Combinatorics of p-ary Bent Functions
MIDN 1/C Steven Walsh
United States Naval Academy
25 April 2014
Objectives
I
Introduction/Motivation
I
Definitions
I
Important Theorems
I
Main Results: Connecting Bent Functions to Combinatorical
Structures
I
Conclusion
Introduction/Motivation
I
Linear feedback shift register: a shift register in which inputs
are linear functions of their previous states
I
Can be used to generate pseudo-random sequences that can
be used as keystreams in a stream cipher system
I
Example: Fibonacci sequence (mod 2), defined by initial state
s0 = 0, s1 = 1 and recursive function sn = sn−1 + sn−2
(0,1,1,2,3,5,8,13,21...) → (0,1,1,0,1,1,0,1,1...)
I
LFSRs can be broken using the Berlekamp-Massey algorithm
Berlekamp-Massey algorithm
I
For a binary LFSR with key length n and maximal length
period 2n − 1, only 2n consecutive terms of the sequence are
required to determine the coefficients of the LFSR
I
Example: Fibonacci sequence mod 2, key length is 2 and
period is 3, so 4 digits are required to decode the LFSR
Example: choose a 4-bit subsequence (say, (0,1,1,0)) and use
the equation sn = c1 sn−1 + c2 sn−2 to solve for c1 and c2 and
thus, determine the key (c1 , c2 ):
1 = c1 (1) + c2 (0) ⇒ c1 = 1
0 = c1 (1) + c2 (1) = 1(1) + c2 (1) ⇒ c2 = 1
Implementing more secure cipher stream systems
LFSRs are very susceptible to decryption through various
techniques, including Berlekamp-Massey algorithm and brute force
attacks
To construct more secure keystreams, utilize bent, or perfectly
non-linear, functions
I
non-linearity will generate more random sequences
I
resistant to linear cryptanalysis
Definitions and Examples
Walsh-Hadamard transform
For f : GF (p)n → GF (p), the Walsh-Hadamard transform of f is a
complex-valued function on GF (p)n defined by:
P
Wf (u) =
ζ f (x)−hu,xi
x∈GF (p)n
where ζ = e 2πi/p (the pth root of unity).
f : GF (p)n → GF (p) is bent if
|Wf (u)| = p n/2
for all u ∈ GF (p)n .
Partial difference sets
I
Let G be a finite abelian group of order v
I
Let D be a subset of G with cardinality k
D is a (v , k, λ)-difference set if the multiset {d1 d2−1 | d1 , d2 ∈ D}
contains every non-identity element of G exactly λ times
D is a (v , k, λ, µ)-partial difference set (PDS) if the multiset
{d1 d2−1 | d1 , d2 ∈ D} contains every non-identity element of D
exactly λ times and every non-identity element of G \ D exactly µ
times
Cayley graphs
Constructing a Cayley graph:
I
Let G be a group, let D ⊂ G such that 1 ∈
/D
I
Let the vertices of the graph be elements of G
I
Two vertices g1 and g2 are connected by a directed edge from
g1 to g2 if g2 = dg1 for some d ∈ D
For a (v , k, λ, µ)-PDS D, the Cayley graph X (G , D) is a
srg-(v , k, λ, µ) if:
I
X (G , D) has v vertices such that each vertex is connected to
k other vertices
I
Distinct vertices g1 and g2 share edges with either λ or µ
common vertices
Bent function correspondences
Two known ways to determine whether a function is bent (for
p = 2)
I
Dillon correspondence: f : GP(2)n → GF (2) is bent if and
only if the level curve
f −1 (1) = {v ∈ GF (2)n | f (v ) = 1}
yields a difference set in GF (2)n with parameters
(v , k, λ) = (4m2 , 2m2 ± m, m2 ± m) for some integer m
I
Bernasconi correspondence: f : GF (2)n → GF (2) is bent if
and only if the Cayley graph of f is a srg-(2n , k, λ, µ), where
λ = µ and k = |{v ∈ GF (2)n | f (v ) 6= 0}|
Weighted partial difference sets
Let G be a finite abelian multiplicative group of order v and let D
be a subset of G of cardinality k. Decompose D into a union of
disjoint subsets
D = D1 ∪ D2 ∪ · · · ∪ Dd
and assume 1 ∈
/ D. Let |Di | = ki .
