JAMCJ Appl Math ComputDOI 10.1007/s12190-014-0752-y

O R I G I NA L R E S E A R C H

On second-order nonlinearity and maximum algebraicimmunity of some bent functions in PS+

Brajesh Kumar Singh

Received: 31 October 2013© Korean Society for Computational and Applied Mathematics 2014

Abstract The rth-order nonlinearity and algebraic immunity of Boolean functionplay a central role against several known attacks on stream and block ciphers.Since its maximum equals the covering radius of the rth-order Reed-Muller code,it also plays an important role in coding theory. The computation of exact value orhigh lower bound on the rth-order nonlinearity of a Boolean function is very com-plected/challenging problem, especially when r > 1. In this article, we identify asubclass of D0 type bent functions constructed by modifying well known Dillon func-tions having sharper bound on their second-order nonlinearity. We further, identify asubclass of bent functions in PS+ class with maximum possible algebraic immunity.The result is proved by using the well known conjecture proposed by Tu and Deng(Des. Codes Cryptogr. 60(1):1–14, 2011). To obtain rth-order nonlinearity (r > 2),that is, whole nonlinearity profile of the constructed bent functions is still an openproblem.

Keywords Boolean function · Bent function · Dillon functions · D0 type bents ·Algebraic immunity · Second-order nonlinearities

Mathematics Subject Classification 94A60 · 94C10 · 06E30

1 Introduction

Boolean functions are the building blocks for the design and the security of sym-metric cryptographic systems and for the definition of some kinds of error correctingcodes, sequences and designs. The r th-order nonlinearity of a Boolean function f

B.K. Singh (B)Department of Mathematics, School of Allied Sciences, Graphic Era Hill University, Dehradun248002, Uttarakhand, Indiae-mail: bksingh0584@gmail.com

B.K. Singh

is defined by the minimum Hamming distance of f to all the Boolean functions ofalgebraic degrees at most r . It is an important parameter which measures the resis-tance of the function against various low-order approximation attacks [11, 18, 19].In cryptographic framework, within a trade-off with the other important criteria, ther th-order nonlinearity must be as large as possible [7, 14, 20, 26, 28]. Since, themaximal r th-order nonlinearity of all Boolean functions equals the covering radiusof RM(r,n)—Reed-Muller code (RM(r,n) := {f ∈ Bn : deg(f ) ≤ r}) of length 2n

and order r [7], it plays an important role in coding theory. Besides these applications,an interesting connection between the r th-order nonlinearity and the fast algebraic at-tacks has been introduced, recently in [28] which claims that a cryptographic Booleanfunction should have high r th-order nonlinearity to resist the fast algebraic attack.

The first order nonlinearity (r = 1) of f is simply referred to as nonlinearity off and is denoted by nl(f ). The functions achieving maximum possible nonlinearity,2n−1 − 2n/2−1 (exists only for even n) are said to be bent functions, introduced byRothaus [25]. These functions are nice combinatorial objects, directly related to dif-ference sets, and they allow constructing optimal error correcting codes and designs.As their algebraic degree is at most n/2, and so, they do not allow resisting fast al-gebraic attacks. Bent functions have been extensively studied in many articles [7, 8,13].

Unlike nonlinearity there is no efficient algorithm to compute second-order non-linearities for n > 11. Most efficient algorithm is introduced by Fourquet and Tav-ernier [15] which works for n ≤ 11 and, upto n = 13 for some special functions.Thus, to identify a class of Boolean function with high r th-order non linearity, evenfor r = 2, is a very relevant area of research. In 2008, Carlet have devolved a tech-nique to compute r th-order nonlinearity recursively in [4]. Based on this technique,the researchers found only some specific classes of Boolean functions for which ther th-order nonlinearity, for r ≥ 2, is obtained. For details on classes of functions hav-ing good second-order nonlinearity, we refer to [4–6, 15–17, 19], and the referencestherein.

In recent years, algebraic attack has become an important method in cryptographicanalyzing stream and block cipher systems, see e.g. [1, 3, 10]. A new cryptographicproperty: the algebraic immunity which measures the ability of the designed Booleanfunction to resist such kind of attack, has been introduced and studied several researchpapers, see [2, 3, 10, 12, 23] and the references therein. The core of the analysis isto identify low degree annihilators of f or of 1 ⊕ f . Boolean functions with optimalalgebraic immunity were found subsequently in many articles. Unfortunately, mostof the functions do not present high nonlinearity where as the others are unbalanced,see e.g. [2, 12] and the reference therein. Further constructions with high nonlinear-ity were found in [9, 24, 27, 29, 30]. Further, a series of construction methods forBoolean functions fulfilling several cryptographic criteria, based on some modifica-tions of a certain class of bent functions called partial spreads [13], has been proposed[27, 30]. The main idea behind the constructions of such type of functions is the useof a particular subclass of functions from PSap and extend the support set, that is,the domain set of these functions so that it would give a rise to some new classesof Boolean functions which possess in particular, an optimal resistance to standardalgebraic cryptanalysis (it may possibly not to fast algebraic cryptanalysis).

