Combinatorics of p-ary Bent Functions Steven Walsh April 25, 2014
advertisement
Combinatorics of p-ary Bent Functions
Steven Walsh∗
April 25, 2014
Abstract
In this paper, we investigate, from a combinatorical perspective,
a class of functions called p-ary bent functions, which are a class of
non-linear functions over finite fields that can be used to construct
more secure stream cipher cryptosystems. We will also examine partial difference sets, association schemes, and Schur rings. Ultimately,
we seek to explore the correlation between properties of weighted partial difference sets and bentness (see Question 12) and the correlation
between properties of Schur rings (and their association schemes) and
bentness (see Question 23). Finally, in our main result, we will prove
a partial characterization of bent functions in Theorem 25.
Contents
1 Introduction
2
2 Background and Definitions
3
3 Main Results
16
2
3.1 GF (3) → GF (3) . . . . . . . . . . . . . . . . . . . . . . . . . 16
3.2 GF (3)3 → GF (3) . . . . . . . . . . . . . . . . . . . . . . . . . 18
3.3 Proof of Theorem 25 . . . . . . . . . . . . . . . . . . . . . . . 20
4 Acknowledgements
∗
22
Honors thesis, United States Naval Academy Mathematics Department, 2014
1
1
Introduction
A linear feedback shift register (LFSR) is a shift register in which inputs are
linear functions of their previous states. LFSRs are very easy to implement;
all they require is an initial state and a recursive function that utilizes the
values it generates. One example of a LFSR is the Fibonacci sequence (mod
2), which is defined by the initial state x0 = 0, x1 = 1 and the recursive
function xn = xn−1 + xn−2 . The Fibonacci sequence (0, 1, 1, 2, 3, 5, 8, 13,
21...) is converted to binary code (0, 1, 1, 0, 1, 1, 0, 1, 1...) to produce a
repeating sequence. LFSRs are especially useful because they can be used to
generate pseudo-random sequences of numbers, which can be very helpful in
areas such as electronic communications and crpytography. One specific application of LFSRs is the generation of keystreams in stream cipher systems.
In a stream cipher system, the keystream is a pseudo-random sequence of elements of some abelian group which is added coordinate-wise to the plaintext,
which is also comprised of elements from the same group. This forms the
ciphertext, which the sender sends to the recipient. The sender and recipient
of the plaintext both have access to the keystream and the recipient simply
has to subtract each symbol of the keystream from the ciphertext to recover
the original message. Most stream cipher systems will utilize modular arithmetic so that the coordinate-wise differences of the elements in the plaintext
and the elements in the ciphertext are difficult to determine. We can start
with a plaintext message (for example, 0, 0, 1, 0, 1, 1, 0, 0, 0...) and add the
binary Fibonacci sequence bit-wise to produce the ciphertext (0, 1, 0, 0, 0,
0, 0, 1, 1...).
+
001011000
011011011
010000011
These pseudo-random sequences, although seemingly random, and hence
secure, can be broken relatively easily using the Berlekamp-Massey algorithm. This algorithm was first discovered in 1968 by Elwyn Berlekamp and
was used to decode BCH codes; the algorithm was refined by James Massey
to decode stream ciphers. If a binary LFSR of key length k has maximal
length period of 2k − 1, then the Berlekamp-Massey algorithm requires only
2n consecutive terms of the sequence in order to find the coefficients of the
smallest LFSR that will generate that sequence. Again we will use the Fibonacci sequence as an example. Recall the equation that generates the
2
sequence: xn = xn−1 + xn−2 . The key is (1, 1), thus it has length 2. The
binary sequence generated has period 3 = 22 −1. Therefore, any 4-bit portion
of the sequence can be used to determine that the coefficients of the function
are both 1. This particular LFSR can be broken by brute force by testing
the only other recurrence relation of length 2 over GF (2), xn = xn−2 . It can
also be broken with simple linear algebra: choose a 4-bit subsequence (say,
(0,1,1,0)) and use the equation xn = c1 xn−1 + c2 xn−2 to solve for c1 and c2
and thus, determine the key (c1 , c2 ):
1 = c1 (1) + c2 (0) ⇒ c1 = 1
0 = c1 (1) + c2 (1) = 1(1) + c2 (1) ⇒ c2 = 1
As we can see, some LFSRs are very susceptible to easy decryption.