Weighted partial difference sets
D is a weighted partial difference set (PDS) if the following
properties hold:
I
The multiset
Di Dj−1 = {d1 d2−1 | d1 ∈ Di , d2 ∈ Dj }
represents every non-identity element of Dl exactly λi,j,l times
and every non-identity element of G \ D exactly µi,j times
(1 ≤ i, j, l ≤ d)
I
For each i ∈ {1, 2, ..., d}, ∃ j ∈ {1, 2, ..., d} such that
Di−1 = Dj (if Di−1 = Di for all i, then the weighted PDS is
symmetric)
Weighted Cayley Graphs
Construction of a weighted Cayley graph Xw (G , D) is similar to
that of a standard Cayley graph
I
Let G be a group, D a subset of G
I
Decompose D into a union of subsets D1 ∪ D2 ∪ · · · ∪ Dd
I
The vertices of the graph are the elements of G
I
Two vertices g1 and g2 are connected by an edge of weight k
if g1 = dg2 for some d ∈ Dk
PDS Example
I
G = GF (3)[x]/(x 2 + 1) =
{0, 1, 2, x, x + 1, x + 2, 2x, 2x + 1, 2x + 2} (GF (9), +)
I
D = {1, 2, x, 2x}
I
{d1 d2−1 | d1 , d2 ∈ D} = {0, 2, 1 + 2x, 1 + x, 0, 1, 2x + 2, x +
2, 0, x + 2, x + 1, 2x, 0, 2x + 2, 2x + 1, x}
So D is a (9,4,1,2) partial difference set.
Weighted PDS Example
I
G = GF (3)[x]/(x 2 + 1) =
{0, 1, 2, x, x + 1, x + 2, 2x, 2x + 1, 2x + 2} (additive group)
I
D1 = {1, 2}, D2 = {x, 2x}
I
{d1 d2−1 | d1 , d2 ∈ D1 } = {0, 2, 0, 1}
I
{d1 d2−1 | d1 ∈ D1 , d2 ∈ D2 } = {2x + 1, x + 1, x + 2, 2x + 2}
I
{d1 d2−1 | d1 , d2 ∈ D2 } = {0, 2x, 0, x}
λ1,1,1 = 1, λ1,1,2 = 0, µ1,1 = 0
λ1,2,1 = 0, λ1,2,2 = 0, µ1,2 = 1
λ2,2,1 = 0, λ2,2,2 = 1, µ2,2 = 0
Corresponding Cayley Graph
Using Level Curves as Weighted Partial Difference Sets
Let f : GF (p)n → GF (p) be a function. One possible way to
generate a weighted partial difference set is as follows:
I
G = GF (p)n
I
D0 = {0}
I
Di = f −1 (i) for i = 1, 2, ..., p − 1
I
Dp = f −1 (0) − {0}
Association schemes
I
S is a finite set
I
R0 , R1 , . . . , Rd binary relations on S
I
R0 = {(x, x) ∈ S × S | x ∈ S}
I
Ri∗ = {(x, y ) ∈ S × S | (y , x) ∈ Ri }
Then (S, R0 , R1 , . . . , Rd ) is a d-class association scheme if:
I
S × S = R0 ∪ R1 ∪ · · · ∪ Rd , with Ri ∩ Rj = ∅ for all i 6= j.
I
For each i, ∃ j such that Ri∗ = Rj
I
For all i, j and all (x, y ) ∈ S × S, define
pij (x, y ) = |{z ∈ S | (x, z) ∈ Ri , (z, y ) ∈ Rj }|.
For all k and for all (x, y ) ∈ Rk , pij (x, y ) is a constant,
denoted pijk .