On second-order nonlinearity and maximum algebraic immunity

In the present article, we study the second-order nonlinearity of a subclass of D0type bent functions: constructed by modifying Dillon functions of the form Trm1 (αx

y)

where α ∈ F∗2m . Further, a subclass of bent functions of maximum algebraic degree in

PS+ with maximum algebraic immunity is constructed. The subclass is constructedby modifying the PSap type bent functions.

The remainder of the article is organized as follows: In Sect. 2 some basic defi-nitions and notations required for the subsequent sections are reviewed. In Sect. 3,a lower bound on second-order nonlinearity of D0 type bent functions constructedby modifying Dillon functions is deduced. Algebraic immunity of the constructedfunction is derived in Sect. 4. Finally, Sect. 5 concludes the article.

2 Preliminaries

Let F2n be the finite field consisting of 2n elements, and Z be the set of integers. Thegroup of units of F2n is F∗

2n = F2n \ {0} forms a cyclic group. An element x ∈ F2n canbe uniquely associated to an element x = (x1, x2, . . . , xn) ∈ F

n2 once a basis of F2n is

fixed, and so, Fn2 is isomorphic to F2n as F2-vector spaces. Thus, a function from F2n

(or Fn2) to F2 is said to be a Boolean function on n variables, the set of such functions

is denoted by Bn. The truth-table of f ∈ Bn is a binary string of length 2n tabu-lated as [f (0, . . . ,0,0), f (0, . . . ,0,1), f (0, . . . ,1,0), . . . , f (1, . . . ,1,1)]. The addi-tions in both Z and F2n are denoted by ‘+’ while ‘⊕’ denotes the addition in F

n2. The

Hamming weight of x ∈ Fn2 is defined by wH (x) := ∑n

i=1 xi . The binary representa-tion of an integer d ∈ Z is

d = dm−12m−1 + dm−22m−2 + · · · + d12 + d0, (1)

where d0, d1, . . . , dm−1 ∈ {0,1}. Once the order in which the exponents of 2 appear in(1) is fixed the finite sequence (dm−1, . . . , d0) is referred to as the binary representa-tion of d . The Hamming weight of an integer d is wH (d) = ∑m−1

i=0 di . The algebraicnormal form (ANF) of f ∈ Bn is defined by

f (x1, x2, . . . , xn) =⊕

a=(a1,...,an)∈Fn2

μa

(n∏

i=1

xai

i

)

, μa ∈ F2. (2)

The algebraic degree of f as represented in (2), is defined by deg(f ) := max{wH (a) :μa �= 0,a ∈ F

n2}. Every Boolean function h : F2m × F2m → F2 can be expressed in

terms of a polynomial of two variables on F2m as

h(x, y) =2m−1∑

i=0

2m−1∑

j=0

hi,j xiyj , where hi,j ∈ F2m, (3)

and deg(h) is the largest positive integer w for which wH (i) + wH (j) = w andhi,j �= 0. The Hamming distance between f,g ∈ Bn is defined by dH (f,g) = |{x ∈F2n |f (x) �= g(x)}|, where |S| is the cardinality of any set S. The support of a

B.K. Singh

function f ∈ Bn is defined by supp(f ) := {x ∈ F2n : f (x) = 1}, and the numberwH (f ) = |{x ∈ F2n : f (x) = 1}| is said to be Hamming weight of f .

The Walsh–Hadamard transform (WHT) of f ∈ Bn at λ ∈ F2n is defined byWf (λ) := ∑

x∈F2n(−1)f (x)+Trn1(λx), where Trn1(x) = ∑n−1

i=0 x2iis a trace function

from F2n to F2. For f : F2m × F2m → F2, the WHT at (λ,μ) ∈ F2m × F2m is

Wf (λ,μ) =∑

(x,y)∈F2m×F2m

(−1)f (x,y)+Trm1 (λx+μy).

The Walsh-Hadamard spectrum of f ∈ Bn, the set {Wf (λ) : λ ∈ F2n}, satisfies Parse-val’s identity:

∑

λ∈F2n

W 2f (λ) = 22n. (4)

The nonlinearity of f ∈ Bn in terms of WHT is given by

nl(f ) = 2n−1 − 1

2maxλ∈F2n

|Wf (λ)|.

For any even positive integer n = 2m ∈ Z, there exist Boolean functions with “flat”Walsh–Hadamard spectra. These functions are said to be bent and as a consequence of(4), a function f ∈ Bn (for n = 2m) is bent if and only if |Wf (λ)| = 2m for all λ ∈ F2n .

The dual, f , of a bent function f ∈ B2m which is defined by Wf (x) := (−1)f (x)2m

for all x ∈ F22m , is also bent.The derivative of f ∈ Bn with respect to a ∈ F2n is defined by Daf (x) := f (x) +

f (x + a) for all x ∈ F2n . For further details on higher derivatives, see [7]. The r th-order nonlinearity of f ∈ Bn is defined as

nlr (f ) = minh∈RM(r,n)

dH (f,h) = 2n−1 − 1

2max

h∈RM(r,n)

∣∣∣∣∣∣

∑

x∈F2n

(−1)f (x)+h(x)

∣∣∣∣∣∣,

The sequence of values {nlr (f )}n−1r=1 is said to be the nonlinearity profile of f .

nl1(f ) = nl(f ) denotes the nonlinearity of f . In this article, we use the followingproposition to compute our bound (for r = 2).