One way to prevent the decryption of an LFSR is to extend the period
of the sequence to a very large length, which will slightly complicate the
use of the Berlekamp-Massey algorithm. However, this will only delay an
inevitable decryption. A better method to produce a pseudo-random sequence that is difficult to decrypt is to use a bent, or perfectly non-linear,
function as a “filter”. Sequences yielded by bent functions lose the periodicity of LFSRs, so these sequences are much more resistant to linear
cryptanalysis, therefore keeping messages and transactions more secure. To
demonstrate this, we will return to the Fibonacci sequence (mod 2). Let
f : GF (3)2 → GF (3) be defined by f (x0 , x1 ) = x0 x1 . Then we can use the
filter (f (x0 , x1 ), f (x1 , x2 ), f (x2 , x3 ), ...), where the xi are the elements of the
Fibonacci sequence (mod 2), to produce the sequence (0, 1, 0, 0, 1, 0, 0, 1,
0...) and use it as a keystream. This filtering is done as follows:
f (0, 1) = 0 · 1 = 0
f (1, 1) = 1 · 1 = 1
f (1, 0) = 1 · 0 = 0
2
Background and Definitions
Here we introduce the Dillon correspondence: John Dillon proved in his PhD
thesis [D] that when p = 2, a function f : GP (2)n → GF (2) is bent if and
only if the level curve f −1 (1) = {v ∈ GF (2)n | f (v) = 1} yields a difference
set in GF (2)n (more specifically, a Hadamard difference set). We will consider bent functions f : GP (p)n → GF (p), where p is a prime number, and
3
explore the level curves f −1 (i) = {v ∈ GF (p)n | f (v) = i} to try to achieve
analogous results.
Some essential definitions follow.
Definition 1. Every GF (p)-valued function over GF (p)n can be expressed
as a polynomial. In particular, there is a unique polynomial g(x) of minimal degree called the algebraic normal form (analogous to the LaGrange
interpolation theorem). Let f : GF (p)n → GF (p). Then
g(x) =
X
v∈GF (p)n
f (v)
n−1
Y
i=0
!
p−1
Y
1
(j + vi − xi )
(p − 1)! j=1
(1)
This definition is explored more thoroughly in [CJMPW].
Definition 2. For a function f : GF (p)n → GF (p), the Walsh-Hadamard
transform of f is a complex-valued function on GF (p)n defined by:
X
Wf (u) =
ζ f (x)−hu,xi
(2)
x∈GF (p)n
where ζ = e2πi/p (i.e. the pth root of unity).1
Definition 3. A function f : GF (p)n → GF (p) is bent if
|Wf (u)| = pn/2
for all u ∈ GF (p)n .
Definition 4. Let G be a finite abelian multiplicative group of order v and
let D be a subset of G with order k. D is a (v, k, λ)-difference set if the
multiset {d1 d−1
| d1 , d2 ∈ D} represents every non-identity element of G
2
exactly λ times.
Remark 5. A Hadamard difference set has the parameters (v, k, λ) = (4n2 , 2n2 ±
n, n2 ± n) for some integer n.
1
This function is well-defined because if x1 , x2 are integers such that x1 ≡ x2 (mod p),
then we can say x2 = kp + x1 , k ∈ Z; then ζ x2 = ζ kp ζ x1 = ζ x1
4
Definition 6. Let G be a finite abelian multiplicative group of order v and
let D be a subset of G with order k. D is a (v, k, λ, µ)-partial difference
set (PDS) if the multiset {d1 d−1
2 | d1 , d2 ∈ D} represents every non-identity
element of D exactly λ times and every non-identity element of G \ D exactly
µ times.
Remark 7. The complement of a partial difference set is a partial difference
set. (see [MW])
Notation: For any subsets S1 and S2 of a group G, S1−1 = {−s1 | s1 ∈
S1 }, and S1 S2 = {s1 s2 | s1 ∈ S1 , s2 ∈ S2 }. As elements of C[G], the product
S1 S2 is similar.
In order to reach many of our conclusions, it is also required that D =
D−1 .
