
2013 8th International Conference on Communications and Networking in China (CHINACOM), Guilin, China, 2013.08.14-2013.08.16. 978-1-4799-1406-7 © 2013 IEEE.


On upper bounds on algebraic immunity of some $PS_{ap}$ and Niho bent functions

Sugata Gangopadhyay 1, Enes Pasalic 2 and Brajesh Kumar Singh 3

1 Department of Mathematics, Indian Institute of Technology Roorkee, INDIA, [email protected]
2 University of Primorska, FAMNIT & IAM, Koper, SLOVENIA, [email protected]
3 Department of Mathematics, School of Allied Sciences, Graphic Era Hill University, Dehradun, INDIA, [email protected]

Abstract—In this paper we obtain nontrivial upper bounds on algebraic immunity of Boolean bent functions belonging to a subclass of $PS_{ap}$ and another of Niho bent functions. Some recent results indicate the existence of bent functions in $PS_{ap}$ having maximum algebraic immunity. On the contrary, we identify a class of bent functions in $PS_{ap}$, having monomial trace representation, which cannot have maximum algebraic immunity when the number of input variables $n \geq 16$. We also consider a class of Niho bent functions having two terms in their trace representation and obtain an upper bound on their algebraic immunity which is again not optimal.

Keywords: Boolean function, bent function, algebraic immunity, partial spreads, Niho bent.

I. INTRODUCTION

Bent functions are well-known combinatorial objects which were introduced by Rothaus [23] and later extensively studied in many articles, e.g. [3], [5], [6], [14], [15]. Even though this class of Boolean functions (only defined for an even number of input variables) achieves the highest possible nonlinearity, they are not suitable for direct cryptographic use due to their statistical bias. More precisely, assuming that the inputs of a bent Boolean function $f : \mathbb{F}_2^{2m} \to \mathbb{F}_2$ are independent random binary variables, the function $f$ will in general generate more zeros than ones (or vice versa), which implies a certain statistical weakness if such a function is used in some standard cryptographic applications.

Nevertheless, the classification of bent functions has been an extremely dynamic research area for more than twenty years, see e.g. [6], [15]. Quite recently, a series of construction methods for Boolean functions fulfilling several cryptographic criteria, based on some modifications of a certain class of bent functions known as partial spreads [14], have been proposed, see e.g. [28], [25]. The main idea of these constructions is to use a particular subclass of functions from the partial spread class of bent functions and to suitably extend its support set (the domain set), which gives rise to some new classes of Boolean functions resistant to various cryptanalytic methods. These classes of functions in particular possess an optimal resistance to standard algebraic cryptanalysis (possibly not to fast algebraic cryptanalysis) and this property is closely related to the algebraic properties of the bent function used in the construction.

In connection to the above discussion it is both of theoretical and of practical importance to classify bent functions in terms of their algebraic properties. Even though certain functions in the partial spread class are characterized with the maximum resistance to algebraic cryptanalysis [25] we show that this is not true for the whole class. We identify some subclasses of this particular class of bent functions for which the algebraic immunity (as a measure of resistance to algebraic cryptanalysis) is not optimal. Furthermore, we also show that a class of Niho bent functions having two terms in their trace representation does not have a maximal algebraic immunity and we obtain an upper bound on the algebraic immunity for both classes.

The rest of this paper is organized as follows. In Section II some basic definitions and notions are introduced. Section III introduces the $PS_{ap}$ class of bent functions and monomial trace bent functions contained in this class. It is shown that these monomial trace functions do not have maximal algebraic immunity in general. In Section IV an upper bound on algebraic immunity for Niho bent functions with binomial trace representations is derived, and the conclusion is that this class does not have maximal algebraic immunity either. Some concluding remarks are given in Section V.

II. PRELIMINARIES

Let $\mathbb{F}_{2^n}$ be the finite field consisting of $2^n$ elements. The group of units of $\mathbb{F}_{2^n}$, denoted by $\mathbb{F}_{2^n}^*$, is a cyclic group consisting of $2^n - 1$ elements. An element $\alpha \in \mathbb{F}_{2^n}$ is said to be a primitive element if it is a generator of the multiplicative group $\mathbb{F}_{2^n}^*$. Any function from $\mathbb{F}_{2^n}$ to $\mathbb{F}_2$ is said to be a Boolean function on $n$ variables. The set of all Boolean functions on $n$ variables is denoted by $B_n$. Let $\mathbb{Z}$ and $\mathbb{Z}_q$, where $q$ is a positive integer, denote the ring of integers and


integers modulo $q$, respectively. A cyclotomic coset modulo $2^n - 1$ of $s \in \mathbb{Z}$ is defined as [19, page 104]

$$C_s = \{s, s2, s2^2, \ldots, s2^{n_s-1}\}, \tag{1}$$

where $n_s$ is the smallest positive integer such that $s \equiv s2^{n_s} \pmod{2^n - 1}$. It is a convention to choose the subscript $s$ to be the smallest integer in $C_s$ and refer to it as the coset leader of $C_s$, and $n_s$ is the size of the cyclotomic coset $C_s$. The trace function $\mathrm{Tr}_1^n : \mathbb{F}_{2^n} \to \mathbb{F}_2$ is defined as

$$\mathrm{Tr}_1^n(x) = x + x^2 + x^{2^2} + \ldots + x^{2^{n-1}}, \quad \text{for all } x \in \mathbb{F}_{2^n}. \tag{2}$$

The trace representation [17] of any function $f \in B_n$ is

$$f(x) = \sum_{k \in \Gamma(n)} \mathrm{Tr}_1^{n_k}(A_k x^k) + A_{2^n-1} x^{2^n-1}, \quad \text{for all } x \in \mathbb{F}_{2^n}, \tag{3}$$

where $\Gamma(n)$ is the set of all coset leaders modulo $2^n - 1$ and $A_k \in \mathbb{F}_{2^{n_k}}$, $A_{2^n-1} \in \mathbb{F}_2$, for all $k \in \Gamma(n)$. A Boolean function is said to be a monomial trace function or said to have a monomial trace representation if its trace representation consists of only one trace term. The binary representation of an integer $d \in \mathbb{Z}$ is

$$d = d_{m-1}2^{m-1} + d_{m-2}2^{m-2} + \ldots + d_1 2 + d_0, \tag{4}$$

where $m$ is a positive integer and $d_0, d_1, \ldots, d_{m-1} \in \{0, 1\}$. Once the order in which the exponents of 2 appear in (4) is fixed, the finite sequence $(d_{m-1}, \ldots, d_0)$ (often written simply as $d_{m-1}d_{m-2} \ldots d_0$) is referred to as the binary representation of $d$. The Hamming weight of $d$ is $w_H(d) = \sum_{i=0}^{m-1} d_i$, where the sum is over $\mathbb{Z}$. The algebraic degree, denoted by $\deg(f)$, of $f \in B_n$, as represented in (3), is the largest positive integer $w$ for which $w_H(k) = w$ and $A_k \neq 0$. Given any two Boolean functions $f, g \in B_n$, the Hamming distance of $f$ and $g$ is $d(f, g) = |\{x \in \mathbb{F}_{2^n} : f(x) \neq g(x)\}|$, where $|S|$ is the cardinality of any set $S$. The support of a Boolean function $f \in B_n$ is $\mathrm{supp}(f) = \{x \in \mathbb{F}_{2^n} : f(x) \neq 0\}$. The weight of $f$ is $w_H(f) = |\mathrm{supp}(f)|$.

The Walsh–Hadamard transform of a Boolean function $f \in B_n$ at $\lambda \in \mathbb{F}_{2^n}$ is defined by

$$W_f(\lambda) = \sum_{x \in \mathbb{F}_{2^n}} (-1)^{f(x) + \mathrm{Tr}_1^n(\lambda x)}. \tag{5}$$

The multiset

$$\{W_f(\lambda) : \lambda \in \mathbb{F}_{2^n}\} \tag{6}$$

is said to be the Walsh–Hadamard spectrum of the Boolean function $f$. It is known that the Walsh–Hadamard spectrum of $f \in B_n$ satisfies Parseval's identity

$$\sum_{\lambda \in \mathbb{F}_{2^n}} W_f^2(\lambda) = 2^{2n}. \tag{7}$$

For any even positive integer $n = 2m \in \mathbb{Z}$, there exist Boolean functions with a "flat" Walsh–Hadamard spectrum. These functions are said to be bent functions and, as a consequence of (7), a function $f \in B_n$, where $n = 2m$, is bent if and only if $|W_f(\lambda)| = 2^m$ for all $\lambda \in \mathbb{F}_{2^n}$. It is known that the bent functions provide maximum resistance to linear approximations and therefore play a major role in the construction of cryptographic Boolean functions. The dual, $\tilde{f}$, of a bent function $f \in B_{2m}$ is again a bent function defined by $W_f(x) = (-1)^{\tilde{f}(x)} 2^m$ for all $x \in \mathbb{F}_{2^{2m}}$.

A Boolean function $g \in B_n$ is said to be an annihilator of $f \in B_n$ if and only if $g$ is not identically zero and $g(x)f(x) = 0$ for all $x \in \mathbb{F}_{2^n}$ ($g \neq 0$ and $gf = 0$, in short). We denote by $\mathcal{AN}(f)$ the set of all annihilators of $f \in B_n$, that is

$$\mathcal{AN}(f) = \{g \in B_n : g \neq 0, \ gf = 0\}.$$

Let $\bar{f}$ denote the complement of the function $f$.

Definition 1: The algebraic immunity, $\mathrm{AI}(f)$, of $f \in B_n$ is defined as

$$\mathrm{AI}(f) = \min\{\deg(g) : g \in \mathcal{AN}(f) \cup \mathcal{AN}(\bar{f})\}.$$

For a description of the algebraic attack on stream ciphers and techniques of construction of functions resistant to algebraic attack, along with the papers whose results have been directly used, we refer to [1], [2], [8], [9], [10], [12], [13], [18], [22]. For a detailed study of cryptographic Boolean functions we refer to [4], [24].

Suppose $gf = h$ where $\deg(g)$ and $\deg(h)$ both are at most $d$, and $g \neq h$. Then by [20, Proposition 1] $f$ has an annihilator with algebraic degree at most $d$ and hence $\mathrm{AI}(f) \leq d$. Since $f\bar{f} = 0$, it is trivial that $\mathrm{AI}(f) \leq \deg(f)$.

Proposition 2 ([9], Theorem 6.0.1): Let $f$ be any Boolean function with $n$ inputs. Then there is a Boolean function $g \neq 0$ of degree at most $\lceil n/2 \rceil$ such that $gf$ is of degree at most $\lceil n/2 \rceil$. Thus, for any $f \in B_n$,

$$\mathrm{AI}(f) \leq \min\left\{\deg(f), \left\lceil \frac{n}{2} \right\rceil\right\}. \tag{8}$$

The following propositions due to Nawaz, Gong and Gupta [21], extensively used in this paper, provide techniques of obtaining upper bounds on algebraic immunities of Boolean functions when they are expressed using the trace representation.

Proposition 3 ([21], Proposition 1): Let $f(x) = \mathrm{Tr}_1^n(\beta x^t)$ and $g(x) = \mathrm{Tr}_1^{m'}(\gamma x^r)$ be monomial trace functions, where $x \in \mathbb{F}_{2^n}$, and $t$, $r$ are the coset leaders of the cosets $C_t$, $C_r$ respectively. The sizes of the cosets $C_t$ and $C_r$ are $n$ and $m'$, respectively, where $m' | n$, and $\beta \in \mathbb{F}_{2^n}$, $\gamma \in \mathbb{F}_{2^{m'}}$. Then

$$\deg(gf) = \max_{0 \leq i < m'} w_H(r + t2^{-i}).$$

Since $(gf)\bar{f} = 0$, this implies that $gf = h \in \mathcal{AN}(\bar{f})$, therefore,

$$\mathrm{AI}(f) \leq \deg(gf) = \max_{0 \leq i < m'} w_H(r + t2^{-i}).$$

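Proposition 4 ([21], Theorem 1): Let $l = \lfloor \sqrt{n} \rfloor$, $k = n - \lfloor \frac{n}{l} \rfloor l$ and $f(x) = \mathrm{Tr}_1^n(\beta x^t)$, where $\beta \in \mathbb{F}_{2^n}$ and $t$ is the coset leader of $C_t$. Let $g(x) = \mathrm{Tr}_1^{m'}(x^r)$, where

$$m' = \begin{cases} l, & \text{if } k = 0, \\ n, & \text{if } 0 < k < l, \end{cases}
\qquad \text{and} \qquad
r = \begin{cases} 1 + \sum_{i=1}^{\frac{n}{l}-1} 2^{il}, & \text{if } k = 0, \\ 1 + 2^k + \sum_{i=1}^{\lfloor \frac{n}{l} \rfloor - 1} 2^{il+k}, & \text{if } 0 < k < l. \end{cases}$$

Then

$$\deg(fg) \leq ul + \left\lceil \frac{n}{l} \right\rceil - 1, \tag{9}$$

where $u$ is the number of runs of 1's in the binary representation of $t$.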


III. ALGEBRAIC IMMUNITY OF BENT FUNCTIONS IN $PS_{ap}$

Throughout this section $n = 2m$. The partial spreads ($PS$) class of bent functions has been introduced by Dillon [14], and the properties of this class have been studied in many recent works. This class is divided into two subclasses called $PS^-$ and $PS^+$ depending on the sizes of the supports of the functions. Any function $f \in B_{2m}$ in the $PS^-$ class is obtained by defining its support as a collection of $2^{m-1}$ "disjoint" $m$-dimensional subspaces of $\mathbb{F}_2^{2m}$ with the additive identity $0 \in \mathbb{F}_2^{2m}$ discarded, where "disjoint" means that any pair of these subspaces intersects only in 0. In a similar way, a function in the $PS^+$ class is constructed by selecting $2^{m-1} + 1$ "disjoint" $m$-dimensional subspaces of $\mathbb{F}_2^{2m}$ (with the $0 \in \mathbb{F}_2^{2m}$ included).

There are some fundamental differences between the two subclasses. Whereas the degree of any function $f \in B_{2m}$ in $PS^-$ is always equal to $m$, this is not the case for functions in $PS^+$ whose degrees may be less than $m$, see e.g. [14], [26]. Furthermore, depending on the choices of these $m$-dimensional subspaces it might be the case that the support of a bent function $f$ in $PS^-$ (or in $PS^+$) is such that $f$ is not in $PS^+$ (or in $PS^-$).

The algebraic representation of the bent functions in the $PS$ class appears to be hard. Dillon [14] exhibits one explicit representation of a subclass of $PS^-$, denoted by $PS_{ap}$, consisting of functions defined as follows:

$$f : \mathbb{F}_{2^m} \times \mathbb{F}_{2^m} \to \mathbb{F}_2, \qquad f(x, y) = g(xy^{2^m-2}), \quad x, y \in \mathbb{F}_{2^m}, \tag{10}$$

where $g \in B_m$ is any balanced Boolean function such that $g(0) = 0$. It was shown [25] that the selection of the support of $g$ is of great importance. Indeed, if we consider a balanced $g : \mathbb{F}_{2^m} \to \mathbb{F}_2$ defined by

$$\mathrm{supp}(g) = \{\alpha^s, \alpha^{s+1}, \ldots, \alpha^{s+2^{m-1}-1}\}, \tag{11}$$

for some integer $s \geq 0$ and a primitive element $\alpha \in \mathbb{F}_{2^m}$, then $\mathrm{AI}(f) = m$ [25]. The result was proved using the famous BCH bound and the so-called conjecture on binary strings which has been proved quite recently [11]. A natural question is whether there exist $n$-variable functions in $PS_{ap}$ having algebraic immunity less than $m$. We answer this in the affirmative by considering a subclass of functions having monomial trace representations in $PS_{ap}$.
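The following Python sketch is an added example, not code from the paper: it builds the $PS_{ap}$ function (10) with the support (11) for $m = 3$, checks bentness through the Walsh–Hadamard spectrum of Section II, and computes the algebraic immunity of Definition 1 by brute-force linear algebra over $\mathbb{F}_2$. The field representation $\mathbb{F}_8 = \mathbb{F}_2[x]/(x^3 + x + 1)$ with $\alpha = x$, the bit-vector dot product used in place of $\mathrm{Tr}(\lambda x)$, and all function names are assumptions of the example.

```python
# Added example (not from the paper): PS_ap function (10) with support (11), m = 3.
M = 3                      # f has n = 2m = 6 input bits
N = 2 * M
POLY = 0b1011              # assumed modulus x^3 + x + 1 (primitive over F_2)
ALPHA = 0b010              # class of x, a primitive element of F_8

def gf_mul(a, b):
    """Multiply two elements of F_{2^M} = F_2[x]/(POLY)."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        b >>= 1
        a <<= 1
        if a >> M:          # degree reached M: reduce
            a ^= POLY
    return p

def gf_pow(a, e):
    r = 1
    for _ in range(e):
        r = gf_mul(r, a)
    return r

def psap_truth_table(s=0):
    """Truth table of f(x, y) = g(x * y^(2^M - 2)), indexed by v = (x << M) | y."""
    supp_g = {gf_pow(ALPHA, s + j) for j in range(1 << (M - 1))}   # eq. (11)
    tt = []
    for v in range(1 << N):
        x, y = v >> M, v & ((1 << M) - 1)
        z = gf_mul(x, gf_pow(y, (1 << M) - 2))   # x / y, with 1/0 read as 0
        tt.append(1 if z in supp_g else 0)
    return tt

def walsh_spectrum(tt):
    """W_f(a) = sum_v (-1)^(f(v) + <a, v>).

    The dot product <a, v> replaces Tr(lambda x); both are non-degenerate
    bilinear forms, so the multiset of spectrum values is the same.
    """
    pts = range(len(tt))
    return [sum(-1 if tt[v] ^ (bin(a & v).count("1") & 1) else 1 for v in pts)
            for a in pts]

def algebraic_degree(tt):
    """Degree of the algebraic normal form (binary Moebius transform)."""
    anf = list(tt)
    for i in range(N):
        for v in range(1 << N):
            if (v >> i) & 1:
                anf[v] ^= anf[v ^ (1 << i)]
    return max((bin(u).count("1") for u, c in enumerate(anf) if c), default=0)

def gf2_rank(rows):
    """Rank over F_2 of rows stored as integer bit masks."""
    pivots = {}
    for r in rows:
        while r:
            h = r.bit_length() - 1
            if h not in pivots:
                pivots[h] = r
                break
            r ^= pivots[h]
    return len(pivots)

def has_annihilator(points, d):
    """True if a nonzero function of degree <= d vanishes on every point."""
    monos = [u for u in range(1 << N) if bin(u).count("1") <= d]
    rows = [sum(1 << j for j, u in enumerate(monos) if (u & v) == u) for v in points]
    return gf2_rank(rows) < len(monos)

def algebraic_immunity(tt):
    """min deg(g) over nonzero annihilators g of f or of its complement."""
    ones = [v for v, b in enumerate(tt) if b]
    zeros = [v for v, b in enumerate(tt) if not b]
    for d in range(N + 1):
        if has_annihilator(ones, d) or has_annihilator(zeros, d):
            return d

if __name__ == "__main__":
    f = psap_truth_table()
    print("weight:", sum(f))
    print("|W_f| values:", sorted({abs(w) for w in walsh_spectrum(f)}))
    print("deg(f):", algebraic_degree(f), " AI(f):", algebraic_immunity(f))
```

For $m = 3$ the function has weight $2^{m-1}(2^m - 1) = 28$, a flat spectrum $|W_f| = 8$, and $\mathrm{AI}(f) = \deg(f) = m = 3$, the optimal case that the rest of this section contrasts with the monomial trace subclass.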

Another interesting class of bent functions known as hyperbent functions (closely related to the class $PS_{ap}$) was introduced in [27] and later analyzed in [7]. A bent function $f \in B_n$ is said to be hyperbent if $f(x^k)$ remains bent for any $k$ coprime to $2^n - 1$. It is proved in [27] that any function in $PS_{ap}$ is hyperbent. It is further noted [16, Theorem 2], [27] that any function in $PS_{ap}$ can be written as

$$f(x) = \sum_{a(2^m-1) \in \Gamma(n)} \mathrm{Tr}_1^{s_{a(2^m-1)}}(\beta_a x^{a(2^m-1)}), \tag{12}$$

where $\beta_a \in \mathbb{F}_{2^{s_{a(2^m-1)}}}$. If $f \in B_n$ is a $PS_{ap}$ bent function having exactly one trace term when represented as in (12), then we refer to $f$ as a $PS_{ap}$ bent function having monomial trace representation. We restrict ourselves to a class of possible hyperbent functions [7], [27] defined as follows.

Definition 5: Let $R$ be a set of representatives of the cyclotomic cosets modulo $2^m + 1$ for which each coset has the full size $n = 2m$. Define the Boolean functions on $\mathbb{F}_{2^n}$ as

$$f(x) = \sum_{r \in E} \mathrm{Tr}_1^n(\beta_r x^{r(2^m-1)}), \quad E \subseteq R, \ \beta_r \in \mathbb{F}_{2^n}. \tag{13}$$

It is known from [5], [16] that functions written in the above form are $PS_{ap}$ bent if they are bent. We prove that the monomial trace functions of this form cannot have maximum algebraic immunity.

Let $l = \lfloor \sqrt{n} \rfloor$. Given a segment of a finite binary sequence, an overbrace $\overbrace{\cdots}$ is used to indicate the length of the segment (i.e., the number of 0's and 1's present in the segment), whereas an underbrace $\underbrace{\cdots}$ is used to indicate the weight of the segment (i.e., the number of 1's in the segment). Let $f_{\lambda,d} \in B_n$ be a monomial trace Boolean function defined as

$$f_{\lambda,d}(x) = \mathrm{Tr}_1^n(\lambda x^d) \quad \text{for all } x \in \mathbb{F}_{2^n}, \tag{14}$$

where $\lambda \in \mathbb{F}_{2^n}^*$. The algebraic degree of $f$ is $\deg(f_{\lambda,d}) = w_H(d)$. If $d = 2^{n-i} - 1$, then $\deg(f_{\lambda,d}) = n - i$ for all $i = 1, \ldots, n - 1$. Therefore if $f$ is in $PS_{ap}$ having monomial trace representation then $d = 2^{n - \frac{n}{2}} - 1 = 2^m - 1$.

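Theorem 6: Let $f_{\lambda,d}(x) = \mathrm{Tr}_1^n(\lambda x^d)$, where $\lambda \in \mathbb{F}_{2^n}^*$ and $d = 2^{n-i} - 1$ such that $1 \leq i \leq n - 1$. Then

$$\mathrm{AI}(f_{\lambda,d}) \leq l + \left\lceil \frac{n}{l} \right\rceil - 1, \tag{15}$$

where $l = \lfloor \sqrt{n} \rfloor$.

Proof: We have $d = 2^{n-i} - 1 = \sum_{j=1}^{n-i} 2^{n-i-j}$. Therefore, the binary representation of $d$ is $\overbrace{000 \ldots 0}^{i}\,\overbrace{111 \ldots 1}^{n-i}$, which has a single run of 1's (i.e., $u = 1$ as in Equation (9)). Using Proposition 4 we have

$$\mathrm{AI}(f_{\lambda,d}) \leq l + \left\lceil \frac{n}{l} \right\rceil - 1. \tag{16}$$

Corollary 7: Let $f_{\lambda,d}(x) = \mathrm{Tr}_1^n(\lambda x^{2^m-1})$, then

$$\mathrm{AI}(f_{\lambda,d}) \leq l + \left\lceil \frac{n}{l} \right\rceil - 1.$$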

In Table I we list upper bounds on algebraic immunity deduced from these results.

TABLE I. UPPER BOUNDS ON ALGEBRAIC IMMUNITY FOR MONOMIAL BENT FUNCTIONS IN $PS_{ap}$.

| $n$ | $\deg(f)$ | $\lceil n/2 \rceil$ | bounds in Theorem 7 |
|-----|-----------|---------------------|---------------------|
| 16  | 8         | 8                   | 7                   |
| 36  | 18        | 18                  | 11                  |
| 48  | 24        | 24                  | 13                  |
| 100 | 50        | 50                  | 19                  |
| 144 | 72        | 72                  | 23                  |
| 196 | 98        | 98                  | 27                  |

In [7] functions of the form

$$f_{\lambda,r(2^m-1)}(x) = \mathrm{Tr}_1^n(\lambda x^{r(2^m-1)}) \quad (\text{with } \gcd(r, 2^m + 1) = 1)$$

were considered and it was proved that $f_{\lambda,r(2^m-1)}$ is bent if and only if $f_{\lambda,(2^m-1)}$ is bent. As a consequence of the above discussion and Corollary 7 we have the following result.


Proposition 8: The function

$$f_{\lambda,r(2^m-1)}(x) = \mathrm{Tr}_1^n(\lambda x^{r(2^m-1)}),$$

where $\gcd(r, 2^m + 1) = 1$, does not have the maximum algebraic immunity for $n \geq 16$.

Thus, the monomial trace functions of the form (13) in general do not have maximum algebraic immunity.

Finally, we identify a value of $d$ for which the upper bound of the algebraic immunity of the functions of the form $f_{\lambda,d}$ is lower than the one obtained in Theorem 6.

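Theorem 9: Suppose $l = \lfloor \sqrt{n} \rfloor$ with $l | n$, and $e$ is a positive integer with $l | e$. Then

$$\mathrm{AI}(f_{\lambda,d}) \leq l + \frac{n}{l} - 2,$$

where $\lambda \in \mathbb{F}_{2^n}^*$ and $d = 2^{e-1} - 1$.

Proof: Since $l | n$, $k = n - \lfloor \frac{n}{l} \rfloor l = 0$. By Lemma 4, take $r = 1 + \sum_{i=1}^{\frac{n}{l}-1} 2^{il}$. We consider the binary representations of $d = 2^{e-1} - 1$ and $r$.

$$\begin{array}{rcl}
d &=& \overbrace{\overbrace{000 \ldots 0}^{l} \; \ldots \; \overbrace{000 \ldots 0}^{l}}^{n-e} \;\; \overbrace{\overbrace{011 \ldots 1}^{l} \; \ldots \; \overbrace{111 \ldots 1}^{l}}^{e} \\
r &=& 000 \ldots 1 \; \ldots \; 000 \ldots 1 \;\; 000 \ldots 1 \; \ldots \; 000 \ldots 1 \\
r + d &=& \underbrace{000 \ldots 1}_{1} \; \ldots \; \underbrace{00 \ldots 01}_{1} \;\; \underbrace{100 \ldots 1}_{2} \; \ldots \; \underbrace{000 \ldots 0}_{0}
\end{array}$$

Thus $w_H(r + d) = \frac{n}{l}$. We observe that $w_H(r + d2^{-i})$ is maximized if $i = l - 1$,

$$\begin{array}{rcl}
d2^{-(l-1)} &=& \overbrace{11 \ldots 10}^{l} \; \ldots \; \overbrace{000 \ldots 0}^{l} \;\; \overbrace{111 \ldots 1}^{l} \; \ldots \; \overbrace{111 \ldots 1}^{l} \\
r &=& 00 \ldots 01 \; \ldots \; 000 \ldots 1 \;\; 000 \ldots 1 \; \ldots \; 000 \ldots 1 \\
r + d2^{-(l-1)} &=& \underbrace{11 \ldots 11}_{l} \; \ldots \; \underbrace{00 \ldots 10}_{1} \;\; \underbrace{000 \ldots 1}_{1} \; \ldots \; \underbrace{000 \ldots 0}_{0}
\end{array}$$

Using Proposition 3 we have

$$\mathrm{AI}(f_{\lambda,d}) \leq \max_{0 \leq i < l} w_H(r + d2^{-i}) = w_H(r + d2^{-(l-1)}) = l + \frac{n}{l} - 2.$$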
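The computation behind Table I and Theorem 9, as an added Python example that is not code from the paper: it builds the multiplier exponent $r$ of Proposition 4, evaluates $\max_i w_H(r + t2^{-i})$ from Proposition 3 with exponent arithmetic modulo $2^n - 1$, and compares the result with bound (9). Function names are assumptions of the example, and the Theorem 9 check covers only the instances $n = 16, e = 8$ and $n = 36, e = 18$.

```python
# Added example (not from the paper): Propositions 3 and 4 evaluated numerically.
from math import isqrt


def weight(x):
    """Hamming weight w_H of a non-negative integer."""
    return bin(x).count("1")


def shift_exponent(t, i, n):
    """t * 2^(-i) mod (2^n - 1): cyclic right shift of the n-bit string of t."""
    i %= n
    return ((t >> i) | (t << (n - i))) & ((1 << n) - 1)


def add_exponents(a, b, n):
    """Exponent of x^a * x^b on F_{2^n}, reduced via x^(2^n) = x.

    A nonzero multiple of 2^n - 1 stays 2^n - 1 (x^(2^n - 1) has degree n).
    """
    mask = (1 << n) - 1
    s = a + b
    while s > mask:
        s = (s & mask) + (s >> n)
    return s


def multiplier(n):
    """(r, m') from Proposition 4, with l = floor(sqrt(n)), k = n - floor(n/l) * l."""
    l = isqrt(n)
    q, k = divmod(n, l)
    if k == 0:
        return sum(1 << (i * l) for i in range(q)), l
    return 1 + (1 << k) + sum(1 << (i * l + k) for i in range(1, q)), n


def prop3_degree(t, n):
    """max over 0 <= i < m' of w_H(r + t * 2^(-i)), the value in Proposition 3."""
    r, m_prime = multiplier(n)
    return max(weight(add_exponents(r, shift_exponent(t, i, n), n))
               for i in range(m_prime))


def prop4_bound(t, n):
    """u * l + ceil(n / l) - 1 from (9); u = number of runs of 1's in t."""
    l = isqrt(n)
    u = (bin(t)[2:].count("01") + 1) if t else 0
    return u * l + (-(-n // l)) - 1


def table_row(n):
    """(n, deg f, ceil(n/2), Proposition 3 value, bound (9)) for d = 2^(n/2) - 1."""
    d = (1 << (n // 2)) - 1
    return n, weight(d), -(-n // 2), prop3_degree(d, n), prop4_bound(d, n)


if __name__ == "__main__":
    for n in (16, 36, 48, 100, 144, 196):        # the values of n in Table I
        print(table_row(n))
    # Theorem 9 instance: n = 16, l = 4, e = 8, d = 2^(e-1) - 1
    print(prop3_degree((1 << 7) - 1, 16), "<=", 4 + 16 // 4 - 2)
```

For every $n$ in Table I the Proposition 3 maximum is attained at $i = l - 1$ and equals the tabulated bound, so for these exponents bound (9) is tight for this choice of multiplier.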

IV. ALGEBRAIC IMMUNITY OF A SUBCLASS OF NIHO BENT FUNCTIONS

Let $n = 2m$. Dobbertin et al. [15] proved that

$$f(x) = \mathrm{Tr}_1^n(a_1 x^{(2^m-1)\frac{1}{2}+1}) + \mathrm{Tr}_1^n(a_2 x^{(2^m-1)3+1}), \tag{17}$$

where $a_1 \in \mathbb{F}_{2^n}^*$, $a_2^{2^m+1} = a_1 + a_1^{2^m} = \beta^5$ for some $\beta \in \mathbb{F}_{2^n}^*$, is a bent function. The functions of this form belong to the class of Niho bent functions. In the following theorem we obtain an upper bound of algebraic immunity of the functions of this form.

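Theorem 10: If $f \in B_n$ ($n = 2m$) is a Niho bent function of the form (17), then

$$\mathrm{AI}(f) \leq \begin{cases} l + \left\lceil \frac{n}{l} \right\rceil - 1, & \text{if } l | m \text{ and } l > 3, \\ l + \left\lceil \frac{n}{l} \right\rceil, & \text{if } l \nmid m \text{ and } l > 2. \end{cases}$$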

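Proof: Using the property $\mathrm{Tr}_1^n(x^2) = \mathrm{Tr}_1^n(x)$, we have

$$\begin{array}{rcl}
f(x) &=& \mathrm{Tr}_1^n(a_1 x^{(2^m-1)\frac{1}{2}+1}) + \mathrm{Tr}_1^n(a_2 x^{(2^m-1)3+1}) \\
&=& \mathrm{Tr}_1^n(a_1' x^{2^m+1}) + \mathrm{Tr}_1^n(a_2' x^{2^m+2^{m-1}-1}).
\end{array}$$

Let $g(x) = \mathrm{Tr}_1^n(a_1' x^{2^m+1})$ and $h(x) = \mathrm{Tr}_1^n(a_2' x^{2^m+2^{m-1}-1})$. The exponent of $h$ is $d = 2^m + 2^{m-1} - 1 = 2^m + \sum_{i=0}^{m-2} 2^i$. Consider the following cases.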

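Case 1. Suppose $l | m$. Then the binary representations of $d$ and $r$ are as follows.

$$\begin{array}{rcl}
d &=& \overbrace{\overbrace{000 \ldots 0}^{l} \; \ldots \; \overbrace{000 \ldots 1}^{l}}^{m} \;\; \overbrace{\overbrace{011 \ldots 1}^{l} \; \ldots \; \overbrace{111 \ldots 1}^{l}}^{m} \\
r &=& 000 \ldots 1 \; \ldots \; 000 \ldots 1 \;\; 000 \ldots 1 \; \ldots \; 000 \ldots 1 \\
r + d &=& \underbrace{000 \ldots 1}_{1} \; \ldots \; \underbrace{00 \ldots 10}_{1} \;\; \underbrace{100 \ldots 1}_{2} \; \ldots \; \underbrace{000 \ldots 0}_{0}
\end{array}$$

Thus, $w_H(r + d) = \frac{n}{l}$. Noting that $w_H(r + d2^{-i})$ is maximized if $i = l - 2$,

$$\begin{array}{rcl}
d2^{-(l-2)} &=& \overbrace{1 \ldots 100}^{l} \; \ldots \; \overbrace{000 \ldots 0}^{l} \;\; \overbrace{0 \ldots 101}^{l} \; \ldots \; \overbrace{111 \ldots 1}^{l} \\
r &=& 00 \ldots 01 \; \ldots \; 000 \ldots 1 \;\; 0 \ldots 001 \; \ldots \; 000 \ldots 1 \\
r + d2^{-(l-2)} &=& \underbrace{11 \ldots 11}_{l-1} \; \ldots \; \underbrace{0 \ldots 001}_{1} \;\; \underbrace{0 \ldots 111}_{3} \; \ldots \; \underbrace{000 \ldots 0}_{0}
\end{array}$$

Using Proposition 3 we have

$$\mathrm{AI}(h) \leq \max_{0 \leq i < l} w_H(r + d2^{-i}) = w_H(r + d2^{-(l-1)}) = l + \frac{n}{l} - 1. \tag{18}$$

More precisely, by Proposition 3, there exists a multiplier of the form $q(x) = \mathrm{Tr}_1^l(x^r)$ with $\deg(q) = \frac{n}{l}$ such that $\deg(qh) = l + \frac{n}{l} - 1$. Since $g$ is a quadratic function, $\deg(qg) \leq \frac{n}{l} + 2$. Also, $\deg(fq) = \deg(gq + hq) \leq \max(\deg(gq), \deg(hq))$. For all $l > 3$ the degree of $qh$ will dominate and therefore

$$\mathrm{AI}(f) \leq l + \frac{n}{l} - 1.$$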

Case 2. If $l | n$ but $l \nmid m$, then $k = 0$. Thus the exponent contains two runs of ones, one of which contains only a single 1. Therefore, $w_H(r + d2^{-i})$ is maximized whenever the string 101 lies in one of the segments, and at the same time the Hamming weights of the other segments are maximized. We observe that $w_H(r + d2^{-i})$ is maximized if $i = l - 1$,

$$\begin{array}{rcl}
d2^{-(l-1)} &=& \overbrace{11 \ldots 10}^{l} \; \ldots \; \overbrace{000 \ldots 0}^{l} \;\; \overbrace{0 \ldots 101}^{l} \; \ldots \; \overbrace{111 \ldots 1}^{l} \\
r &=& 00 \ldots 01 \; \ldots \; 000 \ldots 1 \;\; 0 \ldots 001 \; \ldots \; 000 \ldots 1 \\
r + d2^{-(l-1)} &=& \underbrace{11 \ldots 11}_{l} \; \ldots \; \underbrace{000 \ldots 1}_{1} \;\; \underbrace{0 \ldots 111}_{3} \; \ldots \; \underbrace{000 \ldots 0}_{0}
\end{array}$$

Using Proposition 3 we have

$$\mathrm{AI}(h) \leq \max_{0 \leq i < l} w_H(r + d2^{-i}) = w_H(r + d2^{-(l-1)}) = l + \frac{n}{l}. \tag{19}$$

More precisely, by Proposition 3, there exists a multiplier of the form $q(x) = \mathrm{Tr}_1^l(x^r)$ with $\deg(q) = \frac{n}{l}$ such that $\deg(qh) = l + \frac{n}{l}$. Since $g$ is a quadratic function, $\deg(qg) \leq \frac{n}{l} + 2$. For all $l > 2$ the degree of $qh$ will dominate and therefore

$$\mathrm{AI}(f) \leq l + \frac{n}{l}.$$

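Case 3. If $l \nmid n$. By Lemma 4, the binary representations of $t$ and $r$ are as follows.

$$\begin{array}{rcl}
t &=& \overbrace{000 \ldots 0}^{l} \; \ldots \; \overbrace{00 \ldots 00}^{l} \;\; \overbrace{0101 \ldots 1}^{l} \; \ldots \; \overbrace{111 \ldots 1}^{l} \;\; \overbrace{111 \ldots 1}^{k} \\
r &=& 000 \ldots 1 \; \ldots \; 00 \ldots 01 \;\; 0000 \ldots 1 \; \ldots \; 000 \ldots 1 \;\; 000 \ldots 1 \\
r + t &=& \underbrace{000 \ldots 1}_{1} \; \ldots \; \underbrace{00 \ldots 01}_{1} \;\; \underbrace{0110 \ldots 1}_{3} \; \ldots \; \underbrace{000 \ldots 1}_{1} \;\; \underbrace{000 \ldots 0}_{0}
\end{array}$$

Thus $w_H(r + t) = \lceil \frac{n}{l} \rceil + 1$. Noting that $w_H(r + d2^{-i})$ is maximized if $i = l - 1$,

$$\begin{array}{rcl}
d2^{-(l-1)} &=& \overbrace{11 \ldots 10}^{l} \; \ldots \; \overbrace{000 \ldots 0}^{l} \;\; \overbrace{101 \ldots 1}^{l} \; \ldots \; \overbrace{111 \ldots 1}^{k} \\
r &=& 00 \ldots 01 \; \ldots \; 000 \ldots 1 \;\; 000 \ldots 1 \; \ldots \; 000 \ldots 1 \\
r + d2^{-(l-1)} &=& \underbrace{11 \ldots 11}_{l} \; \ldots \; \underbrace{000 \ldots 1}_{1} \;\; \underbrace{110 \ldots 1}_{3} \; \ldots \; \underbrace{000 \ldots 0}_{0}
\end{array}$$

Using Proposition 3 we have

$$\mathrm{AI}(h) \leq \max_{0 \leq i < n} w_H(r + d2^{-i}) = w_H(r + d2^{-(l-1)}) = l + \left\lceil \frac{n}{l} \right\rceil. \tag{20}$$

Thus we obtain

$$\mathrm{AI}(f) \leq l + \left\lceil \frac{n}{l} \right\rceil.$$

We note that this bound is the same as that obtained by Nawaz, Gong and Gupta [21] for a class of monomial trace functions with Niho exponents.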

V. CONCLUSION

By using a technique developed by Nawaz, Gong and Gupta [21] we have identified a class of functions in $PS_{ap}$ which do not have maximum algebraic immunity. We further identify a class of Niho functions with two trace terms and demonstrate that the functions in this class do not have maximum algebraic immunity. The question whether these bounds can be further improved remains open.

Acknowledgment: This work is supported by Indo–Slovenian S & T program of cooperation in Science & Technology supported by Department of Science and Technology India and Ministry of Higher Education, Science and Technology Slovenia and Slovenian Research Agency. BKS thanks CSIR, India for financial support.

REFERENCES

[1] A. Braeken and B. Preneel, On the algebraic immunity of symmetric Boolean functions, INDOCRYPT 2005, LNCS 3797, pp. 35–48, 2005.

[2] A. Canteaut, Open problems related to algebraic attacks on stream ciphers, WCC 2005, LNCS 3969, pp. 120–134, 2006.

[3] C. Carlet, Improving the algebraic immunity of resilient and nonlinear functions and constructing bent functions, available at: http://eprint.iacr.org/2004/276.

[4] C. Carlet, "Boolean functions for cryptography and error correcting codes," Chapter of the monograph "Boolean Models and Methods in Mathematics, Computer Science and Engineering," Cambridge Univ. Press, Y. Crama, P. Hammer (eds.), pp. 257–397, 2010.

[5] C. Carlet and P. Gaborit, Hyper-bent functions and cyclic codes, Journal of Combinatorial Theory, Series A 113 (2006), 466–482.

[6] C. Carlet, Two new classes of bent functions, in Proc. EUROCRYPT '93, LNCS vol. 765, Springer, 1994, pp. 77–101.

[7] P. Charpin and G. Gong, Hyperbent functions, Kloosterman sums and Dickson polynomials, IEEE Trans. Inform. Theory 54(9) (2008), 4230–4238.

[8] N. Courtois, Fast algebraic attacks on stream ciphers with linear feedback, CRYPTO 2003, LNCS 2729, pp. 176–194, 2003.

[9] N. Courtois and W. Meier, Algebraic attacks on stream ciphers with linear feedback, EUROCRYPT 2003, LNCS 2656, pp. 346–359, 2003.

[10] N. Courtois and W. Meier, Algebraic attacks on stream ciphers with linear feedback, Extended version of [9], available at: http://cryptosystem.net/stream.

[11] G. Cohen and J-P. Flori, On a generalized combinatorial conjecture involving addition mod $2^k - 1$, available at: http://eprint.iacr.org/2011/400.

[12] D. K. Dalai, K. C. Gupta and S. Maitra, Cryptographically significant Boolean functions: construction and analysis in terms of algebraic immunity, FSE 2005, LNCS 3557, pp. 98–111, 2005.

[13] D. K. Dalai, S. Maitra and S. Sarkar, Basic theory in construction of Boolean functions with maximum possible annihilator immunity, Des. Codes Cryptography, 40 (1) (2006), 41–58.

[14] J. F. Dillon, Elementary Hadamard difference sets, Ph.D. thesis, University of Maryland, U.S.A., 1974.

[15] H. Dobbertin, G. Leander, A. Canteaut, C. Carlet, P. Felke and P. Gaborit, Construction of bent functions via Niho power functions, Journal of Combinatorial Theory, Series A, 113 (2006), 779–798.

[16] S. Gangopadhyay and S. Maitra, Further results related to generalized nonlinearity, INDOCRYPT 2002, LNCS 2551, pp. 260–274, 2002.

[17] S. W. Golomb and G. Gong, Signal design for good correlation: for wireless communication, cryptography and radar, Cambridge University Press, ISBN 0521821045, 2005.

[18] K. C. Gupta, Y. Nawaz and G. Gong, Upper bound for algebraic immunity on a subclass of Maiorana-McFarland class of bent functions, Information Processing Letters 111 (2011), 247–249.

[19] F. J. MacWilliams and N. J. A. Sloane, The theory of error correcting codes, North-Holland, Amsterdam, 1977.

[20] W. Meier, E. Pasalic, and C. Carlet, Algebraic attacks and decomposition of Boolean functions, EUROCRYPT 2004, LNCS 3027, pp. 474–491, 2004.

[21] Y. Nawaz, G. Gong and K. Gupta, Upper bounds on algebraic immunity of Boolean power functions, FSE 2006, LNCS 4047, pp. 375–389, 2006.

[22] L. Qu, K. Feng, F. Liu and L. Wang, Constructing symmetric Boolean functions with maximum algebraic immunity, IEEE Trans. Inform. Theory, 55 (5) (2009), 2406–2412.

[23] O. S. Rothaus, On bent functions, Journal of Combinatorial Theory, Series A, vol. 20:300–305, 1976.

[24] T. W. Cusick and P. Stanica, Cryptographic Boolean functions and Applications, Elsevier–Academic Press, 2009.

[25] Z. Tu and Y. Deng, A conjecture about binary strings and its applications on constructing Boolean functions with optimal algebraic immunity, Des. Codes Cryptography, 60 (1) (2011), 1–14.

[26] G. Vega, Some precisions on PS bent functions, International Mathematical Forum, 5 (2010), 537–544.

[27] A. M. Youssef and G. Gong, Hyper-bent functions, EUROCRYPT 2001, LNCS 2045, pp. 406–419, 2001.

[28] X. Zeng, C. Carlet, J. Shan and L. Hu, More balanced Boolean functions with optimal algebraic immunity and good nonlinearity and resistance to fast algebraic attacks, IEEE Trans. on Inform. Theory, IT-57(9):6310–6320, 2010.