Proposition 1 [4, Prop. 3] Let f ∈ Bn and r be a positive integer (r < n), then

nlr (f ) ≥ 2n−1 − 1

2

√

22n − 2∑

a∈F2n

nlr−1(Daf ).

A Boolean function g ∈ Bn is said to be an annihilator of f ∈ Bn if and only if g

is not identically zero and g(x)f (x) = 0 for all x ∈ F2n (g �= 0 and gf = 0, in short).Let AN (f ) be the set of all annihilators of f ∈ Bn, that is

AN (f ) = {g ∈ Bn : g �= 0, gf = 0}.

On second-order nonlinearity and maximum algebraic immunity

Definition 2 The algebraic immunity, AI(f ), of f ∈ Bn is defined as

AI(f ) = min{deg(g) : g ∈ AN (f ) ∪AN (f )},where f denotes the complement of the function f .

Suppose gf = h where deg(g) and deg(h) both are at most d , and g �= h, then f

has an annihilator with algebraic degree at most d and hence AI(f ) ≤ d [23, Prop.1]. It is proved by Courtois and Meier [10, Thm. 6.0.1] that for every f ∈ Bn, there isa function g ∈ Bn with g �= 0 of degree at most n

2 � such that gf is of degree at mostn

2 �. Since f f = 0, and so, AI(f ) ≤ deg(f ). Thus, for any f ∈ Bn

AI(f ) ≤ min{

deg(f ),⌈n

2

⌉}.

3 Second-order nonlinearities of D0 type functions

A function f : F2m × F2m → F2 defined as f (x, y) = Trm1 (xπ(y)) + �(y) for all(x, y) ∈ F2m × F2m , where π is a permutation on F2m and � ∈ Bm, is bent. The set ofsuch bent functions is referred to as Maiorana-McFarland class (M). A bent functionh : F2m × F2m → F2 in a subclass D0 of D [8] is defined by

h(x, y) = Trm1 (xπ(y)) +m∏

i=1

(xi ⊕ 1), for all x, y ∈ F2m, (5)

where π is a permutation on F2m .

Proposition 3 [16, Thm. 3.1] Let h ∈ B2m as defined in (5), and f (x, y) =Trm1 (xπ(y)), then

|WD(a,b)h(μ,η)| ≤ |WD(a,b)f (μ,η)| + 4|Wa·π (η)|, for all a, b ∈ F2m.

It is obvious that WD(0,b)h(μ,η) = WD(0,b)f (μ,η).

Using Proposition 3, Gangopadhyay and Singh obtained the lower bounds onsecond-order nonlinearities of two classes [16] of D0 type bent functions constructedby modifying the cubic Maiorana-McFarland type bent functions. It is observed thateven the constructed functions are bent having maximum algebraic degree and goodsecond-order nonlinearities but their algebraic immunity is still remain at most 4 forall n, that is, could not be improved.

3.1 Second-order nonlinearity of the functions obtained by modifying Trm1 (αxy

)

In this section, we study the lower bound of second-order nonlinearity of D0 typefunctions constructed by modifying Dillon functions: Trm1 (αx

y), α ∈ F

∗2m .

The function Finv : F2m → F2m defined by Finv(x) := 1x

= x2m−2 is said to beinverse function. It is a permutation because of gcd(2m − 2,2m − 1) = gcd(2m−1 −1,2m − 1) = 2gcd(m,m−1) − 1 = 1. Lachaud and Wolfmann proved the following

B.K. Singh

Lemma 4 [21, Theorem 3.4] For any positive integer m, the Walsh-Hadamard spec-trum of Trm1 ( 1

x) defined on F2m can take any value divisible by 4 in the range

[−2m/2+1 + 1,2m/2+1 + 1].

Now, define gα(x) = Trm1 (αx), α ∈ F

∗2m . Being the Boolean functions gα , α ∈ F

∗2m

affine equivalent to each other, the functions have same nonlinearity profiles [4]. Iftm = max{t : t ∈ [−2

m2 +1 + 1,2

m2 +1 + 1], t = 0( mod 4)}, then

maxλ∈F2m

∣∣Wgα(λ)

∣∣ = tm

The lower bound of nonlinearities of the derivatives of the constructed functionsat (a, b) ∈ F2m × F2m is presented in the following

Lemma 5 Let hα : F2m × F2m → F2 be a Boolean function expressed as

hα(x, y) = fα(x, y) +m∏

j=1

(xj ⊕ 1), for all x, y ∈ F2m, (6)

where fα(x, y) = Trm1 (αxy

) and α ∈ F∗2m . Then the nonlinearity of the derivative

D(a,b)hα of the function hα at (a, b) ∈ F2m × F2m is at least

nl(D(a,b)fα) − 2tm, whenever a �= 0

Therefore,

nl(D(a,b)hα) ≥

⎧⎪⎪⎨

⎪⎪⎩

0, if a = 0, b = 0,

22m−1 − 2m+1−ζ , if a = 0, b ∈ F∗2m,

22m−1 − 2m+1−ζ − 2tm, if a, b ∈ F∗2m,

22m−1 − tm(2m−1 + 2), if a ∈ F∗2m, b = 0.