Definition 8. The Cayley graph X(G, D) is a graph constructed as follows:
from a subset D of G, let the vertices of the graph be the elements of the
group G. Two vertices g1 and g2 are connected by a directed edge from g1
to g − 2 if g2 = dg1 for some d ∈ D.
If D is a partial difference set such that λ 6= µ, then D = D−1 . Thus,
if g2 = dg1 , then g1 = d−1 g2 , so the Cayley graph X(G, D) is an undirected
graph.
Definition 9. For a (v, k, λ, µ)-PDS D, the Cayley graph X(G, D) is a
(v, k, λ, µ)-strongly regular graph if:
• X(G, D) has v vertices such that each vertex is connected to k other
vertices
• Distinct vertices g1 and g2 share edges with either λ or µ common
vertices
The neighborhood of a vertex g is the set N (g) = {g 0 ∈ G | g and g 0 are
connected}.
Here we introduce the Bernasconi correspondence: Bernasconi et al proved
in [BC] and [BCV] that when p = 2, a function f : GF (p)n → GF (p) is bent
if and only if the Cayley graph of f is a strongly regular graph having parameters srg(2n , k, λ, µ), where λ = µ and k = |supp(f )|.
5
The following theorem is a known fact; we will prove it to enforce understanding.
Theorem 10. Let G be an abelian multiplicative group and let D ⊆ G be
a subset such that 1 6∈ D. D is a (v, k, λ, µ)-PDS such that D = D−1 if and
only if the associated Cayley graph X(G, D) is a (v, k, λ, µ)-strongly regular
graph.
Proof. Suppose D is a (v, k, λ, µ)-PDS such that D = D−1 . Then X(G, D)
has v vertices. D has k elements, and each vertex g of X(G, D) has neighbors
dg, d ∈ D. Therefore, X(G, D) is regular, degree k. Let g1 and g2 be distinct
vertices in X(G, D). Let x be a vertex that is a common neighbor of g1 and
g2 , i.e. x ∈ N (g1 ) ∩ N (g2 ). Then x = d1 g1 = d2 g2 for some d1 , d2 ∈ D,
−1
−1
which implies that d1 d−1
2 = g1 g2 . If g1 g2 ∈ D, then there are exactly λ
ordered pairs (d1 , d2 ) that satisfy the previous equation (by Definition 3). If
g1−1 g2 ∈
/ D, then g1−1 g2 ∈ G \ D, so there are exactly µ ordered pairs (d1 , d2 )
that satisfy the equation. If g1−1 g2 ∈ D, then g2 = dg1 for some d ∈ D, so g1
and g2 are adjacent. By a similar argument, if g1−1 g2 ∈ G \ D, then g1 and
g2 are not adjacent. So X(G, D) is a (v, k, λ, µ)-strongly regular graph.
Conversely, suppose X(G, D) is a (v, k, λ, µ)-strongly regular graph. If
X(G, D) is undirected, then for vertices g1 and g2 , there is an edge from g1
to g2 if and only if there is an edge from g2 to g1 . This means that g1 = d1 g2
if and only if g2 = d2 g1 , for some d1 , d2 ∈ D. This implies that d2 = d−1
1 ,
so D = D−1 . By definition, g1 and g2 are connected by an edge if and only
if g1 = dg2 , d ∈ D. Since X(G, D) is (v, k, λ, µ)-strongly regular, it is kregular, so the order of D is k. Let x be a vertex in X(G, D) such that
x ∈ N (g1 ) ∩ N (g2 ). Then x = d1 g1 = d2 g2 for some d1 , d2 ∈ D, which implies
that d1 d−1
= g1−1 g2 . If g1 and g2 are adjacent, then g1−1 g2 ∈ D, so there
2
are exactly λ ordered pairs (d1 , d2 ) that satisfy the previous equation. If g1
and g2 are not adjacent, then g1−1 g2 ∈ G \ D, so there are exactly µ ordered
pairs (d1 , d2 ) that satisfy the equation. Therefore, D is a (v, k, λ, µ)-PDS and
D = D−1 . This notion of a partial difference set can be further explored by constructing “weighted partial difference sets”.