Corresponding Weighted Partial Difference Sets to
Association Schemes
Let G be a group with a weighted partial difference set
D = D1 ∪ D2 ∪ · · · ∪ Dd
Construct an association scheme as follows:
I
S =G
I
R0 = {(g , g ) ∈ G × G | g ∈ G }
I
Ri = {(g , h) ∈ G × G | gh−1 ∈ Di , g 6= h} (for i = 1, 2, ..., d)
I
Rd+1 = {(g , h) ∈ G × G | gh−1 ∈
/ D, g 6= h}
Schur rings
I
G a finite abelian group
I
C0 , C1 , . . . , Cd finite subsets of G
I
identify each Ci as a formal sum of its elements in C[G ]
The subalgebra of C[G ] generated by C0 , C1 , . . . , Cd is a Schur
ring if:
I
C0 = {1}, the singleton containing the identity
I
G = C0 ∪ C1 ∪ · · · ∪ Cd , with Ci ∩ Cj = ∅ for all i 6= j
I
for each i, ∃ j such that Ci−1 = Cj
I
for all i, j,
Ci · Cj =
d
X
k=0
for some integers pijk
pijk Ck ,
Schur ring example
Let G = {ζ k | k ∈ Z, 0 ≤ k ≤ 5}, where ζ = e 2πi/6
D0 = {ζ 0 } = {1} , D1 = {ζ 2 , ζ 4 }, D2 = {ζ, ζ 3 , ζ 5 }
D1 · D2 = (ζ 2 + ζ 4 ) · (ζ + ζ 3 + ζ 5 )
= ζ3 + ζ5 + ζ7 + ζ5 + ζ7 + ζ9
= 2ζ + 2ζ 3 + 2ζ 5 = 2D2
By this same process,
D1 · D1 = 2D0 + D1
D2 · D2 = 3D0 + 3D1
Therefore, the intersection numbers for this Schur ring are:
0 = 2, p 1 = 1, p 2 = 0
p11
11
11
0 = 0, p 1 = 0, p 2 = 2
p12
12
12
0 = 3, p 1 = 3, p 2 = 0
p22
22
22
Adjacency matrices
I
I
S a finite set {s1 , s2 , · · · , sm }
R0 , R1 , · · · , Rd defined as above
The adjacency matrix of Rl is the m × m matrix Al whose (i, j)th
entry is 1 if (si , sj ) ∈ Rl or 0 otherwise We say that a subring
A1 , . . . , Ad of C[Mm×m (Z)] is an adjacency ring or Bose-Mesner
algebra if:
I
I
I
I
I
for each i ∈ {0, . . . , d}, Ai is a (0, 1)-matrix,
Pd
i=0 Ai = J (the all 1’s matrix),
for each i ∈ {0, . . . , d}, t Ai = Aj , for some j ∈ {0, . . . , d},
P
there is a subset J ⊂ {0, . . . , d} such that j∈J Aj = I , and
there is a set of non-negative integers
{pijk | i, j, k ∈ {0, . . . , d}} such that
Ai Aj =
d
X
k=0
for all such i, j.
pijk Ak ,
Constructing Adjacency Matrices
Constructing an adjacency matrix Ak from a weighted partial
difference set
I
Let G be a group of order v , D = D1 ∪ · · · ∪ Dd a weighted
PDS
I
Ak is a v × v matrix
(i, j)th entry = 1 if ~i − ~j ∈ Dk , 0 otherwise
I
Constructing an adjacency matrix Ak from a weighted Cayley
graph Xw (G , D):
I
Ak is a v × v matrix, where v = |G |
I
(i, j)th entry = 1 if vertices gi and gj are connected by an
edge of weight k
Adjacency Matrices for GF (9) Example







A1 = 












A2 = 





0
1
1
0
0
0
0
0
0
1
0
1
0
0
0
0
0
0
1
1
0
0
0
0
0
0
0
0
0
0
0
1
1
0
0
0
0
0
0
1
0
1
0
0
0
0
0
0
1
1
0
0
0
0
0
0
0
0
0
0
0
1
1
0
0
0
0
0
0
1
0
1
0
0
0
0
0
0
1
1
0

0
0
0
1
0
0
1
0
0
0
0
0
0
1
0
0
1
0
0
0
0
0
0
1
0
0
1
1
0
0
0
0
0
1
0
0
0
1
0
0
0
0
0
1
0
0
0
1
0
0
0
0
0
1
1
0
0
1
0
0
0
0
0
0
1
0
0
1
0
0
0
0
0
0
1
0
0
1
0
0
0

























Important Theorems
Intersection number-matrix theorem
G a finite abelian group, D0 , · · · , Dd ⊆ G such that Di ∩ Dj = ∅ if
i 6= j, and
I
G is the disjoint union of D0 ∪ · · · ∪ Dd
I
for each i there is a j such that Di−1 = Dj , and
l
P
pijk Dk for some positive integer pijk .