(7)

where ζ = m (mod 2) and tm = max{t |t ∈ [−2m/2+1 +1,2m/2+1 +1], t = 0 (mod 4)}.

Proof By Proposition 3, the nonlinearity of D(a,b)hα , for a �= 0 is

nl(D(a,b)hα) = 2n−1 − 1

2max

(λ,μ)∈F2m×F2m

|WD(a,b)hα |

≥(

22m−1 − 1

2max

(λ,μ)∈F2m×F2m

|WD(a,b)fα |)

− 2 maxμ∈F2m

|Wgaα(μ)|

= nl(D(a,b)fα) − 2tm, (8)

where gaα (y) = Trm1 ( aα

y), and aα = aα, and

nl(D(0,b)hα) = nl(D(0,b)fα). (9)

On second-order nonlinearity and maximum algebraic immunity

The nonlinearity of the first derivative D(a,b)fα of a Dillon function fα at (a, b) ∈F2m × F2m is obtained in [6, Lemma 4] by Carlet as

nl(D(a,b)fα) =⎧⎨

⎩

0, if a = 0, b = 0,

22m−1 − 2m+1−ζ , if a ∈ F2m, b ∈ F∗2m,

22m−1 − tm2m−1, if a ∈ F∗2m, b = 0.

(10)

where ζ = m (mod 2) and tm = max{t |t ∈ [−2m/2+1 +1,2m/2+1 +1], t = 0 (mod 4)},and so tm = 2m/2+1 for m even.

Using Eq. (10) in Eq. (9) and (8), we have

nl(D(a,b)hα) ≥

⎧⎪⎪⎨

⎪⎪⎩

0, if a = 0, b = 0,

22m−1 − 2m+1−ζ , if a = 0, b ∈ F∗2m,

22m−1 − 2m+1−ζ − 2tm, if a, b ∈ F∗2m,

22m−1 − tm(2m−1 + 2), if a ∈ F∗2m, b = 0. �

Theorem 6 The second-order nonlinearity of the Boolean function hα as defined in(6) is given by

nl2(hα) ≥⎧⎨

⎩

2n−1 − 12

√

23n2 +1 − 2n + 5tm(2n − 2

n2 ), if m = 1 (mod 2),

2n−1 − 12

√

23n2 +2 − 3 · 2n + 10(2

5n4 − 2

3n4 ), if m = 0 (mod 2).

Proof Using (7) we have

∑

a,b∈F2m

nl(D(a,b)hα)

= nl(D(0,0)hα) +∑

b∈F∗2m

nl(D(0,b)hα) +∑

a∈F∗2m

nl(D(a,0)hα) +∑

a,b∈F∗2m

nl(D(a,b)hα)

≥ (2m − 1)(22m−1 − 2m+1−ζ ) + (2m − 1)(22m−1 − tm(2m−1 + 2))

+ (2m − 1)(2m − 1)(22m−1 − 2m+1−ζ − 2tm)

= 2m(2m − 1)(22m−1 − 2m+1−ζ ) − 2tm(22m − 2m+1 + 1)

+ (2m − 1)(22m−1 − 2tm(2m−2 + 1))

= 24m−1 − 23m+1−ζ + 22m+1−ζ − 22m−1 − 5tm(22m−1 − 2m−1)

Using Proposition 1 we have

nl2(hα)

≥ 2n−1 − 1

2

√

22n − 2∑

(a,b)∈F2m×F2m

nl(D(a,b)hα)

= 22m−1 − 1

2

√24m − 2(24m−1 − 23m+1−ζ + 22m+1−ζ − 22m−1 − 5tm(22m−1 − 2m−1))

B.K. Singh

= 22m−1 − 1

2

√23m+2−ζ − 22m+2−ζ + 22m + 10tm(22m−1 − 2m−1)

= 2n−1 − 1

2

√

23n2 +2−ζ − (2n+2−ζ − 2n) + 5tm(2n − 2

n2 ).

Since ζ = m (mod 2), and tm = 2m/2+1 for even m, and therefore

nl2(hα) ≥⎧⎨

⎩

2n−1 − 12

√

23n2 +1 − 2n + 5tm(2n − 2

n2 ), if m = 1 (mod 2),

2n−1 − 12

√

23n2 +2 − 3 · 2n + 10(2

5n4 − 2

3n4 ), if m = 0 (mod 2). �

Carlet deduced the whole nonlinearity profile of Dillon functions [5]. The lowerbound of second-order nonlinearity of Dillon functions fα is

nl2(fα) ≥ 2n−1 − 1

2

√

23n2 +2 + 2

5n4 +1 − 2

3n4 +1 − 2n − 2

n2 +1, (11)

and this bound was further improved in [6] as

nl2(fα) ≥⎧⎨

⎩

2n−1 − 12

√

23n2 +1 − 2n + tm(2n − 2

n2 ), if m = 1 (mod 2),

2n−1 − 12

√

23n2 +2 − 3 · 2n + 2

5n4 +1 − 2

3n4 +1, if m = 0 (mod 2).