Let G be a finite abelian multiplicative group of order v and let D be a
subset of G of order k. Decompose D into a union of disjoint subsets
D = D1 ∪ D2 ∪ · · · ∪ Ds
6
and assume 1G ∈
/ D. Let ki = |Di |.
Definition 11. D is a weighted (v, k, λ, µ)-PDS if the following properties
hold:
• The multiset
Di Dj−1 = {d1 d−1
2 | d1 ∈ Di , d2 ∈ Dj }
represents every non-identity element of Dl exactly λi,j,l times and every
non-identity element of G − D exactly µi,j times (1 ≤ i, j, l ≤ s).
• For each i ∈ {1, 2, ..., s}, there exists a j ∈ {1, 2, ..., s} such that Di−1 =
Dj (if Di−1 = Di for all i, then the weighted PDS is symmetric).
For an even function f : GF (p)n → GF (p) (i.e. a function such that
f (x) = f (−x)), one possible method of constructing a weighted partial difference set on GF (p)n is to use the level curves of the function. In other
words, we can construct each individual Di as the set f −1 (i), (1 ≤ i ≤ p − 1),
and produce a weighted partial difference set. This does not work for all
cases; with some functions, some of the level curves are empty, and these
functions do not behave as well as those where all of the level curves are
non-empty.
Next we will introduce one of the questions that we will explore in this
paper.
Question 12. For an even function f : GF (p)n → GF (p) such that the
sets Di = f −1 (i) form a weighted partial difference set on GF (p)n , what
properties of this weighted partial difference set imply that f is bent?
Note: to clarify, we take D0 to be the set containing only the zero element
of GF (p)n , while Dp is the set GF (p)n \ (D0 ∪ D1 ∪ . . . ∪ Dp−1 ). In other
words, Dp contains all of the elements v besides the zero element such that
f (v) = 0.
Weighted partial difference sets can be reformulated in terms of the more
familiar concept of association schemes.
Definition 13. Let S be a finite set and let R0 , R1 , . . . , Rs denote binary
relations on S (subsets of S × S). The dual of a relation R is the set
7
R∗ = {(x, y) ∈ S × S | (y, x) ∈ R}.
Assume R0 = ∆S = {(x, x) ∈ S × S | x ∈ S}. We say (S, R0 , R1 , . . . , Rs ) is
a s-class association scheme on S if the following properties hold.
• We have a disjoint union
S × S = R0 ∪ R1 ∪ · · · ∪ Rs ,
with Ri ∩ Rj = ∅ for all i 6= j.
• For each i there is a j such that Ri∗ = Rj (and if Ri∗ = Ri for all i then
we say the association scheme is symmetric).
• For all i, j and all (x, y) ∈ S × S, define
pij (x, y) = |{z ∈ S | (x, z) ∈ Ri , (z, y) ∈ Rj }|.
For all k and for all (x, y) ∈ Rk , pij (x, y) is a constant, denoted pkij .
Definition 14. Let S be a finite set {s1 , s2 , · · · , sm } (of cardinality m) and
define R0 , R1 , · · · , Rs as above. The adjacency matrix of a set Rl is the m×m
matrix Al whose (i, j)th entry is 1 if (si , sj ) ∈ Rl or 0 otherwise.
Definition 15. Let (S, R0 , . . . , Rs ) denote a tuple consisting of a finite
abelian group S of order m with relations Ri for which we have a disjoint
union
S × S = R0 ∪ R1 ∪ · · · ∪ Rs ,
with Ri ∩ Rj = ∅ for all i 6= j. Let Ai denote the m × m adjacency matrix
of Ri , i = 0, 1, . . . , s.
We say that a subring of C[Mm×m (Z)] (where Mm×m (Z) is the ring of all
integer-valued m × m matrices) is an adjacency ring (also called the BoseMesner algebra) provided the set of adjacency matrices satisfies the following
properties:
• for each integer i ∈ [0, d], Ai is a (0, 1)-matrix,
Ps
•
i=0 Ai = J (the all 1’s matrix),
8
• for each integer i ∈ [0, d], t Ai = Aj , for some integer j ∈ [0, d],
P
• there is a subset J ⊂ G such that j∈J Aj = I, and
• there is a set of non-negative integers {pkij | i, j, k ∈ [0, . . . , d]} such
that
Ai Aj =
d
X
pkij Ak ,
k=0
for all such i, j.