Di · Dj =
I
k=0
Then the matrices Pk = (pijk )0≤i,j≤d satisfy the following
properties:
I
P0 is a diagonal matrix with entries |D0 |, · · · , |Dd |
I
For each k, the jth column of Pk has sum |Dj | (j = 0, · · · , d).
Likewise, the ith row of Pk has sum |Di | (i = 0, · · · , d).
Intersection number-trace theorem
Let f : GF (p)n → GF (p) be a function, Γ be its Cayley graph.
Assume Γ is a weighted strongly regular graph. Let A = (ak,l ) be
i ) be the (0, 1)-matrix
the adjacency matrix of Γ. Let Ai = (ak,l
where
(
1 if ak,l = i
i
ak,l =
0 otherwise
for each i = 1, 2, . . . , p − 1. Let A0 = I . Let Ap be the
(0, 1)-matrix such that A0 + A1 + · · · + Ap−1 + Ap = J. The
intersection numbers pijk defined by
Ai Aj =
p
P
k=0
pijk Ak
satisfy the formula
pijk
=
for all i, j, k = 1, 2, . . . , p.
1
p n |Dk |
Tr (Ai Aj Ak )
Connections between intersection numbers
Let G = GF (p)n . Let D0 , · · · , Dd ⊆ G such that Di ∩ Dj = ∅ if
i 6= j, and
I
G is the disjoint union D0 ∪ · · · ∪ Dd
I
for each i there is a j such that Di−1 = Dj , and
l
P
Di · Dj =
pijk Dk for some positive integer pijk .
I
k=0
i .
Then, for all i, j, k, |Dk |pijk = |Di |pkj
Main Results
First result: even bent functions f : GF (3)2 → GF (3)
If f is an even, bent function such that f (0) = 0 and the level
curves f −1 (i) yield a weighted PDS then one of the following
occurs:
We have |D1 | = |D2 | = 2, and the intersection numbers pijk are
given as follows:
pij0
0
1
2
3
0
1
0
0
0
1
0
2
0
0
2
0
0
2
0
3
0
0
0
4
pij1
0
1
2
3
0
0
1
0
0
1
1
1
0
0
2
0
0
0
2
3
0
0
2
2
pij2
0
1
2
3
0
0
0
1
0
1
0
0
0
2
2
1
0
1
0
3
0
2
0
2
pij3
0
1
2
3
0
0
0
0
1
1
0
0
1
1
2
0
1
0
1
3
1
1
1
1
We have |D1 | = |D2 | = 4, D3 = ∅, and the intersection numbers
pijk are given as follows:
pij0
0
1
2
0
1
0
0
1
0
4
0
2
0
0
4
pij2
0
1
2
0
0
0
1
1
0
2
2
2
1
2
1
pij1
0
1
2
0
0
1
0
1
1
1
2
2
0
2
2
no pij3
Since D3 = ∅, there are no i, j such that Di Dj will produce
elements of D3 .