(12)

3.2 Comparison

In Table 1, we present numerical comparison of our bounds obtained in Theorem 6with the bounds obtained for associated Dillon functions fα , and that for cubic Nihobent functions as represented in Proposition 7 below

Proposition 7 [17] Let f (x) = Trn1(α1xd1 + α2x

d2), where α1, α2 ∈ F2n , with α1 +α1 = ‖α2‖, e be a positive integer such that n = 2e, and d1 = (2e − 1) 1

2 + 1 andd2 = (2e − 1) 1

4 + 1 are Niho exponents. Then

nl2(f ) ≥ 2n−1 − 23n+e−3

4 . (13)

It is observed from Table 1 that the bound of second-order nonlinearity the func-tions considered in Theorem 6 is improved upon the bound obtained by Garg andGangopadhyay [17] for all n > 8. Moreover, the ratio of the value obtained by (12) tothe value by Theorem 6 decreases as n increases, and the limiting value of this ratiois 1. This concludes that the bounds obtained in Theorem 6 is asymptotically equalto that of associated Dillon functions (12).

Open problem: The lower bounds of r th-order nonlinearities for r > 2 of the con-structed functions, hα as represented in Theorem 6, is still a challenging problem.

On second-order nonlinearity and maximum algebraic immunity

Table 1 Comparison of the lower bounds of second-order nonlinearities of bent functions in D0 classwith that of Niho functions (13) and the associated Dillon functions (11), (12)

n (11) (12) (13) Theorem 6

6 8 14 10 10

8 60 61 52 50

10 324 374 256 336

12 1521 1523 1188 1466

14 6713 7125 5296 6988

16 28610 28,614 23028 28372

18 119362 122,705 98304 122048

20 491269 491,277 414070 490278

22 2003965 2,030,904 1726426 2028196

24 8125450 8,125,466 7141634 8121418

26 32810943 33,027,271 29360128 33015954

4 Bent functions with optimal algebraic immunity in PS

Throughout this section n = 2m. The class of partial spreads type bent functions(PS), introduced by Dillon [13], is divided into two subclasses: PS− and PS+ de-pending on the size of the supports. A function f ∈ B2m is in PS− if its support is aunion of 2m−1 “disjoint” m-dimensional subspaces of F22m with the vector 0 ∈ F22m

is discarded, where “disjoint” means that any pair of these subspaces intersects onlyin 0. The function is in PS+ if its support is a union of 2m−1 + 1 “disjoint” m-dimensional subspaces of F22m . It is to be noted that, depending on the choice ofthese m-dimensional flats it might be the case that the support of a bent function f

in PS− (or in PS+) is such that f is not in PS+ (or in PS−). The algebraic degreeof f ∈ B2m in PS− is always equal to m whereas this is not the case for functions inPS+ whose degrees may be less than m, see e.g. [13].

The algebraic representation of the bent functions in the PS class appears to behard. Dillon [13] exhibits one explicit representation of a subclass of PS−, denotedby PSap , consisting of function f : F2m × F2m → F2 defined as:

f (x, y) = g

(x

y

)

, x, y ∈ F2m,

where g ∈ Bm is any balanced Boolean function such that g(0) = 0. Since 1y

= y2m−2,

and so, 1y

read as 0 at y = 0. It was shown [27] that the selection of the support of g

is of great importance. Indeed, if we consider a balanced g : F2m → F2 defined by

supp(g) = {αs,αs+1, . . . , αs+2m−1−1} = �(say), (14)

for some integer s ≥ 0 and a primitive element α ∈ F2m , then AI (f ) = m [27, Con-struction 1]. This result was proved using the famous BCH bound and Conjecture 1below proposed by Tu and Deng [27].

B.K. Singh

Conjecture 1 [27, Conjecture 1] For any t ∈ Z2m−1 \ {0}, if

St = {(a, b) ∈ Z2m−1 ×Z2m−1, a + b = tmod (2m − 1),wH (a) + wH (b) ≤ m − 1},then |St | ≤ 2m−1.

Theorem 8 (The BCH bound [22]) Let α be a primitive n-root of unity. Let Φ bea cyclic code of length n and with a generator polynomial g(x) such that for someintegers b ≥ 0, δ ≥ 1

g(αb) = g(αb+1) = · · · = g(αb+δ−2) = 0,

that is, the code has string of δ − 1 consecutive powers of α as zeroes, then theminimal distance of Φ is at lest δ.

Definition 9 A cyclic code of length n over Fq is a BCH code of designed distanceδ if, for some integer b ≥ 0

g(x) = lcm{m(b)(x),m(b+1)(x), . . . ,m(b+δ−2)(x)},that is, g(x) is the lowest degree monic polynomial over Fq having αb,αb+1, . . .,αb+δ−2 as zeroes, when m(i) is the minimal polynomial of αi over Fq .

A natural question whether there exists a class of bent functions in PS+ havingmaximum algebraic immunity. We answer this in affirmative by considering a sub-class of bent functions as mentioned in the following section.