It is well-known that a PDS (G, D) is naturally associated to a 2-class
association scheme, namely (G, R0 , R1 , R2 ) where
R0 = ∆G = {(g, g) | g ∈ G},
R1 = {(g, h) | gh−1 ∈ D},
R2 = {(g, h) | gh−1 ∈
/ D}.
To verify this, consider the “Schur ring.”
For the following definition, we identify any subset S of G with the formal
sum of its elements in C[G].
Definition 16. Let G be a finite abelian group and let C0 , C1 , . . . , Cs denote
finite subsets of G. The subalgebra of C[G] generated by C0 , C1 , . . . , Cs is
called a Schur ring over G if it satisfies the following conditions:
• C0 = {1} is the singleton containing the identity.
• We have a disjoint union
G = C0 ∪ C1 ∪ · · · ∪ Cs ,
with Ci ∩ Cj = ∅ for all i 6= j.
• for each i there is a j such that Ci−1 = Cj (and if Ci−1 = Ci for all i
then we say the Schur ring is symmetric).
9
• for all i, j, we have
Ci · Cj =
d
X
pkij Ck ,
k=0
for some integers pkij (these are sometimes referred to as the intersection
numbers).
Example 17. Let G = {ζ k | k ∈ Z, 0 ≤ k ≤ 5}, where ζ = e2πi/6 (G is the
set of the 6th roots of unity). Define
D0 = {ζ 0 } = {1} , D1 = {ζ 2 , ζ 4 }, D2 = {ζ, ζ 3 , ζ 5 }.
Clearly G is the disjoint union D0 ∪ D1 ∪ D2 and each Di is symmetric.
We compute D1 D2 , for instance, as follows:
D1 · D2 = (ζ 2 + ζ 4 ) · (ζ + ζ 3 + ζ 5 )
= ζ3 + ζ5 + ζ7 + ζ5 + ζ7 + ζ9
= 2ζ + 2ζ 3 + 2ζ 5 = 2D2
By this same process,
D1 · D1 = 2D0 + D1
D2 · D2 = 3D0 + 3D1
Therefore, the intersection numbers for this Schur ring are:
p011 = 2, p111 = 1, p211 = 0
p012 = 0, p112 = 0, p212 = 2
p022 = 3, p122 = 3, p222 = 0
Example 18. For another example of a Schur ring, we return to the PDS,
(G, D). Let
D0 = G \ (D ∪ {1}).
Note that
10
D · D = (k − µ) · I + (λ − µ) · D + µ · G,
(3)
D · D0 = (−k + µ) · 1 + (−1 − λ + µ) · D + (k − µ) · G.
(4)
and
With these equations, one can verify that a PDS naturally yields an associated Schur ring, generated by D, D0 , and D0 = {1} in C[G], and a 2-class
association scheme.
We will now state a more general proposition concerning weighted partial
difference sets.
Proposition 19. Let G be a finite abelian group. Let D0 , · · · , Ds ⊆ G such
that Di ∩ Dj = ∅ if i 6= j, and
• G is the disjoint union D0 ∪ · · · ∪ Ds
• for each i there is a j such that Di−1 = Dj , and
• Di · Dj =
l
P
pkij Dk for some positive integer pkij .
k=0
Then the matrices Pk = (pkij )0≤i,j≤l satisfy the following properties:
• P0 is a diagonal matrix with entries |D0 |, · · · , |Ds |
• For each k, the jth column of Pk has sum |Dj | (j = 0, · · · , l). Likewise,
the ith row of Pk has sum |Di | (i = 0, · · · , l).
Proof. We begin by taking the sum
Di · Dj =
l
P
pkij Dk
k=0
over all i, 0 ≤ i ≤ l.
