
SCIENCE CHINA Information Sciences
. HIGHLIGHT .
March 2018, Vol. 61 038101:1–038101:3
doi: 10.1007/s11432-017-9123-2

Construction of rotation symmetric bent functions with maximum algebraic degree

Wenying ZHANG1* & Guoyong HAN1,2

1School of Information Science and Engineering, Shandong Normal University, Jinan 250014, China;
2School of Management Engineering, Shandong Jianzhu University, Jinan 250101, China

Received 22 May 2017/Accepted 2 June 2017/Published online 16 August 2017

Citation: Zhang W Y, Han G Y. Construction of rotation symmetric bent functions with maximum algebraic degree. Sci China Inf Sci, 2018, 61(3): 038101, doi: 10.1007/s11432-017-9123-2

* Corresponding author (email: [email protected])
The authors declare that they have no conflict of interest.
© Science China Press and Springer-Verlag Berlin Heidelberg 2017

Boolean functions that are invariant under the action of cyclic rotation on the inputs are called rotation symmetric functions [1]. Aside from their simple algebraic descriptions, rotation symmetric functions have implementation advantages in either hardware or software employing the bit-slicing technique, since they produce a shallow circuit with high parallelism, and hence high clock frequencies, without expending too many resources [2]. They have been widely applied in the design of symmetric ciphers. For example, both the S-box of block cipher AES and the round functions of hash functions MD4, MD5 and HAVAL are rotation symmetric functions. Moreover the round function in stream cipher Grain is the modification of a rotation symmetric bent function. The quadratic Boolean function $f_o(x) = x_1x_{m+1} + x_2x_{m+2} + \cdots + x_mx_{2m}$ is the first class of rotation symmetric bent functions [3].

Throughout this article, for $n = 2m$ we study the $n$-variable rotation symmetric bent functions. In the public literature, the main method of constructing new rotation symmetric bent functions is to modify $f_o(x)$ [4–6]. Up to now, only few constructions of rotation symmetric bent functions are known. In [7], Gao et al. proved that the cubic rotation symmetric function

$$f_t(x_0, \ldots, x_{2m-1}) = \sum_{i=1}^{2m-1} (x_i x_{t+i} x_{m+i} + x_i x_{t+i}) + \sum_{i=0}^{m-1} x_i x_{m+i}$$

is bent if and only if $\frac{m}{\gcd(m,t)}$ is odd, where $1 \leq t \leq m-1$ and the subscript of $x$ is modulo $2m$. This is the first theoretical construction of rotation symmetric bent functions with algebraic degree larger than 2. Later on, $2m$-variable rotation symmetric bent functions with algebraic degree 4, where $2m$ is not divisible by 4, were constructed from two known semi-bent rotation symmetric functions in $m$ variables with complementary Walsh supports [8].

Our result. We present a new construction of $2m = 6k, 8k, 14k$-variable rotation symmetric bent functions by modifying $f_o(x)$. We restrict the flipped vectors to be related with some affine subspaces of $GF(2)^m$, hence the constructed functions are from the Maiorana-McFarland bent Boolean functions. More significantly, the proposed $2m$-variable rotation symmetric bent functions can reach the maximum algebraic degree $m$, and our construction method can be generalized to construct many other rotation symmetric bent functions.

An $n$-variable Boolean function $f(x_1, \ldots, x_n)$ is a mapping from $GF(2)^n$ to $GF(2)$, which can be represented in a unique way as an $n$-variable polynomial whose degree relative to each variable is at most 1, called its algebraic normal form (ANF):

$$a_0 + \sum_{i=1}^{n} a_i x_i + \sum_{1 \leq i < j \leq n} a_{ij} x_i x_j + \cdots + a_{1 \cdots n} x_1 \cdots x_n.$$

Let $B_n$ denote the set of $n$-variable Boolean functions. The support of $f \in B_n$ is defined as $\mathrm{supp}(f) = \{(x_1, \ldots, x_n) : f(x_1, \ldots, x_n) = 1\}$. For a vector $x = (x_1, \ldots, x_n) \in GF(2)^n$, and an integer $l > 0$, we define the left $l$-cyclic shift operator $\rho_n^l$ as $l$-cyclic rotation on $x$:

$$\rho_n^l(x) = (\rho^l(x_1), \rho^l(x_2), \ldots, \rho^l(x_n)),$$

where $\rho^l(x_i) = x_{i+l}$, if $i + l \leq n$ and $\rho^l(x_i) = x_{i+l-n}$, if $i + l > n$. The orbit generated by $x = (x_1, x_2, \ldots, x_n) \in GF(2)^n$ is defined as $C_n(x) = \{x, \rho(x), \ldots, \rho^{n-1}(x)\}$. In other words, each orbit consists of all cyclic shifts of one vector in $GF(2)^n$.

Definition 1 ([9]). For $f \in B_n$, if $f(\rho_n^l(x)) = f(x)$ holds for all $x = (x_1, \ldots, x_n) \in GF(2)^n$ and $1 \leq l < n$, then $f$ is called a rotation symmetric Boolean function (RotS).

For instance, if $n = 4$ and $x_1x_2x_3$ is present in the ANF of a rotation symmetric function $f(x)$, then the terms $x_2x_3x_4$, $x_3x_4x_1$, $x_4x_1x_2$ must also be present in the ANF of $f(x)$.

We extend the definition of $\rho$ and orbit to monomials by $\rho^k(x_{i_1} \cdots x_{i_l}) = \rho^k(x_{i_1}) \cdots \rho^k(x_{i_l})$, and $G_n(x_{i_1} \cdots x_{i_l}) = \{\rho^k(x_{i_1} \cdots x_{i_l}) : \text{for } 1 \leq k \leq n\}$.

A RotS function $f(x_1, \ldots, x_n)$ can be written as

$$a_0 + a_1 x_1 + \sum_{1 < j \leq n} a_{1j} x_1 x_j + \cdots + a_{1 \cdots n} x_1 \cdots x_n,$$

where the coefficients $a_0, a_1, a_{1j}, \ldots, a_{1 \cdots n} \in GF(2)$, and the existence of a representative term $x_{i_1} x_{i_2} \cdots x_{i_l}$ implies the existence of all the terms from $G_n(x_{i_1} x_{i_2} \cdots x_{i_l})$ in the ANF. This representation of $f(x)$ is called the short algebraic normal form (SANF) [9]. As an example, let us consider the ANF of a 4-variable RotS Boolean function $x_1 + x_2 + x_3 + x_4 + x_1x_2x_3 + x_2x_3x_4 + x_3x_4x_1 + x_4x_1x_2$. Its SANF is $x_1 + x_1x_2x_3$.

The Walsh spectrum of $f(x)$ is the following real-valued function over $GF(2)^n$:

$$W_f(w) = \sum_{x \in GF(2)^n} (-1)^{f(x) + w \cdot x},$$

where $w = (w_1, \ldots, w_n)$ and $w \cdot x = w_1x_1 + \cdots + w_nx_n$. Let $n = 2m$ be even, $f(x) \in B_n$ is called bent if its Walsh spectrum satisfies: $|W_f(w)| = 2^m$ for all $w \in GF(2)^{2m}$.

Let $s, t, u, v, w, x, y, z, \delta, \Delta$ be the binary vectors, and $A, B, \Omega, \Gamma, \Lambda, \Upsilon, \Phi$ be the sets of binary vectors.

Theorem 1. Let $t = (t_1, t_2, \ldots, t_{4k})$, $\delta = (0011 \cdots 0011) \in GF(2)^{4k}$. Denote the solutions of $t_1 + t_2 + \cdots + t_{4k} = 0$ by $A$, let $B = GF(2)^{4k} \setminus A$, $S_1 = \{(t, t + \delta) \mid t \in A\}$, $S_2 = \{(t, t + 0110 \cdots 0110) \mid t \in A\}$, $S_3 = \{(t, t + 1100 \cdots 1100) \mid t \in A\}$, $S_4 = \{(t, t + 1001 \cdots 1001) \mid t \in B\}$. Let $\Omega = S_1 \cup S_2 \cup S_3 \cup S_4$. Then

$$f(x, y) = \begin{cases} f_o(x, y) + 1, & (x, y) \in \Omega; \\ f_o(x, y), & (x, y) \in GF(2)^{8k} \setminus \Omega \end{cases}$$

is a rotation symmetric bent function.

Theorem 2. Let $A, B, \delta$ be defined as in Theorem 1. Let $T_1 = \{(x, x + \delta) \mid x \in B\}$, $T_2 = \{(x, x + 0110 \cdots 0110) \mid x \in B\}$, $T_3 = \{(x, x + 1100 \cdots 1100) \mid x \in B\}$, $T_4 = \{(x, x + 1001 \cdots 1001) \mid x \in A\}$. Let $\Upsilon = T_1 \cup T_2 \cup T_3 \cup T_4$. Define

$$f(x, y) = \begin{cases} f_o(x, y) + 1, & (x, y) \in \Upsilon; \\ f_o(x, y), & (x, y) \in GF(2)^{8k} \setminus \Upsilon. \end{cases}$$

Then $f(x, y)$ is a rotation symmetric bent function.

Example 1. For $k = 1$, $n = 8$, let $\Lambda = C_8(00000011, 11111100, 01100101, 11010100)$. Substituting the orbits of $(00000011)$, $(11111100)$ for the orbits of $(01100101)$, $(11010100) \in \mathrm{supp}(f_o)$. Define

$$f(x, y) = \begin{cases} f_o(x, y) + 1, & (x, y) \in \Lambda; \\ f_o(x, y), & \text{otherwise.} \end{cases}$$

Then $f(x, y)$ is a rotation symmetric bent function. The SANF for $f(x)$ is $x_1x_2 + x_1x_5 + x_1x_2x_4 + x_1x_2x_5 + x_1x_3x_4 + x_1x_4x_5 + x_1x_2x_3x_4 + x_1x_3x_4x_6$, where $\delta = 0011$, $t_1 + t_2 + t_3 + t_4 = 0$, $t = (t_1, t_2, t_3, t_4) \in \{(0000), (1111), (0110)\}$.

Theorem 3. Let $n = 6k$, $\delta = 001001 \cdots 001$, $\Delta = 011011 \cdots 011 \in GF(2)^{3k}$ be vectors with period 3, $s = (s_1, \ldots, s_{3k})$, $s_1 + s_4 + \cdots + s_{3i+1} + \cdots + s_{3k-2} = 0$, $i = 0, 1, \cdots, k-1$, $t = (t_1, t_2, \ldots, t_{3k}) \in GF(2)^{3k}$, $t_1 + t_2 + \cdots + t_{3k} = 0$. Construct $Z = \{z \mid z = (s, s + \delta) \in GF(2)^{6k}\}$, $U = \{u \mid u = (t, t + \Delta) \in GF(2)^{6k}\}$, and get all vectors of their left rotation. Let $C(Z) = \bigcup_{z \in Z} C_{6k}(z)$, $C(U) = \bigcup_{u \in U} C_{6k}(u)$, $\Gamma = C(Z) \cup C(U)$. Then

$$f(x, y) = \begin{cases} f_o(x, y) + 1, & (x, y) \in \Gamma; \\ f_o(x, y), & \text{otherwise} \end{cases}$$

is a rotation symmetric bent function.

Theorem 4. Let $n = 14k$, $\delta = 0000111 \cdots 0000111$, $\Delta = 0001111 \cdots 0001111 \in GF(2)^{7k}$ be vectors with period 7, $s = (s_1, s_2, \ldots, s_{7k})$, $s_1 + s_8 + \cdots + s_{7k-6} = 0$, $t = (t_1, t_2, \ldots, t_{7k}) \in GF(2)^{7k}$, $t_1 + t_2 + \cdots + t_{7k} = 0$. Construct $Z = \{z \mid z = (s, s + \delta) \in GF(2)^{14k}\}$, $U = \{u \mid u = (t, t + \Delta) \in GF(2)^{14k}\}$, and get all vectors of their left rotation. Let $C(Z) = \bigcup_{z \in Z} C_{14k}(z)$, $C(U) = \bigcup_{u \in U} C_{14k}(u)$, $\Phi = C(Z) \cup C(U)$. Define

$$f(x, y) = \begin{cases} f_o(x, y) + 1, & (x, y) \in \Phi; \\ \ldots \end{cases}$$

... first halves of the flipped vectors form an affine subspace of $GF(2)^{n/2}$. The number of such functions can be enumerated by counting the number of $\delta$, we skip it to make this article more compact.
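The following check of Theorem 1 and Example 1 for k = 1 (n = 8) is an added example, not code from the paper: it builds Ω from the four shifted slices, compares it with the orbit set Λ of Example 1, and tests bentness through the Walsh spectrum, rotation symmetry, and algebraic degree. The function names and the bit-tuple encoding of vectors are choices made for this example.

```python
from itertools import product

N, M = 8, 4  # n = 8k with k = 1, m = n/2
VECTORS = list(product((0, 1), repeat=N))

def rot(v):                      # left 1-cyclic shift of a bit tuple
    return v[1:] + v[:1]

def orbit(v):                    # C_n(v): all cyclic shifts of v
    return {v[l:] + v[:l] for l in range(len(v))}

def f_o(v):                      # f_o(x, y) = x1*y1 + ... + xm*ym over GF(2)
    return sum(v[i] & v[i + M] for i in range(M)) % 2

def build_omega():               # Omega = S1 u S2 u S3 u S4 of Theorem 1, k = 1
    shifts = [("0011", 0), ("0110", 0), ("1100", 0), ("1001", 1)]  # 0: t in A, 1: t in B
    omega = set()
    for d, parity in shifts:
        for t in product((0, 1), repeat=M):
            if sum(t) % 2 == parity:
                omega.add(t + tuple(a ^ int(b) for a, b in zip(t, d)))
    return omega

OMEGA = build_omega()
LAMBDA = set().union(*(orbit(tuple(map(int, s))) for s in
                       ("00000011", "11111100", "01100101", "11010100")))  # Example 1

def f(v):                        # f = f_o + 1 on Omega, f_o elsewhere
    return f_o(v) ^ int(v in OMEGA)

def butterfly(a, op):            # loop shared by the Walsh-Hadamard and Moebius transforms
    h = 1
    while h < len(a):
        for i in range(0, len(a), 2 * h):
            for j in range(i, i + h):
                a[j], a[j + h] = op(a[j], a[j + h])
        h *= 2
    return a

def is_bent(func):               # |W_f(w)| = 2^m for every w
    w = butterfly([1 - 2 * func(v) for v in VECTORS], lambda p, q: (p + q, p - q))
    return all(abs(c) == 2 ** M for c in w)

def degree(func):                # largest monomial size with a nonzero ANF coefficient
    anf = butterfly([func(v) for v in VECTORS], lambda p, q: (p, p ^ q))
    return max(bin(i).count("1") for i, c in enumerate(anf) if c)

def is_rots(func):               # invariance under one shift implies invariance under all
    return all(func(rot(v)) == func(v) for v in VECTORS)
```

For k = 1 the set Ω has 32 elements and coincides with Λ, so the same function serves as a check of both statements; its degree 4 equals m.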