4.1 Algebraic immunity of bent functions obtained by modifying Dillon functions

In this section, we identify a subclass of bent functions belonging to PS+ obtainedby modifying the functions in PSap which have the maximum algebraic immunity.

Construction 1 Let n = 2m and α be a primitive element of F2m . Let g ∈ Bm and �

are same as in (14). If the support of the Boolean function f : F2m × F2m → F2 isdefined as

supp(f ) = {(0, y) : y ∈ F2m} ∪ {(γy, y) : y ∈ F∗2m, γ ∈ �}.

Then f ∈ PS+ and AI(f ) = m.

Theorem 10 Let f ∈ Bn as defined in Construction 1, then AI(f ) = m.

Proof To prove that f have algebraic immunity m, it is sufficient to prove that bothf and f have no annihilators of algebraic degrees less than m.

Let us suppose h ∈ B2m be a non zero function as expressed in (3) with deg(h) < k

and f h = 0, then we will show that h = 0. By assumption, we have h(x, y) = 0 forall (x, y) ∈ supp(f ) = {(0, y) : y ∈ F2m} ∪ {(γy, y) : y ∈ F

∗2m, γ ∈ �}, and hi,j = 0 if

wH (i) + wH (j) ≥ m.

On second-order nonlinearity and maximum algebraic immunity

h(0, y) = 0 for all y ∈ F2m implies that h0,t = 0 for all 0 ≤ t ≤ 2m − 1. Also,h(γy, y) = 0 for all y ∈ F

∗2m and γ ∈ �.

h(γy, y) =2m−1∑

i=0

2m−1∑

j=0

hi,j (γy)iyj =2m−1∑

i=0

2m−1∑

j=0

hi,j γiyi+j = h0,0 +

2m−1∑

t=0

ht (γ )yt ,

where

ht (γ ) =t∑

i=0

hi,t−iγi +

2m−1∑

i=t

hi,2m−1+t−iγi .

It is observed from [27] that wH (i) + wH (2m − 1 − i) = m which implies thath2m−1 = 0 and ht,2m−1 = h2m−1,t = 0 for all t . Using these values in the above equa-tion, we have

ht (γ ) =t∑

i=0

hi,t−iγi +

2m−2∑

i=t+1

hi,2m−1+t−iγi,

which implies that

h(γy, y) = h0,0 +2m−2∑

i=1

ht (γ )yt .

For some fixed γ ∈ �, since h(γy, y) = 0 for all y ∈ F∗2m , it follows that

h0,0 = 0 and ht (γ ) = 0,1 ≤ t ≤ 2m − 1, for all γ ∈ �.

By the definition of BCH code, (h0,t , h1,t−1, . . . , ht,0, ht+1,2m−2, . . . , h2m−2,t+1) bea codeword in some BCH code of length 2m − 1 over F2m , having the elements in� as zeros and with designed distance 2m−1 + 1. If this codeword is nonzero, thenby definition of BCH bound the weight should be greater than or equal to 2m−1 + 1.Further, from Conjecture 1 and h0,t = 0, the weight should be strictly less than 2m−1,leads a contradiction. Hence, h = 0. It means that there exist no annihilator of f

having algebraic degree strictly less than m.Now, we will prove that f also have no annihilator of algebraic degree strictly less

than m.Let us suppose h : F2m × F2m → F2 be a non zero function with deg(h) < m and

f h = 0, then we will show that h = 0. It can be easily observed that

supp(f ) = {(γy, y) : y ∈ F∗2m, γ ∈ F

∗2m \ �} ∪ {(x,0) : x ∈ F

∗2m}.

h(x,0) = 0 for all x ∈ F∗2m which implies that ht,0 = 0 for all 1 ≤ t ≤ 2m − 1.

Similarly h(γy, y) = 0 for all y ∈ F∗2m and γ ∈ F

∗2m \ �. It follows that h0,0 =

0 and ht (γ ) = 0, 1 ≤ t ≤ 2m − 2 for all γ ∈ F∗2m \ �. Thus we can see that

(h0,t , h1,t−1, . . . , ht,0, ht+1,2m−2, . . . , h2m−2,t+1) be a codeword in some BCH code

of length 2m − 1 over F2m , having the elements in F∗2m \ � = {α2m−1

, α2m−1+1, . . . ,

B.K. Singh

α2m−2} as zeros and with designed distance 2m−1. If this codeword is nonzero, thenby definition of BCH bound the weight should be greater than or equal to 2m−1. Fur-ther, from Conjecture 1 and ht,0 = 0, the weight should be strictly less than 2m−1,leads a contradiction, this implies that h = 0.

Thus, neither f nor f has an annihilator of degree strictly less than m. This com-pletes the theorem. �

The support of the function f as defined in Construction 1 is the union of 2m−1 +1disjoint subspaces, and so, it is PS+ type bent. The dual of this function is providedin the following

Theorem 11 The dual f of the function f as defined in Construction 1 is given by

supp(f ) = {(x, γ x) : x ∈ F∗2m, γ ∈ �} ∪ {(x,0) : x ∈ F2m}.