G · Dj =
l P
l
P
( pkij )Dk
k=0 i=0
We know that G · Dj = |Dj | · G, and all the Dk are disjoint. As an identity
in the Schur ring, each element of G must occur |Dj | times on each side of
this equation. Therefore,
11
|Dj | =
l
P
pkij .
i=0
So the sum of the elements in the jth row of Pk is |Dj | for each j and k. The
analogous claim for the row sums is proven similarly. We will begin a series of propositions concerning intersection numbers
with the Matrix Walk theorem. Suppose we have an edge-weighted graph,
with weighted adjacency matrix A = (aij ), where aij = w if (i, j) is an edge
of the graph with weight w, and aij = 0 otherwise. Here, i, j run over all
vertices of the graph. For each weight w, let Aw = (aij (w)), where aij (w) = 1
if (i, j) is an edge of weight w, and aij (w) = 0 otherwise. Clearly, for w 6= w0 ,
the non-zero entries of Aw are distinct from the non-zero entries of Aw0 . Let
Aw Aw0 = (aij (w, w0 )). Then aij (w, w0 ) is the number of walks of length 2 from
i to j, where the first edge has weight w and the second edge has weight w0 ,
and aij (w, w0 ) = 0 if there is no such walk.
Theorem 20. Let f : GF (p)n → GF (p) be a function and let Γ be its
Cayley graph. Assume Γ is a weighted strongly regular graph. Let A = (ak,l )
be the adjacency matrix of Γ. Let Ai = (aik,l ) be the (0, 1)-matrix where
(
1 if ak,l = i
aik,l =
0 otherwise
for each i = 1, 2, . . . , p − 1. Let A0 be the pn × pn identity matrix. Let Ap
be the (0, 1)-matrix such that A0 + A1 + · · · + Ap−1 + Ap = J, the pn ×
pn matrix with all entries 1. Let R denote the matrix ring generated by
{A0 , A1 , · · · , Ap }. The intersection numbers pkij defined by
p
P
Ai Aj =
pkij Ak
k=0
satisfy the formula
pkij
=
1
pn |Dk |
for all i, j, k = 1, 2, . . . , p.
12
T r(Ai Aj Ak )
Proof. By the Matrix-Walk Theorem, Ai Aj can be considered as counting
walks along the Cayley graph of specific edge weights. Supposed (u, v) is an
edge of Γ with weight k. If k = 0, then u = v and the edge is a loop. If
k = p, then (u, v) is technically not an edge in Γ, but we will label it as an
edge of weight p.
The (u, v)-th entry of Ai Aj is the number of walks of length 2 from u to
v where the first edge has weight i and the second edge has weight j; the
entry is 0 if no such walk exists. If we consider the (u, v)-th entry on each
side of the equation
p
P
pkij Ak
Ai Aj =
k=0
pkij
we can deduce that
is the number of walks of length 2 from u to v where
the first edge has weight i and the second edge has weight j (it equals 0 if
no such walk exists) for any edge (u, v) with weight k in Γ.
Similarly, the Matrix-Walk Theorem implies that T r(Ai Aj Ak ) is the total
number of walks of length 3 having edge weights i, j, k. We claim that if
4 is any triangle with edge weights i, j, k, then by subtracting an element
v ∈ GF (p)n , we will obtain a triangle in Γ containing the zero vector as a
vertex with the same edge weights. Suppose 4 = (u1 , u2 , u3 ), where (u1 , u2 )
has edge weight i, (u2 , u3 ) has edge weight j, and (u3 , u1 ) has edge weight k.
Let 40 = (0, u2 − u1 , u3 − u1 ). We compute the edge weights of 40 :
edge weight of (0, u2 − u1 ) = f ((u2 − u1 ) − 0) = f (u2 − u1 ) = i
edge weight of (u2 − u1 , u3 − u1 ) = f ((u3 − u1 ) − (u2 − u1 ) = f (u3 − u2 ) = j
edge weight of (u3 − u1 , 0) = f (0 − (u3 − u1 )) = f (u1 − u3 ) = k
Thus the claim is proven.
Therefore,
1
|GF (p)n |
T r(Ai Aj Ak ) =
1
pn
T r(Ai Aj Ak )
is the number of closed walks of length 3 having edge weights i, j, k and containing the zero vector as a vertex, incident to the edge of weight i and the
edge of weight k.
