3                 1, 2, 5, 6
5          6                 1, 2, 3, 4
6          5                 1, 2, 3, 4

which satisfies the association scheme, and

$$P_1 = \begin{pmatrix} 0 & 0 \\ 0 & 4 \end{pmatrix}, \quad P_2 = \begin{pmatrix} 0 & 1 \\ 1 & 2 \end{pmatrix}, \quad P_0 = \begin{pmatrix} 1 & 0 \\ 0 & 4 \end{pmatrix}.$$

Then the PBIBD(2) with parameters (6,16,8,3,4,3) is:

123 124 125 126 134 156 234 256 345 346 356 456 135 146 236 245

that is denoted by $PB(k, \lambda_1, \dots, \lambda_m : v) = PB(3,4,3 : 6)$, which appears in the following table as No.1. In this case, there are two designs for the association scheme. Consider the last four blocks. If one changes

135 146 236 245 to 136 145 246 235,

one obtains another design with $PB(3,4,3 : 6)$. The design, which is group divisible, was given by Clatworthy in 1956 [25] but he did not relate it with Boolean functions. The design is related to a bent function which was first published in 1999 [77].

PBIBD(6,14,7,3,2,3): This design was given by Clatworthy in 1956 [25] too, which gives a balanced function. The two associates are as follows:

Elements   1-th associates   2-th associates
1          4                 3, 4, 5, 6
2          5                 3, 4, 5, 6
3          6                 1, 2, 5, 6
4          1                 1, 2, 5, 6
5          2                 1, 2, 3, 4
6          3                 1, 2, 3, 4

$$P_1 = \begin{pmatrix} 0 & 0 \\ 0 & 4 \end{pmatrix}, \quad P_2 = \begin{pmatrix} 0 & 1 \\ 1 & 2 \end{pmatrix}, \quad P_0 = \begin{pmatrix} 1 & 0 \\ 0 & 4 \end{pmatrix}.$$

Then the PBIBD(2) with parameters (6,16,8,3,4,3) is:

125 236 134 245 356 146 123 234 345 456 156 126 135 246

which is No.4 in the table. For the above design, let $r_1 = 8$ stand for the number of repetitions of $x_1$, $r_2 = 6$ stand for the number of repetitions of $x_2$ and $r_3 = 7$ stand for the number of repetitions of the other variables. Then the design is non-balanced and incomplete, which is No.5 in the table.

PBIBD(6,15): In this case, it is impossible to get any balanced Boolean function design with $k = 3$, since $k \times b$ can not be divided by $v$. Our purpose is to design cryptographically desirable Boolean functions. So according to our rules, let the parameters be:

$r_1 = 8$, $r_2 = 7$, $\lambda_1 = 4$, $\lambda_2 = 3$, $\lambda_3 = 4$.

Let $r_1$ stand for the number of repetitions of $x_1$, $x_2$, $x_3$ and $x_6$ and $r_2$ for $x_4$ and $x_5$.

123 124 125 126 134 135 136 145 234 236 246 256 346 356 456

This design is No.6 in the following table with

$\lambda_1 \times 4$, $\lambda_2 \times 7$, $\lambda_2 \times 4$.

Another design with the same parameters but

$\lambda_1 \times 5$, $\lambda_2 \times 8$, $\lambda_2 \times 3$

is No.7 in the following table.

      Designs     Repetitions of x    Pair occurrences
No.   (v,b,k)     r1    r2    r3      λ1    λ2    λ3      Weight   Nf
1     (6,16,3)    8     -     -       4     3     -       28       28
2     (6,16,3)    8     -     -       4     3     2       24       24
3     (6,16,3)    9     8     7       4     3     2       26       22
4     (6,14,3)    7     -     -       3     2     -       32       24
5     (6,14,3)    8     7     6       4     3     2       26       22
6     (6,15,3)    8     7     -       4     3     2       32       24
7     (6,15,3)    8     7     -       4     3     2       28       24

Let D be the positive number of the sum of all differences of repetitions Xi

Conjecture 2 Let $r_1, \dots, r_n$ be the numbers of appearances of the variables $x_1, \dots, x_n$ in the function $f(x)$ on $V_n$. For the fixed term degree-n homogeneous Boolean functions, the nonlinearity of the function with $D_{small}$ is greater than or equal to the nonlinearity of the function with bigger $D_{larger}$, where

$$D = \sum |r_i - r_j|$$

Later the homogeneous Boolean, function are treated as a block design. In a homo­ geneous function on Vn , each term is considered as a block d = k, each variable as a variety in block design n = v, the repetition of each variable as the repetition of each variety r and the pair of variables as the pair of varieties. Then each function equals to the ® of all blocks in one design.

Definition 36 [26] Let v > m > k. A t-(v, k, X) covering is a pair (X, B, where X is a v-set of elements and B is a collection of k-subset (blocks) of X,

From a combinatorial point of view, bent functions are analyzed as follows. Every homogeneous bent function found in our search, has the following properties:

1. its covering is 2-(6,3,3) and its packing is 2-(6,3,4);

2. each variable occurs the same number of times;

3. three disjoint pairs of variables occur 4 times and the other pairs occur 3 times.

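From the PBIBD, its incidence matrix is [104] [26]

$$A = \begin{pmatrix}
1&1&1&1&1&1&1&1&0&0&0&0&0&0&0&0 \\
1&1&1&1&0&0&0&0&1&1&1&1&0&0&0&0 \\
1&0&0&0&1&1&0&0&1&1&0&0&1&1&1&0 \\
0&1&0&0&1&0&1&0&1&0&1&0&1&1&0&1 \\
0&0&1&0&0&1&0&1&0&0&1&1&1&0&1&1 \\
0&0&0&1&0&0&1&1&0&1&0&1&0&1&1&1
\end{pmatrix}$$

and the adjacency matrix is of the following form

$$C = AA^{T} = \begin{pmatrix}
8&4&3&3&3&3 \\
4&8&3&3&3&3 \\
3&3&8&4&3&3 \\
3&3&4&8&3&3 \\
3&3&3&3&8&4 \\
3&3&3&3&4&8
\end{pmatrix}$$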

In the matrix $A$, a row permutation does not affect the values on the diagonal of the matrix $C$. Since there are 6 rows in $A$, the row permutations give 6! different matrices $A$. However, there are only 15 different matrices $C$ corresponding to all the row permutations of $A$. Each matrix $C$ corresponds to 2 bent functions. The diagonal entries of $C$ indicate the frequency with which each variable appears in the function, and the other entries, at place $(i,j)$, specify the frequencies with which the pairs $x_ix_j$ occur in the function.
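The following Python sketch is an added example, not code from the thesis. It takes the incidence matrix $A$ printed above, recomputes $C = AA^T$, reads the columns back as degree-3 terms, checks with a Walsh-Hadamard transform that the resulting function is bent, and then applies all 6! row permutations to reproduce the counts of 15 matrices $C$ and 2 functions per $C$. All function names are chosen here for illustration.

```python
from itertools import combinations, permutations

# Rows of the 6 x 16 incidence matrix A printed above: row i is variable
# x_(i+1), column j is one block, i.e. one degree-3 term of the function.
A = [[int(c) for c in row] for row in (
    "1111111100000000",
    "1111000011110000",
    "1000110011001110",
    "0100101010101101",
    "0010010100111011",
    "0001001101010111",
)]

def concurrence(a):
    """C = A * A^T: diagonal = repetitions r_i, off-diagonal = pair counts."""
    return [[sum(p * q for p, q in zip(r1, r2)) for r2 in a] for r1 in a]

def blocks(a):
    """Read every column as the sorted tuple of 1-based variables in that term."""
    return [tuple(i + 1 for i in range(len(a)) if a[i][j])
            for j in range(len(a[0]))]

def truth_table(terms, n):
    """f(x) = XOR over the terms of the AND of their variables; x_1 is the low bit."""
    masks = [sum(1 << (v - 1) for v in t) for t in terms]
    return [sum((x & m) == m for m in masks) & 1 for x in range(1 << n)]

def walsh(tt):
    """Fast Walsh-Hadamard transform of (-1)^f(x)."""
    w = [1 - 2 * b for b in tt]
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
        h *= 2
    return w

def nonlinearity(tt):
    """N_f = 2^(n-1) - max|W_f| / 2; a bent function on V_6 reaches 28."""
    return len(tt) // 2 - max(abs(v) for v in walsh(tt)) // 2

def pair_classes(c):
    """Group the variable pairs (i, j), i < j, by how often they occur together."""
    out = {}
    for i, j in combinations(range(len(c)), 2):
        out.setdefault(c[i][j], []).append((i + 1, j + 1))
    return out

def row_permutation_census(a):
    """Apply all row permutations; map each distinct C to the term sets it yields."""
    by_c = {}
    for perm in permutations(range(len(a))):
        p = [a[i] for i in perm]
        key = tuple(map(tuple, concurrence(p)))
        by_c.setdefault(key, set()).add(frozenset(blocks(p)))
    return by_c

if __name__ == "__main__":
    c = concurrence(A)
    tt = truth_table(blocks(A), 6)
    census = row_permutation_census(A)
    print("pairs by occurrence:", pair_classes(c))
    print("weight:", sum(tt), "nonlinearity:", nonlinearity(tt))
    print("distinct C:", len(census),
          "distinct functions:", len(set().union(*census.values())))
```

The term set recovered from the columns of $A$ is the function listed as $f_{30}$ in Appendix A.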

One notes that taking the block complements of the functions as 30 blocks on 20 elements, the repetition number is 6, and with the association scheme in which elements are first associates if they appear together in a block, third associates if they are complementary (for example $x_1x_2x_3$ is complementary to $x_4x_5x_6$, so 1 is said to be complementary to 20 and $k$ to be complementary to $21 - k$), and second associates otherwise, there is a PBIBD$(v, b, r, k; \lambda_1, \lambda_2, \lambda_3)$ design PBIBD(20, 30, 6, 4; 2, 0, 0). (For the full list of functions see Appendix 1.)

Using block designs to construct cryptographically desirable Boolean functions is a new method. The existing block designs give homogeneous bent functions which are known already. This is an exciting area for future research.

Chapter 8

The applications of degree-3 homogeneous Boolean functions

As stated in the first chapter, hashing algorithms are important cryptographic primitives which are indispensable for an efficient generation of both signatures and message authentication codes [103]. They are also widely used as one-way functions in key agreement and key establishment protocols [59]. Hashing can be designed using either block encryption algorithms, computationally hard problems or substitution-permutation networks (S-P networks).

The parameters of hashing algorithms based on block encryption algorithms are restricted by the properties of the underlying encryption algorithms. Assume that an encryption algorithm operates on $n$-bit strings. A single use of the cipher produces an $n$-bit hash value. This means that the $n$-bit strings have to be at least 128 bits long. Otherwise, the hash algorithm is subject to the birthday attack. The attack finds colliding messages in $2^{n/2}$ steps with a high probability (larger than 0.5). If the hash algorithm applies more than one encryption, it becomes slower than the underlying cipher. The use of a "strong" encryption algorithm does not guarantee a collision-free hash algorithm. There have been many spectacular failures that prove the point [73].

The design of hashing algorithms using intractable problems can be attractive, as the security evaluation can sometimes be reduced to the proof that finding a collision is as difficult as solving an instance of a computationally hard problem. Numerous examples have shown that the application of hard problems does not automatically produce sound hash algorithms. The misunderstanding springs from the general characterisation of the problem. For example, a problem is considered to be difficult if it belongs to the NP-complete class [36]. Any problem is a collection of instances. Some of them are intractable but some are easy. If a hash algorithm has some easy instances, it is simply insecure. The main shortcoming of this class of hash algorithms is that they are inherently slow.

The class of hash algorithms based on S-P networks includes the fastest algorithms. They apply the well-known concept of confusion and diffusion introduced by Shannon [97]. Representatives of this class are MD4 [79], MD5 [78], SHA [80] and many others [86]. Despite the demolishing of MD4 and the weakening of MD5 by Dobbertin [31, 32], their structural properties are reasonable and they are frequently used as benchmarks for efficiency evaluation.

8.1 Motivation

The MD family of hash algorithms uses the Feistel structure. The structure can be defined as follows. Let the input be $(L_{i-1}, R_{i-1})$ and the output be $(L_i, R_i)$. Then

$$L_i = R_{i-1} \quad\text{and}\quad R_i = L_{i-1} \oplus f(R_{i-1}, K_{i-1}),$$

where the function $f$ is controlled by the subkey $K_{i-1}$. A single iteration is described as

$$A_i = D_{i-1}; \quad B_i = A_{i-1} + F(B_{i-1}, C_{i-1}, D_{i-1}) + m_{i-1}; \quad C_i = B_{i-1}; \quad D_i = C_{i-1},$$

where $(A_i, B_i, C_i, D_i)$ is a 128-bit string split into four 32-bit words defined for the $i$-th iteration, $F : \{0,1\}^{96} \to \{0,1\}^{32}$ is a function which takes three 32-bit words and generates a 32-bit output word, and $m_i$ is the message hashed in the $i$-th iteration. Note that rotation has been ignored. For efficiency reasons, the function $F$ is generated on the fly by using bitwise operations such as &, | accessible in C/C++.

In general, a hashing algorithm can be viewed as a sequence of iterations. A single iteration takes an input $X = (X_k, \ldots, X_0)$ and a message word (block) $M$ (for the sake of simplicity it is assumed that $M$ has already been merged with the corresponding constant) and produces the output $Y = (Y_k, \ldots, Y_0)$ according to

$$Y_0 = M + F(X_{k-1}, \ldots, X_0) + ROT(X_k, s) \quad\text{and}\quad Y_{i+1} = X_i \ \text{for}\ i = 0, \ldots, k-1, \tag{8.1}$$

where words or blocks are $n$-bit sequences ($n = 32, 64, 128, \ldots$), '+' stands for addition modulo $2^n$ and $ROT(X_k, s)$ is circular rotation of the word $X_k$ by $s$ positions to the left.

Assume that there is a parallel machine and it is wished to examine how fast the iteration (8.1) can be produced. Parallel implementations of MD4/MD5 are used as benchmarks. For the sake of clarity, it is assumed that all bitwise operations, addition modulo $2^n$ and the rotation ROT take one instruction. In this analysis, all initial steps necessary to set up hashing are ignored.

The computational complexity of a single iteration (8.1) equals the number of instructions necessary to produce $Y_0$. The evaluation of the function $F$ seems to be the major component. Note that the function can be evaluated after $X_0$ is known. The evaluation of $X_0$ can be done concurrently with the evaluation of two parts of the function $F$ as

$$F(X_{k-1}, \ldots, X_0) = G_1(X_{k-1}, \ldots, X_1) \oplus X_0 G_0(X_{k-1}, \ldots, X_1).$$

When $X_0$, $G_0$ and $G_1$ are available, the function $F$ can be evaluated using two instructions: one to produce $X_0G_0$ and the second to generate the final evaluation. To obtain $Y_0$, one would need a single addition only, as the rotation and $M + ROT(X_k, s)$ can be executed in parallel. All together, a single iteration of any member of the MD family takes three instructions, assuming that the evaluation of $G_1$ and $G_0$ can be done in parallel [11]. This is the absolute upper bound for efficiency of hashing with members of the MD family. Can it be done better?

Before answering the question, let the efficiency of hashing algorithms be expressed by the number of bits of a compressed message per instruction. The MD4 speed is then $\frac{512}{144} = 3.55$ bits of compressed message per instruction. The length of the message block in MD4 is 512 bits, and the number of instructions is 144 (48 rounds and each round takes 3 instructions). Consider an algorithm implemented on a 64-bit machine. Assume that the algorithm takes 4096-bit messages and compresses them into 1024-bit digests using 3 passes with 64 iterations each. Its speed is $\frac{4096}{576} = 7.1$, so it is twice as fast as MD4 (and seems to be much more secure as it employs 192 iterations). The crucial issue becomes the design of the function $F$, which needs to be based on a Boolean function in 15 variables.

8.2 Definition of Rotation-Symmetric Boolean Functions

Let $V_n = \{0, 1\}^n$ be the space of binary vectors. Use the Boolean function $f : V_n \to V_1$ written as

$$f(x) = f(x_1, \ldots, x_n) = g_1(x_1, \ldots, x_{n-1}) \oplus x_n g_0(x_1, \ldots, x_{n-1}).$$

The rotation operation binds variables $y_i$ with $x_i$ according to the following assignments: $y_{i+1} = x_i$ for $i = 1, 2, \ldots, n-1$. Note that $y_1$ is evaluated after the final evaluation of $f(x)$ and is equal to $y_1 = m + f(x) + c$, where $m$ is a binary message and $c$ is a bit extracted from a block $X_n$. After substituting $y_{i+1} = x_i$ for $i = 1, 2, \ldots, n-1$, the function $f(y)$ becomes

$$f(y) = f(y_1, \ldots, y_n) = h_1(x_1, \ldots, x_{n-1}) + y_1 h_0(x_1, \ldots, x_{n-1}).$$

These conclusions can be formulated as the following corollary.

Proposition 1 Suppose we are given two consecutive iterations of a hashing algorithm from the MD family (an MD-type hash algorithm) based on the function $f(x_1, \ldots, x_n)$. Then the evaluation of the function $f(y_1, \ldots, y_n)$ in the second iteration may use some terms of $f(x_1, \ldots, x_n)$ evaluated in the previous iteration. Ideally, the evaluation of $f(y)$ will take three operations if (1) the partial functions $g_1(x_1, \ldots, x_{n-1}) = h_1(x_1, \ldots, x_{n-1})$ and (2) the partial functions $g_0(x_1, \ldots, x_{n-1}) = h_0(x_1, \ldots, x_{n-1})$, assuming that $y_1$ is given.

Let a function $f(x_1, x_2, x_3, x_4, x_5) = x_1x_2 \oplus x_2x_3 \oplus x_3x_4 \oplus x_4x_5 \oplus x_5x_1$. It can be represented as $f(x) = x_1x_2 \oplus x_2x_3 \oplus x_3x_4 \oplus x_5(x_1 \oplus x_4)$. The function $f(y)$ with $y_2 = x_1$, $y_3 = x_2$, $y_4 = x_3$, $y_5 = x_4$ becomes $f(y) = x_1x_2 \oplus x_2x_3 \oplus x_3x_4 \oplus y_1(x_1 \oplus x_4)$. The evaluations of both $x_1x_2 \oplus x_2x_3 \oplus x_3x_4$ and $x_1 \oplus x_4$ done for the function $f(x)$ can be reused for the evaluation of $f(y)$.

Definition 37 The class of rotation-symmetric functions includes all Boolean functions $f : V_n \to V_1$ such that $f(x_1, \ldots, x_n) = f(y_1, \ldots, y_n)$, where $y_{i+1} = x_i$ for $i = 1, 2, \ldots, n-1$ and $y_1 = x_n$, or shortly $f(x) = f(ROT(x))$.

8.3 Properties of Rotation-Symmetric Functions

The class of symmetric functions can be defined as a collection of all Boolean functions $f(x) : V_n \to V_1$ which are symmetric for all permutations $\pi \in S_n$. For every $V_1$ such that

$$e_k(x) = \bigoplus_{i_1, \ldots, i_k \in \mathcal{M},\ i_1 \neq \cdots \neq i_k} x_{i_1} \cdots x_{i_k} \tag{8.2}$$

where $\mathcal{M} = \{1, \ldots, n\}$. The functions $e_k(x) = e_k(\pi(x))$ for any $\pi \in S_n$.

Let $m_k(x) = x_{i_1} \cdots x_{i_k}$ be a monomial where all the indices $i_1, \ldots, i_k$ are different. Given a permutation $\pi \in S_n$, then $\pi(m_k) = x_{\pi(i_1)} \cdots x_{\pi(i_k)}$, where $1 < k < n$. Observe that the permutation $\pi$ generates a cyclic group $C_r$ of order $r < n$ and $C_r = \{e, \pi, \pi^2, \ldots, \pi^{r-1}\}$, where $e$ is the identity permutation. The cyclic group acts on the monomial $m_k(x)$ and produces a homogeneous Boolean function of degree $k$ in the following form:

$$f_k(x) = m_k \oplus \pi(m_k) \oplus \ldots \oplus \pi^{r-1}(m_k) \tag{8.3}$$

Note that the rotation $\rho \in S_n$ is defined as $\rho(i) = i + 1$ for $i = 1, \ldots, n-1$ and $\rho(n) = 1$. Equation (8.3) can be used to generate a homogeneous rotation-symmetric Boolean function of degree $k$ and

$$f_k(x) = m_k \oplus \rho(m_k) \oplus \ldots \oplus \rho^{n-1}(m_k) \tag{8.4}$$

Lemma 50 Suppose we are given a rotation-symmetric Boolean function in the form of expression (8.4). Then its nonlinearity is $N_{f_k} > 2^{n-k}$ for $k = 2, \ldots, n$.

Consider an example. Let $n = 6$ and $m_3 = x_2x_3x_5$. Then the corresponding rotation-symmetric function (of degree 3) is generated as follows:

$$f_3(x) = (x_2x_3x_5) \oplus \rho(x_2x_3x_5) \oplus \rho^2(x_2x_3x_5) \oplus \rho^3(x_2x_3x_5) \oplus \rho^4(x_2x_3x_5) \oplus \rho^5(x_2x_3x_5)$$

$$= x_2x_3x_5 \oplus x_3x_4x_0 \oplus x_4x_5x_1 \oplus x_5x_0x_2 \oplus x_0x_1x_3 \oplus x_1x_2x_4.$$

Equation (8.4) produces simple rotation-symmetric functions in the two following cases. When $k = 1$, the corresponding homogeneous rotation-symmetric function of degree 1 is

$$f_1(x) = e_1 = \bigoplus_{i=0}^{n-1} \rho^i[m_1(x)] = x_1 \oplus x_2 \oplus \ldots \oplus x_n$$

which is a linear function and is symmetric with respect to all permutations from $S_n$.

If $k = n$, the function (8.4) becomes $f_n(x) = e_n(x) = x_1x_2 \ldots x_n$, which is symmetric with respect to all permutations from $S_n$ and has the lowest Hamming weight, which equals 1.

Consider homogeneous rotation-symmetric Boolean functions of degree 2. Assume that an initial monomial is $m_2(x) = x_jx_{j+\ell}$ for some $\ell$ ($\ell + j < n$) and the rotation is $\rho \in S_n$. Then the corresponding homogeneous rotation-symmetric Boolean function is

$$f_2(x) = \bigoplus_{i=0}^{n-1} \rho^i(x_jx_{j+\ell}) = x_1x_{\ell+1} \oplus \ldots \oplus x_ix_{i+\ell} \oplus \ldots \oplus x_nx_{\ell+n}, \tag{8.5}$$

where the subscript calculations are performed modulo $(n + 1)$.

Theorem 8 Let $f_2(x) : V_n \to V_1$ be a homogeneous rotation-symmetric Boolean function of degree 2 which is generated from a monomial of degree 2 using the rotation $\rho \in S_n$. The function has the following properties:

(i) the Hamming weight of $f_2(x)$ is $2^{n-2} < wt(f_2) < 2^{n} + 2^{n-2}$,

(ii) the nonlinearity of the function is $N_f > 2^{n-2}$,

(iii) if $n$ is odd ($n > 2$), the function $f_2(x)$ is balanced,

(iv) the function satisfies the propagation criterion with respect to all vectors $\alpha \in V_n$ such that $0 < wt(\alpha) < n$ and satisfies the SAC criterion.

Lemma 51 [69] Given $f_2(x) : V_n \to V_1$ for $n$ odd, the nonlinearity of the function is $N_{f_2} = 2^{n-1} - 2^{(n-1)/2}$.

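Consider two classes of functions

$$f_2^{(n)} = x_1x_2 \oplus x_2x_3 \oplus \ldots \oplus x_{n-1}x_n \oplus x_nx_1$$

$$g_2^{(n)} = x_1x_2 \oplus x_2x_3 \oplus \ldots \oplus x_{n-1}x_n$$

for $n = 0, 1, \ldots$. If one assumes that $wt(g_2^{(0)}) = wt(g_2^{(1)}) = 0$, then the following equations are satisfied:

$$wt(g_2^{(n)}) = 2^{n-2} + 2\,wt(g_2^{(n-2)});$$

$$wt(f_2^{(n)}) = wt(g_2^{(n-1)}) + wt(x_1 \oplus g_2^{(n-2)}) + wt(1 \oplus x_1 \oplus x_{n-2} \oplus g_2^{(n-2)}),$$

where $(x_1 \oplus g_2^{(n-2)})$ and $(1 \oplus x_1 \oplus x_{n-2} \oplus g_2^{(n-2)})$ are two functions on $V_{n-2}$.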

Let $f(x)$, $g(x)$ be two rotation-symmetric functions on $V_n$. The next corollary is useful for creating a combined function which preserves the rotation symmetry.

Corollary 6 Given two functions $f(x)$, $g(x)$ on $V_n$ and the rotation $\rho \in S_n$. If $\rho(f(x)) = f(x)$ and $\rho(g(x)) = g(x)$, then $\rho(f(x) \oplus g(x)) = f(x) \oplus g(x)$.

8.4 Balanced Rotation-Symmetric Boolean Functions

The function $f_2(x)$ of degree 2 is an ideal candidate for a hashing round function. It is balanced, highly nonlinear and satisfies the propagation criterion (including the SAC). To get other cryptographically strong rotation-symmetric functions, one may apply Corollary 6, which states that the sum of rotation-symmetric functions is a rotation-symmetric function as well. A general construction for rotation-symmetric functions can be obtained by using the following algorithm.

1. select the requested collection of monomials of degrees kx,...,k-,

2. generate homogeneous rotation-symmetric functions of degrees kx,...,k-,

3. compose the functions into the compound rotation-symmetric function

f(x)=fkl(x)®...®fk.(x).

Clearly, the evaluation of the function f(x) will be faster when the number of monomials used to generate homogeneous functions is restricted. In practice, there are two most interesting cases when the number is limited to two and three. These two cases are going to be investigated.

Class 1 generated by two monomials. Consider the case when $m_1(x)$ and $m_2(x) = x_1x_\ell$, where $m_1 : V_{n+s} \to V_1$ and $m_2 : V_n \to V_1$. Then the class of rotation-symmetric functions is expressible as

$$f(x) = f_2 \oplus f_1 = \bigoplus_{i=0}^{n-1} \rho^i(m_2(x)) \oplus \bigoplus_{i=0}^{n+s-1} \rho^i(m_1(x)) \tag{8.6}$$

for $\rho \in S_n$. Note that monomials $m_1(x)$ do not need to be evaluated, so the function $f(x)$ is especially attractive for a fast evaluation. The explicit form of the function is

$$f(x) = x_1(1 \oplus x_\ell) \oplus x_2(1 \oplus x_{\ell+1}) \oplus \ldots \oplus x_n(1 \oplus x_{\ell+n-1}) \oplus x_{n+1} \oplus \ldots \oplus x_{n+s}$$

The function $f(x)$ is balanced, its nonlinearity is $N_f > 2^{n+s-2}$, and the function satisfies the propagation criterion with respect to $\alpha$ such that $\alpha = (\beta_1, \beta_2)$ and $\beta_1 \notin \{0, 1\}$, where $\beta_1 \in V_n$ and $\beta_2 \in V_s$.

Class 2 generated by three monomials. Consider the case when $m_1(x)$ is a monomial of degree 1 over $V_{n+s}$, $m_2(x)$ is a monomial of degree 2 over $V_{n+m}$ and $m_k(x)$ is a monomial of degree $k$ over $V_n$, where $n > k > 2$ and ($s > m$). The function

$$f(x) = f_k(x) \oplus f_2(x) \oplus f_1(x) = \bigoplus_{i=0}^{n-1} \rho^i(m_k(x)) \oplus \bigoplus_{i=0}^{n+m-1} \rho_2^i(m_2(x)) \oplus \bigoplus_{i=0}^{n+s-1} \rho_1^i(m_1(x))$$

where $\rho \in S_n$, $\rho_1 \in S_{n+s}$ and $\rho_2 \in S_{n+m}$. The function $f(x)$ is balanced, has nonlinearity $N_f > 2^{n+s-k}$ and satisfies the propagation criterion with respect to $n < wt(\alpha)$

neous rotation-symmetric function $f_k(x)$ generated by $m_k(x)$ is the most expensive, so that is why it should be kept relatively short, $\rho \in S_n$ (see [35]). For instance, for $n = 4$, $s = m = 1$ and $k = 3$, the balanced rotation-symmetric function is

$$f(x) = x_1x_2x_3 \oplus x_2x_3x_4 \oplus x_3x_4x_1 \oplus x_4x_1x_2 \oplus x_1x_2 \oplus x_2x_3 \oplus x_3x_4 \oplus x_4x_5 \oplus x_5x_1 \oplus x_1 \oplus x_2 \oplus x_3 \oplus x_4 \oplus x_5$$

8.5 Evaluation of Functions

Consider functions from Class 1, i.e. rotation-symmetric functions of degree two. An analysis of the bounds for the number of operations needed to evaluate a round function is required when it is used for $m$ consecutive rounds. Let the rotation-symmetric function over $V_n$ be

$$f(x) = x_1x_2 \oplus x_2x_3 \oplus \ldots \oplus x_{n-1}x_n \oplus x_nx_1,$$

where $n$ is odd. In the first round, the whole function needs to be evaluated from scratch. This will consume no more than $2n$ operations. This number can be reduced to ^y^ if the evaluation is done in pairs $f(x) = x_1x_2 \oplus x_3(x_2 \oplus x_4) \oplus \ldots \oplus x_n(x_{n-1} \oplus x_1)$. For the next round, if one keeps the evaluation of $h(x_1, \ldots, x_{n-1}) = x_1x_2 \oplus x_2x_3 \oplus \ldots \oplus x_{n-2}x_{n-1}$, then one needs to evaluate the new term $x_0(x_1 \oplus x_{n-1})$, which takes 2 operations. Evaluation of $f(x_0, x_1, \ldots, x_{n-1})$ takes at most three operations, where $x_0$ is a "new variable" which was not used in the previous round. To be able to use the same technique in the next rounds, one needs to evaluate the function $h(x_0, \ldots, x_{n-2}) = x_0x_1 \oplus x_1x_2 \oplus \ldots \oplus x_{n-3}x_{n-2}$ from $f(x_0, \ldots, x_{n-1})$. The "correction" of $h(x)$ will cost at most three operations, as $h(x) = f(x) \oplus x_{n-1}(x_{n-2} \oplus x_0)$ and the term $x_{n-1}(x_{n-2} \oplus x_0)$ needs to be generated. In conclusion, the evaluation of $f(x)$ for $m$ consecutive rounds will take no more than ^f1 $+\ 6(m - 1)$ operations.

What can be gained if a shorter function is used, one which is not rotation symmetric but is obtained from a rotation-symmetric function by removing some of the terms? Let this function be

$$f(x_1, \ldots, x_n) = x_1x_2 \oplus x_3x_4 \oplus \ldots \oplus x_{n-2}x_{n-1} \oplus x_{n-1}x_n$$

In the first round the function needs $(n - 1)$ operations for its evaluation. In the second round, the same number of operations is necessary as all terms need to be generated. This costs $(n - 1)$ operations. In the third round, partial evaluation from the first round is used. This consumes at most 3 operations. The evaluation of the expression for the 5-th round takes at most 3 operations. All together, the evaluation takes at most $2(n - 1) + 6(m - 2)$ operations.

Paradoxically, shorter functions require more steps for their evaluation. This phenomenon relates to the fact that rotation will generate all terms of the rotation-symmetric function gradually, round by round, with no chances for optimisation. Starting from a rotation-symmetric function allows optimal evaluation of terms which can be reused further in the consecutive rounds. The designers of the HAVAL hashing algorithm [120] fell into the trap. The first round function they used is

$$f_1(x_6, x_5, x_4, x_3, x_2, x_1, x_0) = x_1x_4 \oplus x_2x_5 \oplus x_3x_6 \oplus x_0x_1 \oplus x_0$$

which is a shortened version of a rotation-symmetric function $f_2(x_1, \ldots, x_7)$.
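As an added illustration (not code from the thesis), the Python sketch below builds a rotation-symmetric function from one monomial as in equation (8.4), checks Definition 37 and the balance claim of Theorem 8 for odd $n$, and replays the round-to-round reuse of Section 8.5 on 32-bit words against a full re-evaluation. The helper names, the sample state and message words used in the test, and the toy update rule modelled on (8.1) are assumptions made for the example; the operation count of the first round is that of this implementation.

```python
from itertools import product

MASK = 0xFFFFFFFF  # the round function acts bitwise on 32-bit words

def rho(term, n):
    """Rotation rho(i) = i + 1 for i < n and rho(n) = 1, applied to a monomial."""
    return tuple(sorted(i % n + 1 for i in term))

def rotation_symmetric(term, n):
    """Equation (8.4): XOR of rho^i(term) for i = 0..n-1, as a set of monomials.
    The sum is over GF(2), so a monomial produced an even number of times
    cancels (x1x4 on V_6 gives the zero function)."""
    f, t = set(), tuple(sorted(term))
    for _ in range(n):
        f ^= {t}
        t = rho(t, n)
    return f

def evaluate(terms, x):
    """f(x) for x = (x_1, ..., x_n); the x_i may be bits or 32-bit words."""
    acc = 0
    for t in terms:
        prod = MASK
        for i in t:
            prod &= x[i - 1]
        acc ^= prod
    return acc

def is_rotation_symmetric(terms, n):
    """Definition 37: f(x) = f(ROT(x)) with y_1 = x_n and y_(i+1) = x_i."""
    return all(evaluate(terms, x) == evaluate(terms, x[-1:] + x[:-1])
               for x in product((0, 1), repeat=n))

def weight(terms, n):
    """Hamming weight of f over all of V_n."""
    return sum(evaluate(terms, x) for x in product((0, 1), repeat=n))

def rotl(w, s):
    return ((w << s) | (w >> (32 - s))) & MASK

def step(x, f, m, s):
    """Assumed toy round modelled on (8.1): a new word enters as x_1, x_n leaves."""
    dropped = x[-1]
    y = (m + f + rotl(dropped, s)) & MASK
    return [y] + x[:-1], dropped

def rounds_direct(state, msgs, s=7):
    """Reference: re-evaluate the whole function f_2 in every round."""
    x, outs = list(state), []
    f2 = rotation_symmetric((1, 2), len(state))
    for m in msgs:
        f = evaluate(f2, x)
        outs.append(f)
        x, _ = step(x, f, m, s)
    return outs

def rounds_incremental(state, msgs, s=7):
    """Section 8.5: one full evaluation, then 3 + 3 word operations per round."""
    x, n, outs, ops = list(state), len(state), [], 0
    if n < 3 or n % 2 == 0:
        raise ValueError("the paired first-round form needs odd n >= 3")
    f = dropped = 0
    for k, m in enumerate(msgs):
        if k == 0:
            # paired form x1x2 ^ x3(x2 ^ x4) ^ ... ^ xn(x_(n-1) ^ x1)
            f = x[0] & x[1]
            ops += 1
            for j in range(2, n, 2):
                f ^= x[j] & (x[j - 1] ^ x[(j + 1) % n])
                ops += 3
        else:
            # "correction": remove the two terms of the word that left
            h = f ^ (dropped & (x[-1] ^ x[1]))
            # add the two terms of the word that entered
            f = h ^ (x[0] & (x[1] ^ x[-1]))
            ops += 6
        outs.append(f)
        x, dropped = step(x, f, m, s)
    return outs, ops
```

The two terms evaluated per round share the same XOR of the second and last words, so an implementation could also get by with five operations, which stays inside the bound of six stated above.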

8.6 Extensions and Further Research

The chapter suggests a novel framework for designing cryptographically strong Boolean functions which can be efficiently evaluated when they are applied as round functions in MD hashing with rotation as the round mixing operation. Clearly any symmetric Boolean function (with respect to any permutation) is also rotation symmetric. The reverse is not true, as a rotation-symmetric function is not symmetric in general. Rotation-symmetric functions are much shorter than their symmetric equivalents. This is especially visible for bigger $n$. For instance, a rotation-symmetric function $f_2(x)$ over $V_n$ includes $n$ terms of degree 2 while its symmetric equivalent consists of $\frac{n(n-1)}{2}$ terms. Symmetric functions could be useful if the round mixing operation is an arbitrary permutation controlled by either a cryptographic key (as for keyed hashing) or messages. The round mixing operation can be viewed as a linear transformation of the input variables. Rotation is an especially simple case. Note that a linear transformation of input variables does not increase the degree of the function. Similarly, it is possible to extend these considerations to the case of linear transformations.

The concept of efficient evaluation can be extended to permutations $p : V_n \to V_n$. This is not directly applicable in MD hashing but certainly is of interest for other cryptographic algorithms where the S-boxes are evaluated on the fly instead of using their lookup tables. The idea is to design a cryptographically strong permutation whose component output functions share as many common terms as possible, so partial evaluations can be shared among the functions. The confirmation that such permutations exist can be found in the papers [62, 69].

Finally, it can be argued that an efficient evaluation may actually contradict the security of hashing. This argument may or may not be valid depending on other components used in the single round (shifting, addition modulo $2^n$, etc.). Also the number of different functions together with the total number of rounds plays a significant role in obtaining a secure (collision-free) hash algorithm.

Appendix A

Homogeneous bent functions on VQ

1 The complete set of degree-3 homogeneous bent functions on V6:

/i = 124 ©125 ©126 ©134 ©135 ©136 ©146 ©156 ©234 ©235© 236 © 245 © 256 © 345 © 346 © 456

f2 = 124 © 125 © 126 © 134 © 135 © 136 © 146 © 156 © 234 © 235 © 236 © 245 © 246 © 345ffi 356ffi 456

f3 = 124ffi 125ffi 12 6ffi 134ffi 135ffi 13 6ffi 145ffi 15 6 © 234 © 235 © 236 © 246 © 256 © 345 © 346 © 456 /_ = 124 © 125 © 126 © 134 © 135 © 136ffi 14 5 © 156 © 234 © 235 © 236 © 245 © 246 © 346 © 356 © 456

/5 = 124 ©125 ©126ffi 134ffi 135 ©136ffi 14 5ffi 14 6 ©234 ©235© 236 © 246 © 256 © 345 © 356 © 456

/6 = 124 © 125 © 126 © 134 © 135 © 136 © 145 © 146ffi 234ffi 235 ffi 236ffi 24 5ffi 25 6 © 346 © 356 © 456 ft = 123 © 125 © 1-26 © 134 © 136 © 145 © 146 © 156 © 234 © 235 ©

245 © 246 © 256 © 345 © 346 © 356

/8 = 123 ©125 ©126 ©134 ©136 ©145 ©146 ©156 ©234 ©235©

236 © 245 © 246 © 345 © 356 © 456

f9 = 123 ©125 ©126 ©134 ©135 ©145 ©146 ©156 ©234 ©236©

245ffi 24 6 © 256 © 345 © 346 © 356 /_o = 123 ©125 ©126 ©134ffi 135ffi 145ffi 146 ©156 ©234ffi 235©

x For the writing conveniently, on the Boolean space Vn the number, 1,2,- • .,n, are used to stand for the variables x_,x2> • • • ,xn. Thus the term xiXjxk is represented by ijk. These notations are applied for all appendices.

118 236 © 245ffi 246ffi 346ffi 356 © 456 fxx = 123 ©125ffi 126ffi 13 4ffi 135ffi 13 6 ©145ffi 14 6 ©234 ©236©

245 © 246 © 256ffi 34 5ffi 356ffi 45 6

/i2 = 123ffi 12 5 ©126ffi 13 4ffi 135ffi 13 6ffi 145ffi 14 6ffi 234ffi 235 ffi 245ffi 246ffi 256ffi 346 © 356 © 456

/13 = 123 © 124 © 126 © 135 © 136 © 145 © 146 © 156 © 234 © 235 © 245 © 246 © 256 © 345 © 346 © 356 fxA = 123ffi 12 4 ©126 ©135 ©136 ©145 ©146ffi 15 6ffi 23 4ffi 235 ffi

236ffi 24 5ffi 256ffi 345ffi 346ffi 45 6

/15 = 123ffi 124ffi 126ffi 13 4ffi 13 5ffi 14 5ffi 146 ©156ffi 235ffi 236 ffi

245 © 246 © 256 © 345 © 346 © 356

/16 = 123 ©124ffi 126 ©134 ©135 ©145 ©146 ©156ffi 234 ©235©

236 © 245 © 256 © 346 © 356 © 456 fx- = 123 ©124 ©126ffi 13 4ffi 13 5ffi 136ffi 145ffi 156ffi 235ffi 23 6 ffi

245ffi 246ffi 256ffi 34 5 © 346 © 456 fxs = 123 ©124 ©126 ©134 ©135 ©136 ©145 ©156 ©234 ©235 ffi

245 © 246 © 256 © 346 © 356 © 456

/19 = 123 © 124 © 125 © 135 © 136 © 145ffi 146 © 156 © 234 © 236 © 245 © 246 © 256 © 345 © 346 © 356

/20 = 123 ©124 ©125 ©135 ©136 ©145 ©146 ©156 ©234 ©235©

236 © 246 © 256 © 345 © 346 © 456

/21 = 123 © 124 © 125 © 134 © 136 © 145 © 146 © 156 © 235 © 236 © 245 © 246 © 256 © 345ffi 346 © 356

f22 = 123 © 124 © 125 © 134ffi 13 6 © 145 © 146 © 156 © 234 © 235 ©

236 © 246 © 256 © 345 © 356 © 456

/23 = 123 © 124 © 125 © 134ffi 13 5 © 136 © 146 © 156 © 235 © 236 ffi

245ffi 246ffi 256ffi 34 5ffi 346ffi 45 6

/24 = 123ffi 124ffi 125ffi 13 4ffi 13 5ffi 13 6ffi 14 6ffi 15 6ffi 234ffi 23 6 ffi

245ffi 246 © 256 © 345ffi 356 © 456

/25 = 123 ©124 ©125 ©126ffi 13 5 ©136 ©145 ©146 ©234 ©236 ffi

245ffi 256ffi 345ffi 34 6ffi 356ffi 45 6 /26 = 123ffi 124ffi 12 5ffi 126 © 135ffi 13 6ffi 14 5ffi 14 6 © 234ffi 23 5 © ' 246 © 256ffi 34 5 © 346ffi 35 6 © 456 f27 = 123ffi 124ffi 125ffi 126ffi 134ffi 13 6 ©145ffi 15 6ffi 235ffi 236 ffi 245ffi 246ffi 34 5 © 346ffi 35 6ffi 45 6

/28 = 123 © 124 © 125 © 126 © 134 © 136 © 145 © 156 © 234 © 235 © 246 © 256 © 345ffi 34 6ffi 35 6ffi 456

/29 = 123ffi 124 © 125ffi 12 6ffi 134ffi 13 5ffi 146ffi 156ffi 235ffi 23 6 ffi 245 © 246 © 345 © 346 © 356 © 456

/30 = 123 © 124 © 125 © 126 © 134 © 135 © 146 © 156 © 234 © 236 © 245 © 256ffi 34 5 © 346 © 356 © 456 Appendix B

Homogeneous balanced functions

e complete sets of nonlinear balanced degree-3 homogeneous functions ;r VQ, each function has nonlinearity 24, are listed as follows:

1) 30 functions with 14 terms:

/i = 125 ©126 ©134 ©135 ©136 ©145 ©146 ©234 ©235 ©236© 245 © 246 © 356 © 456

f2 = 124 ©126 ©134 ©135 ©136 ©145 ©156 ©234 ©235 ©236© 245 © 256 © 346 © 456

h = 124 ©125 ©134 ©135 ©136 ©146 ©156 ©234 ©235 ©236© 246 © 256 © 345 © 456

h = 124 ©125 ©126 ©135 ©136 ©145 ©146 ©234 ©235 ©236© 256 © 345 © 346 © 456

h = 124 © 125 © 126 © 134 © 136 © 145 © 156 © 234 © 235 © 236 © 246 © 345 © 356 © 456

f6 = 124 ©125 ©126 ©134 ©135 ©146 ©156 ©234 ©235 ©236© 245 © 346 © 356 © 456

ft = 124 ©125 ©126 ©134 ©135 ©136 ©156ffi 235 ©236 ©245© 246 © 345 © 346 © 456

f8 = 124 ©125 ©126 ©134 ©135 ©136 ©146 ©234 ©236 ©245© 256 © 345 © 356 © 456 U = 124 © 125 © 126 © 134 © 135 © 136 © 145 © 234 © 235 © 246 ©

256 © 346 © 356 © 456 /io = 123 ©126ffi 134ffi 135ffi 14 5ffi 14 6ffi 156ffi 234ffi 23 5ffi 245©

246ffi 25 6ffi 346 © 356 122

/n = 123 © 125ffi 134ffi 13 6ffi 14 5ffi 14 6ffi 15 6ffi 234 © 236 © 245 ©

' 246 © 256ffi 345 © 356

/i2 = 123 © 125 © 126 © 135 © 136 © 145 © 146 © 234 © 245 © 246 © 256 © 345 © 346 © 356

/is = 123 © 125 © 126 © 134 © 145 © 146 © 156ffi 23 5ffi 236ffi 245 ffi 246ffi 34 5ffi 346ffi 35 6 flA = 123 © 125 © 126 © 134 © 136 © 145 © 156 © 234 © 235 © 245 © 246 © 346 © 356 © 456 fi5 = 123 ©125 ©126 ©134 ©136 ©145 ©146 ©234ffi 23 5 ©246© 256 © 345 © 356 © 456 f16 = 123 © 125 © 126 © 134 © 135 © 146 © 156 © 234 © 236 © 245 ffi 246ffi 34 5ffi 356ffi 456

/IT = 123ffi 12 5ffi 12 6ffi 134ffi 13 5ffi 14 5ffi 14 6ffi 23 4ffi 236ffi 245 ffi 256 © 346 © 356 © 456

/i8 = 123 © 124 © 135 © 136 © 145 © 146 © 156 © 235 © 236 © 245 © 246 © 256 © 345 © 346 /ig = 123 © 124 © 126 © 135 © 145 © 146 © 156 © 234 © 236 © 245 ©

256 © 345 © 346 © 356 f2Q = 123 ©124 ©126 ©135 ©136 ©145 ©156 ©234 ©235 ©246© 256 © 345 © 346 © 456 f2l = 123 © 124 © 126 © 135 © 136 © 145 © 146 © 234 © 235 © 245 ffi 256ffi 34 6ffi 35 6ffi 456

/22 = 123 © 124 © 126 © 134 © 136 © 145 © 156 © 235 © 245 © 246 © 256 © 345 © 346 © 356

/23 = 123 © 124 © 126 © 134 © 135 © 146 © 156 © 235 © 236 © 245 ffi

256ffi 34 5ffi 34 6ffi 45 6

/24 = 123ffi 12 4ffi 126ffi 134ffi 135ffi 14 5ffi 15 6 © 235 © 236 © 245 ©

246 © 346 © 356 © 456

/25 = 123 ©124 ©125 ©136 ©145 ©146 ©156 ©234 ©235 ©246 ffi

256ffi 345 © 346 © 356 f26 = 123ffi 12 4ffi 125ffi 13 5ffi 136ffi 146ffi 156ffi 234ffi 23 6ffi 24 5 ffi 256ffi 34 5ffi 346ffi 456

f-n = 123ffi 124 © 125ffi 135ffi 13 6ffi 145ffi 146ffi 23 4ffi 23 6 © 246 ffi 256ffi 34 5ffi 356 © 456

/28 = 123 ©124 ©125 ©134 ©136 ©146 ©156 ©235ffi 23 6ffi 245 ffi 246ffi 34 5 © 356 © 456

/29 = 123 © 124 © 125 © 134 © 136 © 145 © 156 © 235 © 236 © 246 © 256 © 345ffi 346ffi 456

/30 = 123 © 124 © 125 © 134 © 135 © 146 © 156 © 236 © 245 © 246 © 256 © 345 © 346 © 356

/

2) 180 functions with 15 terms:

fx = 125 © 126 © 135 © 136 © 145 © 146 © 234 © 235 © 236 © 245 © 246 © 345 © 346 © 356 © 456

f2 = 125 © 126 © 135 © 136 © 145 © 146 © 234 © 235 © 236 © 245 © 246ffi 25 6ffi 34 5 © 346 © 456

/3 = 125 © 126 © 135 © 136 © 145 © 146 © 234 © 235 © 236 © 245 ffi 246ffi 256ffi 34 5ffi 34 6ffi 35 6

/4 = 125ffi 12 6ffi 13 4ffi 13 5ffi 136ffi 145 ©146 ©235ffi 23 6ffi 24 5 ffi

246ffi 34 5ffi 34 6ffi 35 6ffi 45 6

f5 = 125ffi 12 6 © 134 © 135 © 136 © 145 © 146 © 156 © 235ffi 23 6 ffi

245ffi 246 © 345 © 346 © 456

/6 = 125 © 126 0.134 © 135 © 136 © 145 © 146 © 156 © 235 © 236 ffi

245ffi 246ffi 34 5ffi 34 6ffi 356 ft = 125ffi 12 6 © 134 © 135 © 136 © 145 © 146 © 156 © 234 © 235 ffi

236 © 245 © 246 © 256 © 456 /_ = 125 ©126 ©134 ©135 ©136 ©145 ©146 ©156 ©234 ©235 ffi

236 © 245ffi 246 © 256 © 356

/9 = 124 © 126ffi 13 4 © 136 © 145 © 156 © 234 © 235 © 236 © 245 ©

256 © 345ffi 346 © 356 © 456

flQ = 124 © 126ffi 13 4 © 136 © 145 © 156 © 234 © 235 © 236 © 245 © 246 © 256 © 345 © 356 © 456 fxx = 124 © 126 © 134 © 136ffi 14 5ffi 15 6ffi 23 4ffi 235ffi 236ffi 24 5 ffi

246 © 256 © 345 © 346 © 356

/12 = 124 © 126 © 134 © 135 © 136 © 145 © 156 © 234 © 236 © 245 © 256 © 345 © 346 © 356 © 456

/13 = 124 © 126 © 134 © 135 © 136 © 145 © 146 © 156 © 234 © 236 ffi 245ffi 25 6ffi 345ffi 35 6ffi 456

/u = 124ffi 126 © 134 © 135 © 136 © 145 © 146 © 156 © 234 © 236 © 245 © 256 © 345 © 346 © 356

/_5 = 124 © 126 © 134 © 135 © 136 © 145 © 146 © 156 © 234 © 235 © 236 © 245 © 246 © 256 © 456

/16 = 124 ©126 ©134 ©135 ©136 ©145 ©146 ©156 ©234 ©235 ffi 236 © 245 © 246 © 256 © 346

fl7 = 124 ©125 ©134 ©135 ©146 ©156 ©234 ©235 ©236 ©246©

256 © 345 © 346 © 356 © 456

/i8 = 124 ©125 ©134 ©135 ©146 ©156 ©234 ©235 ©236 ©245©

246 © 256 © 346 © 356 © 456

/19 = 124 ©125 ©134 ©135 ©146 ©156 ©234 ©235 ©236 ©245 ffi

246ffi 25 6ffi 345ffi 34 6ffi 35 6

f20 = 124ffi 125ffi 134ffi 135ffi 13 6ffi 146ffi 15 6ffi 23 4ffi 235ffi 246 ffi

256ffi 345 © 346 © 356 © 456

f2l = 124 © 125 © 134 © 135 © 136 © 145 © 146 © 156 © 234 © 235 ©

246 © 256 © 346 © 356 © 456

f22 = 124 ©125 ©134 ©135 ©136 ©145 ©146 ©156 ©234 ©235©

246 © 256 © 345 © 346 © 356

f23 = 124 © 125 © 134 © 135 © 136 © 145 © 146 © 156 © 234 © 235 ©

236 © 245 © 246 © 256 © 456

/24 = 124 © 125 © 134 © 135 © 136 © 145 © 146 © 156 © 234 © 235 ffi

236ffi 24 5ffi 24 6ffi 256ffi 345

/25 = 124 ©125ffi 126ffi 13 5ffi 136ffi 145ffi 14 6ffi 23 5ffi 236ffi 24 5 ffi

246 © 256 © 345 © 346 © 456 /26 — 124ffi 125ffi 126ffi 135ffi 136ffi 145ffi 146ffi 156ffi 235ffi 236 ffi 245 © 246 © 345 © 346 © 456

/27 = 124 © 125 © 126 © 135 © 136 © 145 © 146 © 156 © 235 © 236 © 245ffi 246 © 256ffi 34 5ffi 346

/28 = 124ffi 125ffi 126ffi 135ffi 136ffi 145 © 146 © 156 © 234 © 235 © 236 © 345 © 346 © 356 © 456

/29 = 124 © 125 © 126 © 135 © 136 © 145 © 146 © 156 © 234 © 235 © 236 © 256 © 345 © 346 © 356

/30 = 124 © 125 © 126 © 134 © 136 © 145 © 156 © 234 © 236 © 245 © 246 © 256 © 345 © 356 © 456 .

/31 = = 124 © 125 © 126 © 134ffi 136ffi 145ffi 146ffi 156ffi 23 4ffi 236 ffi 245 © 256 © 345 © 356 © 456

/32 = = 124ffi 125ffi 126ffi 13 4ffi 136ffi 145ffi 146ffi 156ffi 23 4ffi 236 ffi 245ffi 246ffi 256 © 345 © 356 fzz - = 124 © 125 © 126 © 134 © 136 © 145 © 146 © 156 © 234 © 235 © 236 © 345 © 346 © 356 © 456 fzA ~ = 124 © 125 © 126 © 134ffi 136ffi 145ffi 146ffi 156ffi 234ffi 235 ffi 236 © 246 © 345 © 346 © 356 fzs = 124ffi 125ffi 126ffi 134ffi 135 © 146 © 156 © 234 © 235 © 245 © 246 © 256 © 346 © 356 © 456 = 124ffi 125ffi 126ffi 13 4ffi 135ffi 145 © 146 © 156 © 234 © 235 © /36 246 © 256 © 346 © 356 © 456 = 124 © 125 ©126 © 134 © 135 © 145 © 146 © 156 © 234 © 235 © fzi 245 © 246 © 256 © 346 © 356 = 124 © 125 © 126 © 134ffi 135ffi 145ffi 146ffi 156ffi 23 4ffi 235 ffi /38 236ffi 34 5ffi 346ffi 356ffi 456 = 124ffi 125ffi 126ffi 134ffi 135ffi 145ffi 146ffi 156ffi 23 4ffi 235 © /;3 9 236ffi 24 5ffi 345ffi 346ffi 356 = 124ffi 125ffi 126ffi 134ffi 135ffi 136ffi 235ffi 236ffi 245ffi 246 ffi

/•4 0 256ffi 34 5ffi 346ffi 356ffi 456 = 124ffi 125 © 126 © 134ffi 135ffi 136ffi 23 4ffi 236ffi 245ffi 246 ffi /

256ffi 345ffi 34 6ffi 356ffi 45 6

/42 =' 124ffi 12 5ffi 12 6ffi 134ffi 13 5ffi 13 6ffi 234ffi 23 5ffi 24 5ffi 24 6 ffi 256ffi 345 © 346 © 356 © 456

/43 = 124 ©125 ©126 ©134 ©135 ©136 ©156 ©235 ©236 ©245© 246 © 256 © 345 © 346 © 356

/44 = 124 © 125 © 126 © 134 © 135 © 136 © 146 © 234 © 236 © 245 © 246 © 256 © 345 © 346 © 356

/45 = 124 © 125 © 126 © 134 © 135ffi 13 6ffi 14 5ffi 234ffi 23 5ffi 24 5 ffi 246ffi 256ffi 345ffi 346ffi 356

/46 = 123ffi 12 6ffi 134ffi 13 5ffi 14 6 © 156 © 234 © 235 © 245 © 246 ffi 256ffi 345ffi 346ffi 356 © 456 /

/47 = 123 © 126 © 134 © 135 © 146 © 156 © 234 © 235 © 236 © 245 ffi 246ffi 256ffi 345ffi 356ffi 456

/48 = 123ffi 12 6ffi 134ffi 13 5ffi 14 6ffi 15 6ffi 234 © 235 © 236 © 245 © 246 © 256 © 345 © 346 © 456

/__ = 123 ©126 ©134 ©135 ©145 ©146 ©156 ©234 ©235 ©246 ffi 256 © 345 © 346 © 356 © 456

/50 = 123 © 126 © 134 © 135 © 136 © 145 © 146 © 156 © 234 © 235 ffi 246ffi 256ffi 345ffi 356ffi 456

/5i = 123ffi 12 6ffi 134ffi 13 5ffi 13 6ffi 14 5ffi 14 6ffi 15 6ffi 234ffi 23 5 ffi 246ffi 25 6ffi 34 5ffi 34 6 © 456

/52 = 123 © 126 © 134 © 135 © 136 © 145 © 146 © 156 © 234 © 235 ffi 236ffi 24 5ffi 24 6ffi 25 6ffi 35 6 /_3 = 123ffi 12 6ffi 134ffi 13 5ffi 13 6ffi 14 5ffi 14 6ffi 15 6ffi 234ffi 23 5 ffi

236ffi 24 5ffi 24 6ffi 25 6ffi 34 6

/54 = 123ffi 12 5ffi 134ffi 13 6ffi 14 5ffi 15 6ffi 234ffi 23 6ffi 24 5ffi 24 6 ffi 256ffi 345ffi 34 6ffi 35 6ffi 45 6

/55 = 123ffi 12 5 ©134ffi 13 6ffi 14 5ffi 15 6ffi 234ffi 23 5ffi 23 6ffi 24 5 ffi

246ffi 25 6ffi 346ffi 35 6ffi 45 6

f56 = 123ffi 12 5ffi 134ffi 13 6ffi 14 5ffi 15 6ffi 234ffi 23 5ffi 23 6ffi 24 5 ffi

246ffi 25 6ffi 345 © 346 © 456 hi = 123 © 125 © 134 © 136 © 145 © 146 © 156 © 234 © 236 © 245 © 256 © 345 © 346 © 356 © 456

/58 = 123© 125 ©134 ©135 ©136 ©145 ©146 ©156 ©234 ©236© 245ffi 25 6 © 346 © 356 © 456

/59 = 123 © 125 © 134 © 135 © 136 © 145 © 146 © 156 © 234 © 236 ffi 245ffi 256 © 345 © 346 © 456

/so = 123 ©125 ©134 ©135 ©136 ©145 ©146 ©156 ©234 ©235© 236 © 245 © 246 © 256 © 356

fex = 123ffi 12 5 ©134ffi 135ffi 136ffi 145 ©146 ©156ffi 23 4ffi 235 ffi 236 © 245 © 246 © 256 © 345

/62 = 123 © 125 © 126 © 135 © 136 © 145 © 146 © 235 © 236 © 245 © 246 © 256 © 345 © 346 © 356 fez = 123 ©125 ©126 ©135 ©136 ©145 ©146 ©156 ©235 ©236© 245 © 246 © 345 © 346 © 356

/64 = 123 ©125 ©126 ©135 ©136 ©145 ©146 ©156 ©235 ©236 ffi 245ffi 24 6ffi 256 © 345 © 346 f65 = 123 ©125 ©126 ©135 ©136 ©145 ©146 ©156 ©234 ©245© 246 © 345 © 346 © 356 © 456

/66 = 123 ©125 ©126 ©135 ©136 ©145 ©146 ©156 ©234 ©245 ffi 246 © 256 © 345 © 346 © 456

/67 = 123 © 125 © 126 © 134 © 145 © 146 © 235 © 236 © 245 © 246 © 256 © 345 © 346 © 356 © 456

/68 = 123 © 125 © 126 © 134 © 145 © 146 © 234 © 235 © 236 © 246 © 256 © 345 © 346 © 356 © 456

/69 = 123 © 125 © 126 © 134 © 145 © 146 © 234 © 235 © 236 © 245 © 256 © 345 © 346 © 356 © 456

/70 = 123 © 125 © 126 © 134 © 145 © 146 © 156 © 235 © 236 © 245 © 246 © 256 © 345 © 346 © 456 f7l = 123 ©125 ©126 ©134 ©136 ©145 ©156 ©234 ©235 ©236©

245 © 256 © 346 © 356 © 456

/72 = 123 ©125 ©126 ©134 ©136 ©145 ©146 ©234ffi 23 5 ©236© 128

246 © 256 © 345ffi 34 6ffi 456

ftz - 123ffi 12 5 © 126 © 134ffi 13 5 © 146 © 156 © 234 © 235 © 236 © 246 © 256 © 345 © 356 © 456

fu = 123 ©125 ©126 ©134 ©135 ©145 ©146 ©234 ©235 ©236© 245 © 256 © 345 © 346 © 456

/75 = 123 © 125 © 126 © 134 © 135 © 136 © 146 © 156 © 234 © 245 © 246 © 345 © 346 © 356 © 456

f76 = 123 © 125 © 126 © 134 © 135 © 136 © 146 © 156 © 234 © 236 ffi 245ffi 246ffi 34 5ffi 346ffi 456

fit = 123 © 125 © 126 © 134 © 135 © 136 © 146 © 156 © 234 © 235 © 246 © 256 © 345 © 356 © 456 /'

/78 = 123 © 125 © 126ffi 134 © 135 © 136 © 146 © 156 © 234 © 235 ffi 236 © 246 © 256 © 345 © 456

/T9 = 123 ©125 ©126 ©134 ©135 ©136 ©145 ©156 ©234 ©245 ffi 246 © 345 © 346 © 356 © 456

/80 = 123 ©125 ©126 ©134 ©135 ©136 ©145 ©156 ©234 ©236 ffi 245ffi 25 6ffi 34 6ffi 35 6ffi 45 6

/si = 123ffi 125 ©126ffi 13 4ffi 13 5ffi 136ffi 14 5ffi 15 6ffi 234ffi 235 ffi 245ffi 246ffi 34 5ffi 34 6ffi 45 6

/82 = 123ffi 125ffi 12 6ffi 134ffi 13 5ffi 136ffi 14 5ffi 15 6ffi 234ffi 235 ffi 236ffi 24 5ffi 25 6ffi 346ffi 45 6

/83 = 123ffi 124ffi 13 5ffi 136ffi 14 5ffi 146ffi 235ffi 23 6ffi 24 5ffi 24 6 © 256 © 345 © 346 © 356 © 456

/84 = 123 © 124 ©135 © 136 © 145 © 146 © 234 © 235 © 236 © 245 © 246 © 256 © 346 © 356 © 456

/85 = 123 © 124 © 135 © 136 © 145 © 146 © 234 © 235 © 236 © 245 © 246 © 256 © 345 © 356 © 456

/86 = 123 © 124 © 135 © 136 © 145 © 146 © 156 © 235 © 236 © 245 ©

246 © 345 © 346 © 356 © 456

/87 = 123 ©124 ©134 ©135 ©136 ©145 ©146 ©156 ©235 ©236 ffi

245ffi 24 6ffi 346ffi 35 6ffi 45 6 /88 = 123ffi 12 4ffi 134ffi .135 © 136 © 145 © 146 © 156 © 235 © 236 © 245 © 246 © 345 ©'356 © 456

/__ = 123 © 124 © 134 © 135 © 136 © 145 © 146 © 156 © 234 © 235 ffi 236ffi 24 5ffi 24 6ffi 25 6ffi 346

/90 = 123ffi 12 4ffi 134 ©135ffi 13 6ffi 145ffi 14 6ffi 15 6ffi 23 4ffi 23 5 ffi 236ffi 24 5ffi 24 6ffi 25 6ffi 345

/91 = 123 © 124 © 126 © 135 © 145 © 156 © 234 © 236 © 245 © 246 © 256 © 345 © 346 © 356ffi 45 6

/92 = 123ffi 124ffi 12 6 ©135ffi 145ffi 15 6ffi 23 4ffi 235ffi 23 6ffi 246 ffi 256ffi 34 5ffi 34 6ffi 35 6ffi 45 6

/_3 = 123ffi 12 4ffi 126ffi 135ffi 145ffi 156ffi 23 4ffi 235ffi 236ffi 245 ffi 246ffi 34 5ffi 34 6ffi 35 6ffi 456

/94 = 123ffi 12 4 ©126ffi 135ffi 145ffi 146ffi 156ffi 23 4ffi 236ffi 245© 246 © 256 © 345 © 356 © 456

/95 = 123 ©124 ©126 ©135 ©136 ©145 ©156 ©234 ©235 ©236© 246 © 256 © 345 © 356 © 456

/96 = 123 ©124 ©126 ©135 ©136 ©145 ©146 ©234 ©235 ©236 ffi 245ffi 24 6ffi 34 6ffi 35 6ffi 45 6

/97 = 123ffi 12 4ffi 12 6 ©134ffi 13 6ffi 145ffi 15 6ffi 234ffi 23 6 ©245 ffi 246 © 256 © 345 © 346 © 356

/98 = 123 ©124 ©126 ©134 ©136 ©145 ©146 ©156 ©235 ©245 ffi 256ffi 34 5 © 346 © 356 © 456

/99 = 123 ©124 ©126 ©134 ©136 ©145 ©146 ©156 ©235 ©245©

246 © 256 © 345 © 356 © 456 /ioo = 123 © 124 © 126 © 134 © 136 © 145ffi 14 6ffi 15 6ffi 234ffi 23 6 ffi

245ffi 25 6ffi 34 5ffi 34 6ffi 35 6 fxox = 123ffi 124ffi 12 6ffi 134ffi 13 6ffi 145ffi 14 6ffi 15 6ffi 234 ©236 ffi

245 © 246 © 256 © 345 © 356

/102 = 123 ©124 ©126 ©134 ©135 ©146 ©156 ©234 ©235 ©236©

246 © 256 © 345 © 346 © 456 /___ = 123 ©124 ©126 ©134 ©135 ©145 ©156 ©234 ©235 ©236© 130

245ffi 24 6ffi 34 5 © 356ffi 456

/104 = 123 © 124ffi 126ffi 134ffi 135ffi 136ffi 146ffi 156ffi 235ffi 245 ffi 256 © 345ffi 34 6ffi 35 6ffi 456

/ios = 123ffi 124ffi 126ffi 13 4ffi 135ffi 136ffi 146ffi 156ffi 235ffi 236 ffi 245ffi 25 6ffi 34 5ffi 356ffi 456

/loe = 123ffi 124ffi 126 © 134 © 135 © 136 © 146 © 156 © 234 © 235 © 246 © 256 © 345 © 346 © 456

/107 = 123 © 124 © 126 © 134 © 135 © 136 © 146 © 156 © 234 © 235 ffi 236ffi 246ffi 256 © 345 © 456

/io8 = 123 © 124 © 126 © 134 © 135 © 136 © 145 © 146 © 235 © 245 ffi 256 © 345 © 346 © 356 © 456 ;/ /109 = 123 © 124 © 126 © 134 © 135 © 136 © 145 © 146 © 235 © 236 © 245 © 246 © 346 © 356 © 456 /no = 123 ©124 ©126 ©134 ©135 ©136 ©145 ©146 ©234 ©235©

245 © 256 © 345 © 356 © 456 /in = 123 ©124 ©126 ©134 ©135 ©136 ©145 ©146 ©234 ©235©

236 © 245 © 246 © 356 © 456

fYl2 = 123 © 124 © 125 © 136 © 146 © 156 © 234 © 235 © 245 © 246 ffi 256ffi 34 5ffi 34 6ffi 35 6ffi 45 6

/n3 = 123ffi 12 4ffi 12 5ffi 136ffi 14 6ffi 15 6ffi 23 4ffi 23 5 ©236ffi 24 5 ffi

256ffi 345ffi 34 6ffi 35 6ffi 45 6 Au = 123ffi 12 4ffi 12 5ffi 136ffi 14 6ffi 15 6ffi 23 4 © 235 © 236 © 245 ©

246 © 345 ©"346 © 356 © 456

/115 = 123 ©124 ©125 ©136 ©145 ©146 ©156 ©234 ©235 ©245©

246 © 256 © 346 © 356 © 456

/116 = 123 ©124 ©125 ©135 ©136 ©146 ©156 ©234 ©235 ©236©

245 © 256 © 346 © 356 © 456 fxxt = 123 ©124 ©125 ©135 ©136 ©145 ©146 ©234 ©235 ©236©

245 © 246 © 345 © 356 © 456

/118 = 123ffi 12 4ffi 12 5ffi 134 ©136ffi 14 6 ©156 ©234 ©235 ©236©

245 © 246 © 346 © 356 © 456 131

/ng = 123 ©124 © 125 © 134 © 136 ©145 ©156© 234 © 235 © 236 © 245 © 256 ©345 ©346© 456

/120 = 123 ©124 © 125ffi 13 4 ffi135 ©146 ©156© 234 ffi 235 ffi 245 ffi 246 © 256 © 345 © 346 © 356

/m = 123 ©124 © 125 © 134 © 135 © 145 © 146 ffi156 ffi 236 ffi 246 ffi 256 © 345 © 346 © 356 © 456

/122 = 123 ©124 ©125 ©134© 135ffi 145ffi 146 156ffi ffi 236 © 245 ffi 246 © 256 © 346 © 356 © 456

/123 = 123 ©124 ©125 ©134© 135ffi 145ffi 146 ffi156 ffi 234 ffi 235 ffi 246 © 256 © 345 © 346 © 356

/_2_ = 123 ©124 ©125 ©134© 135ffi 145ffi 146 156ffi ffi 234 ffi 235 ffi 245 © 246 © 256 © 346 © 356

/125 = 123 ©124 © 125 © 134 © 135 ©136ffi 145 ffi156 ffi 236 ffi 246 ffi 256 © 345 © 346 © 356 © 456

/126 = 123 ©124 ©125 ©134© 135ffi 136ffi 145 ffi156 ffi 235 ffi 236 ffi 246 © 256 © 346 © 356 © 456

/127 = 123 ©124 ©125© 134© 135ffi 136ffi 145 ffi156 © 234 © 236 ffi 245 © 256 © 345 © 346 © 456

/i28 = 123 ©124 ©125 ©134© 135ffi 136ffi 145 ffi156 © 234 ffi 235 ffi 236 © 245 © 256 © 346 © 456

/_29 = 123 ©124 ©125 ©134© 135ffi 136ffi 145 146ffi © 236 © 246 ffi 256 © 345 © 346 © 356 © 456

/i30 = 123 ©124 ©125 ©134© 135ffi 136 ©145 ffi146 ffi 235 ffi 236 ffi 245 © 246 © 345 © 356 © 456 /i3i = 123 ©124 ©125 ©134© 135ffi 136ffi 145 146ffi ffi 234 ffi 236 ffi 246 © 256 © 346 © 356 © 456

/132 = 123 ©124 ©125 ©134© 135ffi 136ffi 145 ffi146 ffi 234 ffi 235 ffi 236 © 245 © 246 © 356 © 456 156 ffi 234 ffi 235 ffi /i33 = 123 ©124 ©125 ©126© 136ffi 145ffi 146 ffi 245 © 256 © 346 © 356 © 456 136ffi 145 © 146 © 156 ffi 234 ffi 235 ffi /134 = 123 ©124 ©125 ©126© 245 © 246 © 346 © 356ffi 45 6

/135 =' 123ffi 124 © 125 © 126 © 136 © 145 © 146 © 156 © 234 © 235 ©

236 © 256 © 345 © 346 © 356

/i36 = 123 ©124 ©125ffi 126 ©136 ©145 ©146 ©156 ©234 ©235© 236 © 246 © 345 © 346 © 356

/137 = 123 © 124 © 125 © 126 © 135 © 145 © 146 © 156 © 234 © 236 © 246 © 256 © 345 © 356 © 456

/138 = 123 ©124ffi 12 5 ©126 ©135 ©145 ©146 ©156 ©234 ©236© 245 © 246 © 345 © 356 © 456

/139 = 123 © 124 © 125 © 126 © 135 © 145 © 146 © 156 © 234 © 235 © 236 © 256 © 345 © 346 © 356 / /uo = 123 ©124 ©125 ©126 ©135 ©145 ©146 ©156 ©234 ©235 ffi

236ffi 24 5ffi 34 5ffi 34 6ffi 356 /ui = 123ffi 12 4ffi 12 5 ©126ffi 13 5ffi 13 6ffi 14 6ffi 15 6ffi 23 4ffi 245 ffi

246ffi 25 6ffi 345ffi 34 6ffi 456

/142 = 123 ©124ffi 12 5ffi 126ffi 13 5ffi 13 6ffi 14 6ffi 15 6ffi 23 4ffi 236 ffi

245ffi 246ffi 34 5ffi 34 6ffi 45 6

/143 = 123ffi 12 4ffi 125ffi 12 6ffi 13 5ffi 13 6ffi 14 6ffi 15 6ffi 234ffi 235 ffi 245 © 256 © 346 © 356 © 456

fxA4 = 123 © 124 © 125 © 126 © 135 © 136 © 146 © 156 © 234 © 235 ffi

236ffi 24 5ffi 346ffi 356 © 456

/145 = 123 ©124 ©125 ©126 ©135 ©136 ©145 ©156 ©234 ©245©

246 © 256 © 345 © 346 © 456

fxA6 = 123 ©124 ©125 ©126 ©135 ©136 ©145 ©156 ©234 ©236®

246 © 256 © 345 © 356 © 456

/147 = 123 © 124 © 125 © 126 © 135 © 136 © 145 © 156 © 234 © 235 ©

245 © 246 © 345 © 346 © 456

/148 = 123 ©124 ©125 ©126 ©135 ©136 ©145 ©156 ©234 ©235©

236 © 246ffi 34 5ffi 35 6ffi 45 6

/149 = 123ffi 124ffi 125ffi 12 6ffi 134ffi 145ffi 14 6ffi 15 6ffi 23 5ffi 23 6 ffi

246ffi 25 6ffi 34 5ffi 34 6ffi 45 6 /iso = 123ffi 12 4 ffi 125ffi 126 ffi134 © 145 © 146 © 156 © 235 © 236 © 245ffi 25 6 ffi 345ffi 34645 ffi6

Asi = 123 ©124 ©125 ©126© 134 © 145 © 146 ©156 © 234 © 235 ffi 236 © 246 © 345 © 346 © 356

/152 = 123 ©124 ©125 ©126© 134 © 145 © 146 © 156 ffi 234 ffi 235 ffi 236 © 245 © 345 © 346 © 356

/153 = 123 ©124 ©125 ©126© 134 ©136 ©146© 156 ffi 235 ffi 245 © 246 © 256 © 345 © 356 © 456

/i54 = 123 ©124 ©125 ©126© 134 ©136 ©146© 156 © 235 © 236 © 245 © 256 © 345 © 356 ffi45 6 / /iso = 123 ©124 ffi 125ffi 126 ffi134 © 136 © 146 © 156 © 234 © 235 ffi 245 © 246 ffi 346ffi 35645 ffi6

/ise = 123 ©124 ffi 125ffi 126 ffi134 © 136 © 146 © 156 ffi 234 ffi 235 ffi 236 © 245 © 346 © 356 © 456 /157 = 123 ©124 ©125 ©126© 134 ©136 ©145© 146 © 235 © 245 ffi 246 © 256 © 345 © 356 © 456

/iss = 123 ©124 ©125 ©126© 134 ©136 ©145© 146 ffi 235 ffi 236 ffi 246 © 256 © 345 © 346 © 456 /isg = 123 ©124 ©125 ©126© 134 ©136 ©145© 146 ffi 234 ffi 235 ffi 245 © 256 © 345 © 356 © 456

/i60 = 123 ©124 ©125 ©126© 134 ©136 ©145© 146 ffi 234 ffi 235 ffi 236 © 256 © 345 © 346 © 456

/161 = 123 ©124 ©125 ©126© 134 ©135 ©145© 156 ffi 236 ffi 245 ffi 246 © 256 © 346 © 356 ffi45 6

fl62 = 123 ©124 ffi 125ffi 126 ffi134 ©135 ©145© 156 ffi 235 ffi 236 ffi 246 © 256 ffi 346ffi 35 645 ffi6 156 ffi 234 ffi 236 ffi /163 = 123 ©124 ffi 125ffi 126 ffi134 ©135 ©145© 245 © 246 ffi 345ffi 35 645 ffi6 134 ©135 ©145© 156 ffi 234 ffi 235 ffi /i64 = 123 ©124 ffi 125ffi 126 ffi 236 © 246 ffi 345ffi 35 645 ffi6 134 ©135 ©145© 146 ffi 236 ffi 245 ffi /l65 = 123 ©124 ©125 ©126© 134

246ffi 256ffi 346ffi 356ffi 456

AM = 123ffi 12 4ffi 12 5ffi 12 6ffi 134ffi 13 5 © 145 © 146 © 235 © 236 © 245 © 256 © 345 © 346 © 456

/i67 = 123 ©124 ©125 ©126 ©134 ©135 ©145 ©146 ©234 ©236 ffi 246ffi 256ffi 346ffi 356ffi 45 6

/i68 = 123ffi 124ffi 12 5ffi 12 6ffi 134ffi 13 5ffi 14 5ffi 14 6ffi 23 4ffi 23 5 ffi 236ffi 25 6ffi 345ffi 346ffi 45 6

/i69 = 123ffi 124ffi 12 5ffi 12 6ffi 134ffi 13 5ffi 13 6ffi 15 6ffi 23 6ffi 24 5 ffi 246ffi 256ffi 345ffi 346ffi 35 6

/ITO = 123ffi 124ffi 12 5ffi 12 6ffi 134ffi 13 5 ©136ffi 15 6 ©235ffi 24 5 ffi 246ffi 256ffi 345ffi 34 6ffi 35 6 '• fxn = 123 ©124ffi 12 5ffi 12 6ffi 134ffi 13 5ffi 13 6ffi 15 6ffi 23 4ffi 236 © 245ffi 24 6ffi 345ffi 34 6 © 456

/m = 123 ©124 ©125 ©126 ©134 ©135 ©136 ©156 ©234 ©235 ffi 245ffi 246ffi 345ffi 34 6ffi 45 6

/173 = 123 ©124 ©125ffi 126ffi 134ffi 135ffi 13 6ffi 14 6ffi 236ffi 24 5 ffi 246ffi 25 6ffi 345ffi 34 6ffi 356

/m = 123ffi 124ffi 12 5 ©126ffi 134ffi 135 ©136ffi 14 6 ©235ffi 236 ffi 245 © 256 © 345 © 356 © 456

/175 = 123 ©124 ©125 ©126 ©134 ©135 ©136 ©146 ©234 ©245© 246 © 256 © 345 © 346 © 356 fxtQ = 123 © 124 © 125 © 126 © 134 © 135 © 136 © 146 © 234 © 235 © 245 © 256 © 345 © 356 © 456 fxtt = 123 ©124 ©125 ©126 ©134 ©135 ©136 ©145 ©235 ©245 ffi

246ffi 25 6ffi 345ffi 346ffi 35 6

/i78 = 123ffi 12 4ffi 12 5ffi 12 6 © 134 © 135 © 136 © 145 © 235 © 236 ffi 246ffi 256ffi 346ffi 35 6ffi 45 6

/i79 = 123ffi 124ffi 12 5ffi 12 6ffi 134ffi 13 5ffi 13 6ffi 14 5ffi 23 4ffi 24 5 ffi 246ffi 25 6ffi 345ffi 34 6ffi 35 6

/i80 = 123ffi 124ffi 12 5ffi 12 6ffi 134ffi 13 5ffi 13 6ffi 14 5 ©234ffi 23 6 ffi

246 © 256 © 346 © 356 © 456 135

The following 10 balanced functions are examples on V8. They have nonlinearity 112 with 40 terms¹:

f1(x) = 123 ⊕ 124 ⊕ 125 ⊕ 126 ⊕ 127 ⊕ 128 ⊕ 138 ⊕ 145 ⊕ 147 ⊕ 148 ⊕
156 ⊕ 158 ⊕ 167 ⊕ 168 ⊕ 178 ⊕ 235 ⊕ 236 ⊕ 237 ⊕ 245 ⊕ 246 ⊕
247 ⊕ 248 ⊕ 256 ⊕ 257 ⊕ 258 ⊕ 267 ⊕ 268 ⊕ 278 ⊕ 345 ⊕ 346 ⊕
347 ⊕ 348 ⊕ 356 ⊕ 357 ⊕ 358 ⊕ 367 ⊕ 368 ⊕ 378 ⊕ 456 ⊕ 457

f2(x) = 123 ⊕ 124 ⊕ 125 ⊕ 126 ⊕ 127 ⊕ 128 ⊕ 136 ⊕ 146 ⊕ 147 ⊕ 156 ⊕
157 ⊕ 158 ⊕ 167 ⊕ 168 ⊕ 178 ⊕ 234 ⊕ 235 ⊕ 237 ⊕ 238 ⊕ 245 ⊕
246 ⊕ 247 ⊕ 248 ⊕ 256 ⊕ 257 ⊕ 258 ⊕ 267 ⊕ 268 ⊕ 278 ⊕ 345 ⊕
346 ⊕ 347 ⊕ 348 ⊕ 356 ⊕ 357 ⊕ 367 ⊕ 368 ⊕ 378 ⊕ 456 ⊕ 457

f3(x) = 123 ⊕ 124 ⊕ 125 ⊕ 126 ⊕ 127 ⊕ 128 ⊕ 136 ⊕ 137 ⊕ 147 ⊕ 156 ⊕
157 ⊕ 158 ⊕ 167 ⊕ 168 ⊕ 178 ⊕ 234 ⊕ 236 ⊕ 237 ⊕ 238 ⊕ 245 ⊕
246 ⊕ 247 ⊕ 248 ⊕ 256 ⊕ 257 ⊕ 258 ⊕ 267 ⊕ 268 ⊕ 278 ⊕ 345 ⊕
346 ⊕ 347 ⊕ 348 ⊕ 356 ⊕ 357 ⊕ 358 ⊕ 367 ⊕ 368 ⊕ 456 ⊕ 457

f4(x) = 123 ⊕ 124 ⊕ 125 ⊕ 126 ⊕ 127 ⊕ 128 ⊕ 136 ⊕ 137 ⊕ 138 ⊕ 148 ⊕
156 ⊕ 157 ⊕ 158 ⊕ 167 ⊕ 168 ⊕ 178 ⊕ 235 ⊕ 236 ⊕ 237 ⊕ 245 ⊕
246 ⊕ 247 ⊕ 248 ⊕ 256 ⊕ 257 ⊕ 258 ⊕ 267 ⊕ 278 ⊕ 345 ⊕ 346 ⊕
347 ⊕ 348 ⊕ 356 ⊕ 357 ⊕ 358 ⊕ 367 ⊕ 368 ⊕ 378 ⊕ 456 ⊕ 457

They have nonlinearity 104 with 48 terms:

f5(x) = 123 ⊕ 124 ⊕ 125 ⊕ 126 ⊕ 127 ⊕ 128 ⊕ 136 ⊕ 137 ⊕ 138 ⊕ 145 ⊕
156 ⊕ 157 ⊕ 158 ⊕ 167 ⊕ 168 ⊕ 178 ⊕ 234 ⊕ 235 ⊕ 237 ⊕ 238 ⊕
245 ⊕ 246 ⊕ 247 ⊕ 248 ⊕ 256 ⊕ 257 ⊕ 258 ⊕ 267 ⊕ 268 ⊕ 345 ⊕
346 ⊕ 347 ⊕ 356 ⊕ 357 ⊕ 358 ⊕ 367 ⊕ 368 ⊕ 378 ⊕ 456 ⊕ 457

f6(x) = 124 ⊕ 125 ⊕ 126 ⊕ 128 ⊕ 134 ⊕ 135 ⊕ 136 ⊕ 137 ⊕ 138 ⊕ 147 ⊕
148 ⊕ 156 ⊕ 157 ⊕ 158 ⊕ 167 ⊕ 168 ⊕ 178 ⊕ 234 ⊕ 236 ⊕ 237 ⊕
238 ⊕ 245 ⊕ 246 ⊕ 247 ⊕ 248 ⊕ 256 ⊕ 257 ⊕ 258 ⊕ 267 ⊕ 278 ⊕
346 ⊕ 347 ⊕ 348 ⊕ 356 ⊕ 357 ⊕ 358 ⊕ 367 ⊕ 368 ⊕ 378 ⊕ 456 ⊕
457 ⊕ 458 ⊕ 467 ⊕ 468 ⊕ 478 ⊕ 567 ⊕ 568 ⊕ 678

f7(x) = 124 ⊕ 125 ⊕ 126 ⊕ 128 ⊕ 134 ⊕ 135 ⊕ 136 ⊕ 137 ⊕ 138 ⊕ 145 ⊕
148 ⊕ 156 ⊕ 157 ⊕ 158 ⊕ 167 ⊕ 168 ⊕ 178 ⊕ 234 ⊕ 236 ⊕ 237 ⊕
238 ⊕ 245 ⊕ 246 ⊕ 247 ⊕ 248 ⊕ 256 ⊕ 257 ⊕ 258 ⊕ 267 ⊕ 268 ⊕
278 ⊕ 346 ⊕ 347 ⊕ 348 ⊕ 356 ⊕ 357 ⊕ 358 ⊕ 367 ⊕ 378 ⊕ 456 ⊕
457 ⊕ 458 ⊕ 467 ⊕ 468 ⊕ 478 ⊕ 567 ⊕ 568 ⊕ 678

f8(x) = 124 ⊕ 125 ⊕ 126 ⊕ 128 ⊕ 134 ⊕ 135 ⊕ 136 ⊕ 137 ⊕ 138 ⊕ 145 ⊕
146 ⊕ 156 ⊕ 157 ⊕ 158 ⊕ 167 ⊕ 168 ⊕ 178 ⊕ 234 ⊕ 236 ⊕ 237 ⊕
238 ⊕ 245 ⊕ 246 ⊕ 247 ⊕ 248 ⊕ 256 ⊕ 257 ⊕ 258 ⊕ 267 ⊕ 268 ⊕
278 ⊕ 346 ⊕ 347 ⊕ 348 ⊕ 356 ⊕ 357 ⊕ 358 ⊕ 367 ⊕ 378 ⊕ 456 ⊕
457 ⊕ 458 ⊕ 467 ⊕ 468 ⊕ 478 ⊕ 568 ⊕ 578 ⊕ 678

f9(x) = 124 ⊕ 125 ⊕ 126 ⊕ 128 ⊕ 134 ⊕ 135 ⊕ 136 ⊕ 137 ⊕ 138 ⊕ 145 ⊕
146 ⊕ 147 ⊕ 157 ⊕ 158 ⊕ 167 ⊕ 168 ⊕ 178 ⊕ 235 ⊕ 236 ⊕ 237 ⊕
238 ⊕ 245 ⊕ 246 ⊕ 247 ⊕ 248 ⊕ 256 ⊕ 257 ⊕ 267 ⊕ 268 ⊕ 278 ⊕
345 ⊕ 346 ⊕ 347 ⊕ 348 ⊕ 356 ⊕ 357 ⊕ 358 ⊕ 367 ⊕ 378 ⊕ 456 ⊕
457 ⊕ 458 ⊕ 467 ⊕ 468 ⊕ 478 ⊕ 567 ⊕ 568 ⊕ 578

f10(x) = 124 ⊕ 125 ⊕ 126 ⊕ 128 ⊕ 134 ⊕ 135 ⊕ 136 ⊕ 137 ⊕ 138 ⊕ 145 ⊕
146 ⊕ 147 ⊕ 148 ⊕ 158 ⊕ 167 ⊕ 168 ⊕ 178 ⊕ 235 ⊕ 236 ⊕ 237 ⊕
238 ⊕ 245 ⊕ 246 ⊕ 247 ⊕ 248 ⊕ 256 ⊕ 257 ⊕ 258 ⊕ 267 ⊕ 268 ⊕
278 ⊕ 346 ⊕ 347 ⊕ 348 ⊕ 356 ⊕ 357 ⊕ 358 ⊕ 367 ⊕ 378 ⊕ 456 ⊕
457 ⊕ 458 ⊕ 467 ⊕ 468 ⊕ 567 ⊕ 568 ⊕ 578 ⊕ 678

¹ The upper bound of nonlinearity of boolean functions on space V8 is 120.

Appendix C

Homogeneous functions with the highest nonlinearity

Some examples of the highest nonlinear degree-3 homogeneous functions¹ are listed as follows:

f1(x) = 123 ⊕ 124 ⊕ 125 ⊕ 126 ⊕ 127 ⊕ 134 ⊕ 135 ⊕ 136 ⊕ 137 ⊕ 145 ⊕
146 ⊕ 234 ⊕ 235 ⊕ 245 ⊕ 256 ⊕ 267 ⊕ 346 ⊕ 356 ⊕ 357 ⊕ 456

f2(x) = 123 ⊕ 124 ⊕ 125 ⊕ 126 ⊕ 127 ⊕ 134 ⊕ 135 ⊕ 136 ⊕ 137 ⊕ 146 ⊕
167 ⊕ 234 ⊕ 236 ⊕ 245 ⊕ 247 ⊕ 267 ⊕ 345 ⊕ 347 ⊕ 367 ⊕ 467

f3(x) = 123 ⊕ 124 ⊕ 125 ⊕ 126 ⊕ 127 ⊕ 134 ⊕ 135 ⊕ 136 ⊕ 145 ⊕ 146 ⊕
147 ⊕ 234 ⊕ 235 ⊕ 245 ⊕ 256 ⊕ 267 ⊕ 346 ⊕ 356 ⊕ 456 ⊕ 457

f4(x) = 123 ⊕ 124 ⊕ 125 ⊕ 126 ⊕ 127 ⊕ 134 ⊕ 135 ⊕ 136 ⊕ 137 ⊕ 145 ⊕
146 ⊕ 234 ⊕ 235 ⊕ 237 ⊕ 245 ⊕ 247 ⊕ 256 ⊕ 267 ⊕ 346 ⊕ 356 ⊕
357 ⊕ 457

f5(x) = 123 ⊕ 124 ⊕ 125 ⊕ 126 ⊕ 127 ⊕ 134 ⊕ 135 ⊕ 136 ⊕ 137 ⊕ 146 ⊕
156 ⊕ 234 ⊕ 236 ⊕ 237 ⊕ 247 ⊕ 345 ⊕ 347 ⊕ 356 ⊕ 367 ⊕ 456 ⊕
457 ⊕ 567

f6(x) = 123 ⊕ 124 ⊕ 125 ⊕ 126 ⊕ 127 ⊕ 134 ⊕ 135 ⊕ 136 ⊕ 137 ⊕ 147 ⊕
157 ⊕ 234 ⊕ 236 ⊕ 237 ⊕ 245 ⊕ 246 ⊕ 257 ⊕ 267 ⊕ 345 ⊕ 346 ⊕
357 ⊕ 457

f7(x) = 123 ⊕ 124 ⊕ 125 ⊕ 126 ⊕ 127 ⊕ 134 ⊕ 135 ⊕ 136 ⊕ 137 ⊕ 145 ⊕
146 ⊕ 235 ⊕ 236 ⊕ 245 ⊕ 246 ⊕ 257 ⊕ 267 ⊕ 356 ⊕ 357 ⊕ 367 ⊕
456 ⊕ 457 ⊕ 467 ⊕ 567

f8(x) = 123 ⊕ 124 ⊕ 125 ⊕ 126 ⊕ 127 ⊕ 134 ⊕ 135 ⊕ 136 ⊕ 137 ⊕ 145 ⊕
146 ⊕ 235 ⊕ 236 ⊕ 245 ⊕ 257 ⊕ 267 ⊕ 346 ⊕ 356 ⊕ 357 ⊕ 367 ⊕
456 ⊕ 457 ⊕ 467 ⊕ 567

f9(x) = 123 ⊕ 124 ⊕ 125 ⊕ 126 ⊕ 127 ⊕ 134 ⊕ 135 ⊕ 136 ⊕ 145 ⊕ 146 ⊕
147 ⊕ 235 ⊕ 236 ⊕ 237 ⊕ 245 ⊕ 247 ⊕ 267 ⊕ 346 ⊕ 347 ⊕ 356 ⊕
367 ⊕ 456 ⊕ 467 ⊕ 567

¹ The functions reach the upper bound (56) of nonlinearity of boolean functions over V7. However they are not balanced.

Bibliography

[1] C. Adams and S. Tavares. Generating and counting binary sequences. IEEE Transactions on , 36:1170-1173, 1990.

[2] C. Adams and S. Tavares. The structured design of cryptographically good S-boxes. Journal of Cryptology, 3:27-41, 1990.

[3] C. M. Adams. On immunity against Biham and Shamir's 'differential cryptanalysis'. Information Processing Letters, 41:77-80, 1992.

[4] M. Beale and M. F. Monaghan. Encryption using random Boolean function. In Cryptography and Coding, Clarendon Press, Oxford, pages 219-230, 1989.

[5] H. Beker and F. Piper. Cipher Systems: The Protection of Communications. Interscience, New York, 1982.

[6] T. Beth and C. Ding. On almost perfect nonlinear permutations. Advances in Cryptology - EUROCRYPT'93, Lecture Notes in Computer Science, Springer-Verlag, Berlin Heidelberg New York, 765:65-76, 1994.

[7] J. Bierbrauer, K. Gopalakrishnan, and D. R. Stinson. Bounds for resilient functions and orthogonal arrays. Advances in Cryptology - CRYPTO'94, Lecture Notes in Computer Science, Springer-Verlag, Berlin Heidelberg New York Tokyo, 839:247-256, 1994.

[8] E. Biham and A. Shamir. Differential of DES-like cryptosystems. Journal of Cryptology, 4.1:3-72, 1991.

[9] E. Biham and A. Shamir. Differential Cryptanalysis of The Data Encryption Standard. Springer-Verlag, Berlin Heidelberg New York Tokyo, 1993.

[10] R. C. Bose and K. R. Nair. Partially balanced incomplete block designs. Sankhya, 4:337-372, 1939.

[11] A. Bosselaers, R. Govaerts, and J. Vandewalle. Fast hashing on the Pentium. Advances in Cryptology - CRYPTO'96, Lecture Notes in Computer Science, Springer-Verlag, Berlin Heidelberg New York Tokyo, 1109:298-312, 1996.

[12] E. F. Brickell, J. H. Moore, and M. R. Purtill. Structures in S-boxes of the DES. Advances in Cryptology - CRYPTO'86, Lecture Notes in Computer Science, Springer-Verlag, Berlin Heidelberg New York Tokyo, pages 3-8, 1987.

[13] P. Camion and A. Canteaut. Construction of t-resilient functions over a finite alphabet. Advances in Cryptology - EUROCRYPT'96, Lecture Notes in Computer Science, Springer-Verlag, Berlin Heidelberg New York, 1070:283-293, 1996.

[14] P. Camion and A. Canteaut. Generalization of Siegenthaler inequality and Schnorr-Vaudenay multipermutations. Advances in Cryptology - CRYPTO'96, Lecture Notes in Computer Science, Springer-Verlag, Berlin Heidelberg New York Tokyo, 1109:372-386, 1996.

[15] P. Camion, C. Carlet, P. Charpin, and N. Sendrier. On correlation-immune functions. Advances in Cryptology - CRYPTO'91, Lecture Notes in Computer Science, Springer-Verlag, Berlin Heidelberg New York Tokyo, 576:86-100, 1991.

[16] C. Carlet. Partially-bent functions. Designs, Codes and Cryptography, 3:135-145, 1993.

[17] C. Carlet. Two new classes of bent functions. In Advances in Cryptology - EUROCRYPT'93, Lecture Notes in Computer Science, Springer-Verlag, Berlin, Heidelberg, New York, 765:77-101, 1994.

[18] C. Carlet. Generalized partial spreads. IEEE Transactions on Information Theory, 41.5:1482-1487, 1995.

[19] C. Carlet. Hyperbent functions. PRAGOCRYPT'96, Czech Technical University Publishing House, pages 145-155, 1996.

[20] C. Carlet. More correlation-immune and resilient functions over Galois fields and Galois rings. Advances in Cryptology - EUROCRYPT'97, Lecture Notes in Computer Science, Springer-Verlag, Berlin Heidelberg New York, 1233:422-433, 1997.

[21] C. Carlet. On propagation criterion of degree l and order k. Advances in Cryptology - EUROCRYPT'97, Lecture Notes in Computer Science, Springer-Verlag, Berlin Heidelberg New York, 1403:462-474, 1998.

[22] C. Carlet, J. Seberry, and X. Zhang. Comments on "generating and counting binary bent sequences". IEEE Transactions on Information Theory, 40.2:600-600, 1994.

[23] F. Chabaud and S. Vaudenay. Links between differential and . Advances in Cryptology - ASIACRYPT'94, Lecture Notes in Computer Science, Springer-Verlag, Berlin Heidelberg New York Tokyo, 950:356-365, 1995.

[24] J. H. Cheon, S. Chee, and C. Park. S-boxes with controllable nonlinearity. Advances in Cryptology - EUROCRYPT'99, Lecture Notes in Computer Science, Springer-Verlag, Berlin Heidelberg New York, 1592:286-294, 1999.

[25] W. H. Clatworthy. Tables of Two-Associate-Class Partially Balanced Designs. U.S. Department of Commerce, National Bureau of Standards, 1973.

[26] C. J. Colbourn and J. H. Dinitz. The CRC Handbook of Combinatorial Designs. CRC Press, Boca Raton, 1996.

[27] T. W. Cusick. Boolean functions satisfying a higher order strict avalanche criterion. Advances in Cryptology - EUROCRYPT'93, Lecture Notes in Computer Science, Springer-Verlag, Berlin Heidelberg New York, 765:102-117, 1994.

[28] Y. Desmedt, J.J. Quisquater, and M. Davio. Dependence of output on input in DES: small avalanche characteristics. Advances in Cryptology - CRYPTO'84, Lecture Notes in Computer Science, Springer-Verlag, Berlin Heidelberg New York Tokyo, pages 359-376, 1985.

[29] J. F. Dillon. A survey of bent functions. The NSA Technical Journal, (unclassified), pages 191-215, 1972.

[30] J. F. Dillon. Elementary Hadamard Difference Set. University of Maryland, 1976.

[31] H. Dobbertin. Cryptanalysis of MD4. In Fast Software Encryption, Lecture Notes in Computer Science, Springer-Verlag, Berlin Heidelberg New York Tokyo, 1039:71-82, 1996.

[32] H. Dobbertin. Cryptanalysis of MD5 compress. Announcement on , May, 1996.

[33] L. Euler. Recherches sur une nouvelle espece de quarres magiques. Verhandlingen Zeeuwach Genootschap Wetenschappen Vlissengen, 9:85-239, 1782.

[34] J.H. Evertse. Linear structure in block ciphers. Advances in Cryptology - EUROCRYPT'87, Lecture Notes in Computer Science, Springer-Verlag, Berlin Heidelberg New York, pages 359-376, 1988.

[35] C. Fontaine. The nonlinearity of a class of Boolean functions with short representation. In J. Pribyl, editor, Proceedings of PRAGOCRYPT'96, CTU Publishing House, pages 129-144, 1996.

[36] M. Garey and D. S. Johnson. Computers and Intractability: A Guide to the Theory of NP-Completeness. Freeman, 1979.

[37] J. D. Golic. Correlation via linear sequential circuit approximation. Advances in Cryptology - EUROCRYPT'92, Lecture Notes in Computer Science, Springer-Verlag, Berlin Heidelberg New York, 658:113-123, 1993.

[38] S. Golomb. Shift Register Sequences. Aegean Park Press, Laguna Hills, California, 1982.

[39] S. W. Golomb. Shift Register Sequences. Holden-Day, San Francisco, Calif., 1967.

[40] R. Govaerts, B. Preneel, and J. Vandewalle. Boolean function satisfying higher order propagation criteria. Advances in Cryptology - EUROCRYPT'91, Lecture Notes in Computer Science, Springer-Verlag, Berlin Heidelberg New York, 547:141-152, 1991.

[41] R. Govaerts, B. Preneel, and J. Vandewalle. Cryptographic properties of quadratic Boolean functions. Int. Conf. on and Adv. in Com. and Comp, 1991.

[42] R. L. Graham, M. Grotschel, and L. Lovasz. Handbook of . Elsevier, Amsterdam Oxford, 1995.

[43] M. Hamermesh. Group Theory and Its Application to Physical Problems. Reading, Mass., Addison-Wesley, 1962.

[44] X. Hou and P. Langevin. Results on bent functions. Journal of Combinatorial Theory, A 80:232-246, 1997.

[45] P. V. Kumar and R. A. Scholtz. Bounds on the linear span of bent sequences. IEEE Transaction on Information Theory, 29:854-862, 1983.

[46] P. V. Kumar, R. A. Scholtz, and L. R. Welch. Generalized bent functions and their properties. Journal of Combinatorial Theory (A), 40:90-107, 1985.

[47] A. Lempel and M. Cohn. Matrix factorization over GF(2) and trace-orthogonal bases of GF(2^n). SIAM J. Comput., 4.2:175-186, 1975.

[48] A. Lempel and M. Cohn. Maximal families of bent sequences. IEEE Transactions on Information Theory, IT-28:865-868, 1982.

[49] S. Lloyd. Properties of binary functions. Advances in Cryptology - EUROCRYPT'90, Lecture Notes in Computer Science, Springer-Verlag, Berlin Heidelberg New York, 473:124-139, 1990.

[50] S. Lloyd. Counting binary functions with certain cryptographic properties. Journal of Cryptology, 5:107-131, 1992.

[51] V. V. Losev. Decoding of sequences of bent functions by means of a fast hadamard transform. Radiotechnika I Electronika, 7:1479-1492, 1987.

[52] F. J. MacWilliams and N. J. A. Sloane. The Theory of Error Correcting Codes. North-Holland, Amsterdam, 1978.

[53] S. Maitra and P. Sarkar. Highly nonlinear resilient functions optimizing Siegenthaler's inequality. Advances in Cryptology - CRYPTO'92, Lecture Notes in Computer Science, Springer-Verlag, Berlin Heidelberg New York Tokyo, 1666:198-215, 1999.

[54] Jr. Marshall Hall. Combinatorial Theory. Ginn-Blaisdell, Waltham, 1967.

[55] M. Matsui. Linear cryptanalysis method for DES cipher. Advances in Cryptology - EUROCRYPT'93, Lecture Notes in Computer Science, Springer-Verlag, Berlin Heidelberg New York, 756:386-397, 1994.

[56] M. Matsui. On correlation between the order of S-boxes and the strength of DES. Advances in Cryptology - ASIACRYPT'94, Lecture Notes in Computer Science, Springer-Verlag, Berlin Heidelberg New York Tokyo, 950:366-375, 1995.

[57] W. Meier and O. Staffelbach. Correlation properties of combiners with memory in stream ciphers. Advances in Cryptology - EUROCRYPT'90, Lecture Notes in Computer Science, Springer-Verlag, Berlin Heidelberg New York, 473:204-213, 1990.

[58] W. Meier and O. Staffelbach. Nonlinearity criteria for cryptographic functions. Advances in Cryptology - EUROCRYPT'89, Lecture Notes in Computer Science, Springer-Verlag, Berlin Heidelberg New York, 434:549-562, 1990.

[59] A. Menezes, P. van Oorschot, and S. Vanstone. Handbook of Applied Cryptography. CRC Press, Boca Raton, 1997.

[60] K. Nyberg. Constructions of bent functions and difference sets. Advances in Cryptology - EUROCRYPT'90, Lecture Notes in Computer Science, Springer-Verlag, Berlin Heidelberg New York, 473:151-160, 1990.

[61] K. Nyberg. Perfect nonlinear S-boxes. Advances in Cryptology - EUROCRYPT'91, Lecture Notes in Computer Science, Springer-Verlag, Berlin Heidelberg New York, 547:378-386, 1991.

[62] K. Nyberg. On the construction of highly nonlinear permutations. Advances in Cryptology - EUROCRYPT'92, Lecture Notes in Computer Science, Springer-Verlag, Berlin Heidelberg New York, 658:92-98, 1993.

[63] K. Nyberg. Differentially uniform mappings for cryptography. Advances in Cryptology - EUROCRYPT'93, Lecture Notes in Computer Science, Springer-Verlag, Berlin Heidelberg New York, 765:55-65, 1994.

[64] L. O'Connor and A. Klapper. Algebraic nonlinearity and its applications to cryptography. Journal of Cryptology, 7:213-227, 1994.

[65] L. O'Connor and A. Klapper. Convergence in differential distributions. Advances in Cryptology - EUROCRYPT'95, Lecture Notes in Computer Science, Springer-Verlag, Berlin Heidelberg New York, 921:13-23, 1995.

[66] National Institute of Standards and (NIST). Data Encryption Standard U.S Department of Commerce. FIPS Publication 46, January 1977.

[67] J. D. Olsen, R. A. Scholtz, and L. R. Welch. Bent-function sequences. IEEE Transaction on Information Theory, 28:858-864, 1982.

[68] J. Pieprzyk. Non-linear of exponent permutations. Advances in Cryptology - EUROCRYPT'89, Lecture Notes in Computer Science, Springer-Verlag, Berlin Heidelberg New York, 434:80-92, 1989.

[69] J. Pieprzyk. Bent permutations. Proceeding of 1st International Conference on Finite Field, Coding Theory, and Advances in Communication and (In G. Mullen and P. Shiue, editors), Lecture Notes in Pure and Applied Mathematics, Las Vegas, 141, 1991, 1992.

[70] J. Pieprzyk and G. Finkelstein. Towards effective nonlinear design. IEE Proceedings (Part E), 135:325-335, 1988.

[71] J. Pieprzyk and C. Qu. Rotation-symmetric functions and fast hashing. Information Security and Privacy - ACISP'98, Lecture Notes in Computer Science, Springer-Verlag, Berlin Heidelberg New York Tokyo, 1438:169-180, 1998.

[72] J. Pieprzyk and C. Qu. Fast hashing and rotation-symmetric functions. Journal of Universal Computer Science, 5.1:20-31, 1999.

[73] B. Preneel. Analysis and Design of Cryptographic Hash Functions. PhD thesis, Katholieke Universiteit Leuven, 1993.

[74] B. Preneel, W. V. Leelwijck, L. V. Linden, R. Govaerts, and J. Vandewalle. Propagation characteristics of Boolean functions. Advances in Cryptology - EUROCRYPT'90, Lecture Notes in Computer Science, Springer-Verlag, Berlin Heidelberg New York, 473:161-173, 1990.

[75] C. Qu, J. Seberry, and J. Pieprzyk. On the symmetric properties of homogeneous Boolean functions. Information Security and Privacy - ACISP'99, Lecture Notes in Computer Science, Springer-Verlag, Berlin Heidelberg New York Tokyo, 1587:26-35, 1999.

[76] C. Qu, J. Seberry, and J. Pieprzyk. Construction of highly nonlinear balanced Boolean functions. (Submitted to ASIACRYPT'2000), ?:?, 2000.

[77] C. Qu, J. Seberry, and J. Pieprzyk. Homogeneous bent functions. Discrete , 102:133-139, 2000.

[78] R. L. Rivest. The MD5 message-digest algorithm. Internet Request for Comments, RFC 1321, April 1992.

[79] R. L. Rivest. The MD4 Message Digest Algorithm. Technical Report MIT/LCS/TM-434, MIT Laboratory for Computer Science, October 1990.

[80] M. J. B. Robshaw. MD2, MD4, MD5, SHA and Other Hash Functions. Technical Report TR 101, RSA Laboratories, July 1994.

[81] 0. S. Rothaus. On "Bent" functions. Journal of Combinatorial Theory (A), Academic Press, Inc., 20:300-305, 1976.

[82] R. A. Rueppel. Correlation immunity and th summation generator. Advances in Cryptology - Crypto'85, Lecture Notes in Computer Science, Springer-Verlag, Berlin Heidelberg New York Toyko, pages 260-272, 1986.

[83] B. E. Sagan. The Symmetric Group: Representations, Combinatorial Algorithms, and Symmetric Functions. Pacific Grove, Calif., Wadsworth & Brooks, 1991.

[84] P. Sarkar and S. Maitra. Construction of nonlinear Boolean functions with important cryptographic properties. Advances in Cryptology - EUROCRYPT'2000, Lecture Notes in Computer Science, Springer-Verlag, Berlin Heidelberg New York Tokyo, 1807:485-506, 2000.

[85] Palash Sarkar. A note on the spectral characterization of correlation immune Boolean functions. Information Processing Letters, Elsevier, 74:191-195, 2000.

[86] . Applied Cryptography. John Wiley & Sons, New York, 1996.

[87] C. P. Schnorr and S. Vaudenay. cryptanalysis of hash networks based on multipermutations. Advances in Cryptology - EUROCRYPT'94, Lecture Notes in Computer Science, Springer-Verlag, Berlin Heidelberg New York, 950:47-57, 1995.

[88] J. Seberry, X. Zhang, and Y. Zheng. Highly nonlinear 0-1 balanced functions satisfying strict avalanche criterion. Advances in Cryptology - AUSCRYPT'92, Lecture Notes in Computer Science, Springer-Verlag, Berlin Heidelberg New York Tokyo, 718:145-155, 1993.

[89] J. Seberry, X. Zhang, and Y. Zheng. Systematic generation of cryptographically robust S-box. In Proceedings of The First ACM Conference on Computer and , The Association for Computing Machinery, New York, pages 172-182, 1993.

[90] J. Seberry, X. Zhang, and Y. Zheng. Improving the strict avalanche characteristics of cryptographic function. Information Processing Letters, 50:37-41, 1994.

[91] J. Seberry, X. Zhang, and Y. Zheng. Nonlinearly balanced Boolean functions and their propagation characteristics. Advances in Cryptology - CRYPTO'93, Lecture Notes in Computer Science, Springer-Verlag, Berlin Heidelberg New York Tokyo, 773:49-60, 1994.

[92] J. Seberry, X. Zhang, and Y. Zheng. On constructions and nonlinearity of correlation immune functions. Advances in Cryptology - EUROCRYPT'93, Lecture Notes in Computer Science, Springer-Verlag, Berlin Heidelberg New York, 765:181-199, 1994.

[93] J. Seberry, X. Zhang, and Y. Zheng. Remarks on S-boxes based on permutation polynomials. Advances in Cryptology - CRYPTO'94, Lecture Notes in Computer Science, Springer-Verlag, Berlin Heidelberg New York Tokyo, 839:0000, 1994.

[94] J. Seberry, X. Zhang, and Y. Zheng. Nonlinearity and propagation characteristics of balanced Boolean functions. Information and Computation, Academic Press, 119, No.1:1-13, 1995.

[95] J. Seberry, X. Zhang, and Y. Zheng. The relationship between propagation characteristics and nonlinearity of cryptographic functions. Journal of Universal Computer Science, 1.2:136-150, 1995. (available at http://hgiicm.tu-graz.ac.at/).

[96] J. Seberry, X. Zhang, and Y. Zheng. Relationships among nonlinearity criteria. Advances in Cryptology - EUROCRYPT'94, Lecture Notes in Computer Science, Springer-Verlag, Berlin Heidelberg New York, 950:376-388, 1995.

[97] C. E. Shannon. of systems. Bell Systems Technical Journal, 28:656-715, 1949.

[98] T. Siegenthaler. Correlation-immunity of nonlinear combining functions for cryptographic applications. IEEE Transactions on Information Theory, 30.5:776-779, 1984.

[99] R. Sikorski. Boolean Algebras. Springer-Verlag Berlin Heidelberg New York, 1969.

[100] A. Solomon, Don. Mansfield, and J. Jaworski. Group Theory. London: BBC TV for Open University; South Melbourne, Vic.: Educational Media Australia, 1977.

[101] P. Stanica. Quadratic functions in characteristic 2. International Conference on Combinatorics, Information Theory and , Portland, Maine, pages 17-20, July, 1997.

[102] S. Sternberg. Group Theory and . Cambridge University Press, Cambridge, 1994.

[103] D. R. Stinson. Cryptography: Theory and Practice. CRC Press, Boca Raton, 1995.

[104] A. P. Street and D. J. Street. Combinatorics of Experimental Design. Oxford Science Publications, Oxford, 1987.

[105] A. P. Street and W. D. Wallis. Combinatorics: A First Course. CBRC, Winnipeg, Canada, 1982.

[106] A. Webster and S. Tavares. On the design of S-boxes. Advances in Cryptology - CRYPTO'85, Lecture Notes in Computer Science, Springer-Verlag, Berlin Heidelberg New York Tokyo, 219:523-534, 1986.

[107] A. F. Webster and S. E. Tavares. Plaintext/ciphertext bit dependencies in cryptographic system. Master's Thesis, Department of Electrical , Queen's University, Ontario, 1985.

[108] J. Wolfmann. Bent functions and coding theory. Difference Set, Sequences and Their Correlation Properties, Kluwer Academic Publishers. Printed in Netherlands, Series C: Mathematical and Physical Sciences, 542:393-418, 1999.

[109] Y. Xian and B. Guo. Further enumeration Boolean functions of cryptographic significance. Journal of Cryptology, 8:115-122, 1995.

[110] G. Xiao and J. L. Massey. A spectral characterization of correlation-immune combining functions. IEEE Transactions on Information Theory, 34:3, May 1988.

[111] R. Yarlagadda and J. E. Hershey. Analysis and synthesis of bent sequences. IEE Proceedings, Vol 136 Pt. E. No.2:112-123, March 1989.

[112] R. Yarlagadda and J. E. Hershey. Analysis and synthesis of bent sequences. IEE Proc. (Part E), 136:112-123, Mar. 1989.

[113] X. Zhang and Y. Zheng. GAC - the criterion for global avalanche characteristics of cryptographic functions. Journal for Universal Computer Science, 1.5:316-333, 1995.

[114] X. Zhang and Y. Zheng. Auto-correlations and new bounds on the nonlinearity of Boolean functions. Advances in Cryptology - EUROCRYPT'96, Lecture Notes in Computer Science, Springer-Verlag, Berlin Heidelberg New York, 1070:294-306, 1996.

[115] X. Zhang and Y. Zheng. Characterizing the structures of cryptographic functions satisfying the propagation criterion for almost all vectors. Designs, Codes and Cryptography, 7(1/2):111-134, 1996. Special issue dedicated to Gus Simmons.

[116] X. Zhang and Y. Zheng. The nonhomomorphicity of Boolean functions. Selected Areas in Cryptography, 5th Annual International Workshop SAC'98, Lecture Notes in Computer Science, Springer-Verlag, Berlin Heidelberg New York Tokyo, 1556:280-295, 1999.

[117] X. Zhang, Y. Zheng, and H. Imai. Differential distribution and other properties of substitution boxes. Proceedings of JW-ISC'97, Session 1 /, pages 19-29, 1997.

[118] X. Zhang, Y. Zheng, and H. Imai. Connections between nonlinearity and restrictions, terms and hypergraphs of Boolean functions. ISIT, August 16-18:439, 1998.

[119] X. Zhang, Y. Zheng, and H. Imai. Relating differential distribution tables to other properties of substitution boxes. Designs, Codes and Cryptography, 19:45-63, 2000.

[120] Y. Zheng, J. Pieprzyk, and J. Seberry. HAVAL - a one-way hashing algorithm with variable length of output. Advances in Cryptology - AUSCRYPT'92, Lecture Notes in Computer Science, Springer-Verlag, Berlin Heidelberg New York Tokyo, In J. Seberry and Y. Zheng Editors:83-104, 1992.

[121] Y. Zheng and X. Zhang. The nonhomomorphicity of s-boxes. The 1st International Conference on Information Security and Cryptology, Proceedings of CISC'98, Seoul Korea, Dec.:131-145, 1998.

[122] Y. Zheng and X. Zhang. Plateaued functions. The Second International Conference on Information and Communication Security, ICICS'99, Lecture Notes in Computer Science, Springer-Verlag, Berlin Heidelberg New York, 1726:284-300, 1999.