Proof Since supp(f ) = {(0, y) : y ∈ F2m} ∪ {(γy, y) : y ∈ F∗2m, γ ∈ �}. Therefore,

wH (f ) = 2m + 2m−1(2m − 1) = 22m−1 + 2m−1 which implies that Wf (0,0) = −2m.Let (a, b) ∈ F2m × F2m such that both a and b are not zero simultaneously. We com-pute,

Wf (a, b) =∑

(x,y)∈F2m×F2m

(−1)f (x,y)+Tr(ax+by)

= −2∑

(x,y)∈supp(f )

(−1)Tr(ax+by)

= −2∑

y∈F2m

(−1)Tr(by) − 2∑

γ∈�

∑

y∈F∗2m

(−1)Tr((aγ+b)y)

= −2m+1δ0(b) − 2∑

γ∈�

⎛

⎝∑

y∈F2m

(−1)Tr((aγ+b)y) − 1

⎞

⎠

= −2m+1δ0(b) + 2m − 2∑

γ∈�

∑

y∈F2m

(−1)Tr((aγ+b)y)

= −2m+1δ0(b) + 2m − 2m+1∑

γ∈�

δ0(aγ + b)

Consider the following cases

Case 1. If b = 0 and a �= 0 then aγ �= 0 for all γ ∈ � which implies that δ0(aγ ) = 0for all γ ∈ �. Therefore, Wf (a,0) = −2m+1 + 2m = −2m for all a ∈ F

∗2m .

Case 2. If a = 0 and b �= 0, clearly δ0(b) = 0. Therefore, Wf (0, b) = 2m for allb ∈ F

∗2m .

Case 3. If a, b ∈ F∗2m , then the equation aγ + b = 0, for given a, b ∈ F

∗2m have an

unique solution in F2m as F2m is finite additive group. Now, consider the followingtwo subcases.

On second-order nonlinearity and maximum algebraic immunity

(i) If (a, b) ∈ F∗2m ×F

∗2m such that aγ +b = 0 for some γ0 ∈ �, then δ0(aγ +b) = 0

for all γ ∈ � except γ0 = γ . This implies that Wf (a, b) = 2m − 2m+1 = −2m.(ii) If (a, b) ∈ F

∗2m ×F

∗2m such that there exists no element γ ∈ � so that aγ +b = 0,

that is δ0(aγ + b) = 0 for all γ ∈ �. This implies that Wf (a, b) = 2m.

Thus, we have

Wf (a, b) = 2m(−1)f (a,b)

for all (a, b) ∈ F2m × F2m , where the support of f is given by

supp(f ) = {(x, γ x) : x ∈ F∗2m, γ ∈ �} ∪ {(x,0) : x ∈ F2m}.

This completes the theorem. �

Corollary 12 The algebraic degree of the Boolean function f as defined in Con-struction 1 is m.

Proof It is well known that deg(f ) ≥ AI(f ) for all the Boolean functions. Sincethe algebraic immunity of f ∈ B2m as defined in Construction 1 is AI(f ) = m andtherefore deg(f ) ≥ m. Moreover, since f is bent which implies that deg(f ) = m. �

Remark 13 The function f as defined in Construction 1 is of the form

f (x, y) = g

(x

y

)

+m∏

j=1

(xj ⊕ 1), x, y ∈ F2m, (15)

where g ∈ Bm be a balanced Boolean function with g(0) = 0.

5 Conclusion

In this article, a subclass of PS+ type bent functions modifying bent functions inPSap is constructed, and by using the conjecture proposed in [27] and BCH bound[22] it is demonstrated that the constructed functions have maximum algebraic im-munity and hence algebraic degree. Further, using the technique proposed in [16,Thm. 3.1], we deduce a sharper lower bound on second-order nonlinearities someD0 type bent functions constructed by modifying Dillon functions [6], and hence aclass of bent functions of maximum algebraic degree that have good lower boundof second-order nonlinearities is identified. To obtain r th-order nonlinearity (r > 2),that is, whole nonlinearity profile of the constructed bent functions is still an openproblem.

Acknowledgements The author would like to thank the anonymous referees for their valuable com-ments and suggestions that have helped in improving the presentation of the paper. The work is supportedby Council of Scientific and Industrial Research, New Delhi, India.

B.K. Singh

References

1. Armknecht, F.: Improving fast algebraic attacks. In: 11th International Workshop on Fast SoftwareEncryption—FSE-2004. LNCS, vol. 3017, pp. 65–82 (2004)

2. Braeken, A., Preneel, B.: On the algebraic immunity of symmetric Boolean functions. In: IN-DOCRYPT 2005. LNCS, vol. 3797, pp. 35–48 (2005)

3. Canteaut, A.: Open problems related to algebraic attacks on stream ciphers. In: WCC 2005. LNCS,vol. 3969, pp. 120–134 (2006)

4. Carlet, C.: Recursive lower bounds on the nonlinearity profile of Boolean functions and their applica-tions. IEEE Trans. Inf. Theory 54(3), 1262–1272 (2008)

5. Carlet, C.: More vectorial Boolean functions with unbounded nonlinearity profile. Int. J. Found. Com-put. Sci. 22(6), 1259–1269 (2011)