13
There are |Dk | edges incident to the zero vector, so
1
1
T r(Ai Aj Ak )
pn
|Dk |
is the number of walks of length 2 from the zero vector to any neighbor of it
along an edge of weight k. This is equivalent to the definition of the number
pkij in the Matrix-Walk Theorem. The following proposition is from [CvL] (page 202).
Proposition 21. Let G = GF (p)n . Let D0 , · · · , Ds ⊆ G such that Di ∩Dj =
∅ if i 6= j, and
• G is the disjoint union of D0 ∪ · · · ∪ Ds
• for each i there is a j such that Di−1 = Dj , and
• Di · Dj =
l
P
pkij Dk for some positive integer pkij .
k=0
Then, for all i, j, k, |Dk |pkij = |Di |pikj .
Proof. For all i, j, k, we have the following identity of adjacency matrices:
Tr(Ai Aj Ak ) = pn |Dk |pkij
where pn is the order of G and pkij is an intersection number. Since Tr(AB)
= Tr(BA) for all matrices A and B, Tr(Ai Aj Ak ) = Tr(Ak Aj Ai ), and the
proposition follows. We can apply this concept to a weighted partial difference set and achieve
similar results. If G is a set and D = D1 ∪ D2 ∪ · · · ∪ Ds (all Di distinct) is
a weighted partial difference set of G, then we can construct an association
scheme as follows:
• Define R0 = ∆G = {(x, x) ∈ G × G | x ∈ G}.
• For 1 ≤ i ≤ s, define Ri = {(x, y) ∈ G × G | xy −1 ∈ Di , x 6= y}
• Define Rs+1 = {(x, y) ∈ G × G | xy −1 ∈
/ D, x 6= y}
14
Proposition 22. The collection (G, R0 , R1 , . . . , Rs , Rs+1 ) as defined above
produces an association scheme of class s + 1.
Proof. Consider the subring S of C[G] generated by D0 , · · · , Ds+1 , where
D0 = {1} and Ds+1 = G \ (D ∪ {1}). First, we show that S is a Schur ring.
−1
We know that for 0 ≤ i ≤ s, Di−1 = Dj for some j. Ds+1
= Ds+1 because (G, D) is a partial difference set if and only if (G, G \ D) is a partial
difference set.
We can then compute Di · Dj in C[G]; by the definition of a weighted partial
difference set,
s
P
Di · Dj = αij · 1 +
λi,j,l Dl + µi,j Ds+1
l=1
for some integer αij . So the Schur ring decomposition formula
Di · Dj =
s+1
P
pkij Dk
0
holds for some integer pkij .
Next, we will show that for all i, j, k ∈ {0, · · · , s + 1} and for (x, y) ∈ Rk ,
|{z ∈ G|(x, z) ∈ Ri , (z, y) ∈ Rj }|
is a constant that depends only on k (and i, j).
Choose (x, z) ∈ Ri , (z, y) ∈ Rj ; then xz −1 ∈ Di , zy −1 ∈ Dj . Consider
(xz −1 )(zy −1 ) = xy −1 ∈ Di · Dj . This is independent of z. There are exactly
pkij such elements z by the Schur ring structure identity, since every element
in Dk (e.g. xy −1 ) is repeated pkij times. With this additional structure on GF (p)n , we can ask another question.
Question 23. For an even function f : GF (p)n → GF (p), suppose that the
sets Di = f −1 (i) form a weighted partial difference set on GF (p)n . What
properties of the associated Schur ring and p-class association scheme imply
that f is bent?
15
We can begin exploring Question 1 with a table that displays the values
of all even bent functions GF (3)2 → GF (3) sending 0 to 0. There are exactly
18 such functions.