Chart of even bent functions
GF (3)2
b1
b2
b3
b4
b5
b6
b7
b8
b9
b10
b11
b12
b13
b14
b15
b16
b17
b18
(0, 0)
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
(1, 0)
1
2
1
2
0
1
0
2
0
2
0
2
1
1
0
0
2
1
(2, 0)
1
2
1
2
0
1
0
2
0
2
0
2
1
1
0
0
2
1
(0, 1)
1
1
2
0
2
0
1
0
2
2
0
1
2
0
1
0
1
2
(1, 1)
2
0
0
1
1
2
2
0
0
1
2
2
2
0
0
1
1
1
(2, 1)
2
0
0
0
0
0
0
1
1
1
1
1
1
2
2
2
2
2
(0, 2)
1
1
2
0
2
0
1
0
2
2
0
1
2
0
1
0
1
2
(1, 2)
2
0
0
0
0
0
0
1
1
1
1
1
1
2
2
2
2
2
(2, 2)
2
0
0
1
1
2
2
0
0
1
2
2
2
0
0
1
1
1
Second result: even bent functions f : GF (3)3 → GF (3)
If f is an even, bent function such that f (0) = 0 and the level
curves f −1 (i) yield a weighted PDS then one of the following
occurs:
We have |D1 | = 6, |D2 | = 12, and the intersection numbers pijk are
given as follows:
pij0
0
1
2
3
0
1
0
0
0
1 2 3
0 0 0
6 0 0
0 12 0
0 0 8
pij1
0
1
2
3
0
0
1
0
0
1
1
1
4
0
2
0
4
4
4
3
0
0
4
4
pij2
0
1
2
3
0
0
0
1
0
1
0
2
2
2
pij3
0
1
2
3
0
0
0
0
1
1
0
0
3
3
2
0
3
6
3
3
1
3
3
1
2
1
2
5
4
3
0
2
4
2
We have |D1 | = 12, |D2 | = 6, and the intersection numbers pijk are
given as follows:
pij0
0
1
2
3
0 1 2 3
1 0 0 0
0 12 0 0
0 0 6 0
0 0 0 8
pij1
0
1
2
3
0
0
1
0
0
1
1
5
2
4
2
0
2
2
2
3
0
4
2
2
pij2
0
1
2
3
0
0
0
1
0
pij3
0
1
2
3
0
0
0
0
1
1
0
6
3
3
2
0
3
0
3
3
1
3
3
1
1
0
4
4
4
2
1
4
1
0
3
0
4
0
4
Preserving structures under function composition
Suppose:
I
f : GF (p)n → GF (p) is an even function such that f (0) = 0
I
Di = f −1 (i) for i ∈ GF (p)
I
φ : GF (p)n → GF (p)n is a linear map that is invertible (i.e.,
det φ 6= 0 mod p)
I
g =f ◦φ
If the collection of sets D1 , D2 , · · · , Dp−1 forms a weighted partial
difference set for GF (p)n then so does its image under the function
φ.
Additionally, the Schur ring associated to the weighted partial
difference set of f is isomorphic to the Schur ring associated to the
weighted partial difference set of g .
Group action
Let G be a multiplicative group and let X be a set. G acts on X
(on the left) if there exists a map ρ : G × X → X such that:
I
ρ(1G , x) = x for all x ∈ X
I
ρ(g , ρ(h, x)) = ρ(gh, x) for all g , h ∈ G , x ∈ X
An orbit is any set of the form {ρ(g , x)|g ∈ G }; we call this the
orbit of x.
Proof of second result
Consider the set E of all functions f : GF (3)3 → GF (3) such that
I
f is even
I
f (0) = 0
I
the degree of the algebraic normal form of f is at most 4
There are 312 = 531, 441 such functions
Let B ⊆ E be the subset of bent functions
Let G = GL(3, GF (3)) be the set of linear automorphisms
φ : GF (3)3 → GF (3)3 . f ∈ E is equivalent to g ∈ E if and only if
f is sent to g under some element of G .
Proof (cont.)
signature of f : sequence of cardinalities of the level curves f −1 (1)
and f −1 (2).
All of the functions in each equivalence class have the same
signature.
I
35 unique signatures across all functions on GF (3)3
Mathematica was used to find all equivalence classes of functions
in E; 281 total equivalence classes, but only 4 classes consist of
bent functions.
Call these classes B1 , B2 , B3 , B4 ; then B = B1 ∪ B2 ∪ B3 ∪ B4
Two equivalence classes had signature (6,12) and two classes had
signature (12,6)
I
x12 + x22 + x32 represents B1 , a class of 234 functions of
signature (6,12)
I
x1 x3 + 2x22 + 2x12 x22 represents B2 , a class of 936 functions of
signature (6,12)
I
B3 = −B1 , B4 = −B2
We conclude through calculation that B1 corresponds with the first
condition of the theorem, while B3 corresponds to the second
condition. B2 and B4 do not yield weighted partial difference sets.
Conclusions/Further Research
I
Main result is only a partial characterization
I
I
Certain constraints on the functions
Reverse claim?
I
Characterization in GF (5)n
I
Developing non-linear cryptanalysis