6. Tang, D., Carlet, C., Tang, X.: On the second-order nonlinearities of some bent functions. Inf. Sci.223, 322–330 (2013)

7. Carlet, C.: Boolean functions for cryptography and error correcting codes. In: Crama, Y., Hammer, P.(eds.) Boolean Models and Methods in Mathematics, Computer Science and Engineering, pp. 257–397. Cambridge Univ. Press, Cambridge (2010)

8. Carlet, C.: Two new classes of bent functions. In: Advances in Cryptology—EUROCRYPT 1993.LNCS, vol. 765, pp. 77–101 (1994)

9. Carlet, C., Feng, K.: An infinite class of balanced functions with optimal algebraic immunity, goodimmunity to fast algebraic attacks and good nonlinearity. In: Advances in Cryptology, ASIACRYPT2008. LNCS, vol. 5350, pp. 425–440 (2008)

10. Courtois, N., Meier, W.: Algebraic attacks on stream ciphers with linear feedback. In: Advances inCryptology, EUROCRYPT 2003. LNCS, vol. 2656, pp. 345–359 (2003)

11. Courtois, N.: Higher order correlation attacks, XL algorithm and cryptanalysis of Toyocrypt. In: Inter-national Conference on Information Security and Cryptology. LNCS, vol. 2587, pp. 182–199 (2003)

12. Dalai, D.K., Maitra, S., Sarkar, S.: Basic theory in construction of Boolean functions with maximumpossible annihilator immunity. Des. Codes Cryptogr. 40(1), 41–58 (2006)

13. Dillon, J.F.: Elementary Haddamard Difference Sets. Ph. D. thesis, University of Maryland, USA(1974)

14. Ding, C., Xiao, G., Shan, W.: The Stability Theory of Stream Ciphers. LNCS, vol. 561. Springer,Berlin (1991)

15. Fourquet, R., Tavernier, C.: An improved list decoding algorithm for the second order Reed-Mullercodes and its applications. Des. Codes Cryptogr. 49, 323–340 (2008)

16. Gangopadhyay, S., Singh, B.K.: On second-order nonlinearities of some D0 type bent functions.Fundam. Inform. 114(3–4), 271–285 (2012)

17. Garg, M., Gangopadhyay, S.: A lower bound of the second-order nonlinearities of Boolean bent func-tions. Fundam. Inform. 111(4), 413–422 (2011)

18. Golic, J.: Fast low order approximation of cryptographic functions. In: Advances in Cryptology, EU-ROCRYPT 1996. LNCS, vol. 1070, pp. 268–282 (1996)

19. Iwata, T., Kurosawa, K.: Probabilistic higher order differential attack and higher order bent functions.In: Advances in Cryptology, ASIACRYPT 1999. LNCS, vol. 1716, pp. 62–74 (1999)

20. Knudsen, L., Robshaw, M.: Non-linear approximations in linear cryptanalysis. In: Advances in Cryp-tology, EUROCRYPT 1996. LNCS, vol. 1070, pp. 224–236. Springer, Berlin (1996)

21. Lachaud, G., Wolfmann, J.: The weights of the orthogonals of the extended quadratic binary Goppacodes. IEEE Trans. Inf. Theory 36(3), 686–692 (1990)

22. MacWilliams, F.J., Sloane, N.J.A.: The Theory of Error Correcting Codes. North-Holland, Amster-dam (1977)

23. Meier, W., Pasalic, E., Carlet, C.: Algebraic attacks and decomposition of Boolean functions. In:Advances in Cryptology, EUROCRYPT 2004. LNCS, vol. 3027, pp. 474–491 (2004)

24. Qu, L., Feng, K., Liu, F., Wang, L.: Constructing symmetric Boolean functions with maximum alge-braic immunity. IEEE Trans. Inf. Theory 55(5), 2406–2412 (2009)

25. Rothaus, O.S.: On bent functions. J. Comb. Theory, Ser. A 20, 300–305 (1976)26. Shimoyama, T., Kaneko, T.: Quadratic relation of S-box and its application to the linear attack of full

round DES. In: Advanced in Cryptology: CRYPTO 1998. LNCS, vol. 1462, pp. 200–211. Springer,Berlin (1998)

27. Tu, Z., Deng, Y.: A conjecture about binary strings and its applications on constructing Booleanfunctions with optimal algebraic immunity. Des. Codes Cryptogr. 60(1), 1–14 (2011)

On second-order nonlinearity and maximum algebraic immunity

28. Wang, Q., Johansson, T.: A note on fast algebraic attacks and higher order nonlinearities. In: IN-SCRYPT 2010. LNCS, vol. 6584, pp. 404–414. Springer, Berlin (2010)

29. Wang, Q., Peng, J., Kan, H., Xue, X.: Constructions of cryptographically significant Boolean functionsusing primitive polynomials. IEEE Trans. Inf. Theory 56(6), 3048–3053 (2010)

30. Zeng, X., Carlet, C., Shan, J., Hu, L.: More balanced Boolean functions with optimal algebraic immu-nity and good nonlinearity and resistance to fast algebraic attacks. IEEE Trans. Inf. Theory IT-57(9),6310–6320 (2010)