GF (3)2
b1
b2
b3
b4
b5
b6
b7
b8
b9
b10
b11
b12
b13
b14
b15
b16
b17
b18
(0, 0)
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
(1, 0)
1
2
1
2
0
1
0
2
0
2
0
2
1
1
0
0
2
1
(2, 0)
1
2
1
2
0
1
0
2
0
2
0
2
1
1
0
0
2
1
(0, 1)
1
1
2
0
2
0
1
0
2
2
0
1
2
0
1
0
1
2
(1, 1)
2
0
0
1
1
2
2
0
0
1
2
2
2
0
0
1
1
1
(2, 1)
2
0
0
0
0
0
0
1
1
1
1
1
1
2
2
2
2
2
(0, 2)
1
1
2
0
2
0
1
0
2
2
0
1
2
0
1
0
1
2
(1, 2)
2
0
0
0
0
0
0
1
1
1
1
1
1
2
2
2
2
2
(2, 2)
2
0
0
1
1
2
2
0
0
1
2
2
2
0
0
1
1
1
The algebraic normal form of these functions are:
b1 = x20 + x21 ,
b5 = −x0 x1 − x21 ,
b9 = x0 x1 − x21 ,
b2 = −x20 + x21 ,
b6 = x20 + x0 x1 ,
b10 = −x20 − x21 ,
b13 = x20 − x0 x1 − x21 ,
b16 = x0 x1 ,
b3 = x20 − x21 ,
b4 = −x20 − x0 x1 ,
b7 = x0 x1 + x21 ,
b11 = −x0 x1 ,
b14 = x20 − x0 x1 ,
b17 = −x20 + x0 x1 + x21 ,
b8 = −x20 + x0 x1 ,
b12 = −x20 − x0 x1 + x21 ,
b15 = −x0 x1 + x21 ,
b18 = x20 + x0 x1 − x21 .
The table and list of functions are from [CJMPW].
3
3.1
Main Results
GF (3)2 → GF (3)
By exhaustive case-by-case analysis, we have made an observation in the case
of functions from GF (3)2 to GF (3).
Theorem 24. Let f : GF (3)2 → GF (3) be an even bent function with
f (0) = 0. If the level curves of f ,
16
Di = {v ∈ GF (3)2 | f (v) = i},
yield a weighted PDS with intersection numbers pkij then one of the following
occurs.
1. We have |D1 | = |D2 | = 2, and the intersection numbers pkij are given
as follows:
p0ij
0
1
2
3
0
1
0
0
0
1
0
2
0
0
2
0
0
2
0
3
0
0
0
4
p1ij
0
1
2
3
0
0
1
0
0
1
1
1
0
0
2
0
0
0
2
3
0
0
2
2
p2ij
0
1
2
3
0
0
0
1
0
1
0
0
0
2
2
1
0
1
0
3
0
2
0
2
p3ij
0
1
2
3
0
0
0
0
1
1
0
0
1
1
2
0
1
0
1
3
1
1
1
1
2. We have |D1 | = |D2 | = 4, D3 = ∅, and the intersection numbers pkij are
given as follows:
p0ij
0
1
2
0
1
0
0
1
0
4
0
2
0
0
4
p2ij
0
1
2
0
0
0
1
1
0
2
2
2
1
2
1
p1ij
0
1
2
0
0
1
0
1
1
1
2
2
0
2
2
no p3ij
Since D3 = ∅, there are no i, j such that Di Dj will produce elements
of D3 .
17
3.2
GF (3)3 → GF (3)
We also pose the following theorem in the case of functions from GF (3)3 to
GF (3):
Theorem 25. Let f : GF (3)3 → GF (3) be an even bent function with
f (0) = 0. If the level curves of f ,
Di = {v ∈ GF (3)3 | f (v) = i},
yield a weighted PDS with intersection numbers pkij then one of the following
occurs.
1. We have |D1 | = 6, |D2 | = 12, and the intersection numbers pkij are
given as follows:
p0ij
0
1
2
3
0
1
0
0
0
1 2 3
0 0 0
6 0 0
0 12 0
0 0 8
p1ij
0
1
2
3
0
0
1
0
0
1
1
1
4
0
2
0
4
4
4
3
0
0
4
4
p2ij
0
1
2
3
0
0
0
1
0
1
0
2
2
2
p3ij
0
1
2
3
0
0
0
0
1
1
0
0
3
3
2
0
3
6
3
3
1
3
3
1
2
1
2
5
4
3
0
2
4
2
2. We have |D1 | = 12, |D2 | = 6, and the intersection numbers pkij are
given as follows:
18
p0ij
0
1
2
3
0 1 2 3
1 0 0 0
0 12 0 0
0 0 6 0
0 0 0 8
p1ij
0
1
2
3
0
0
1
0
0
1
1
5
2
4
2
0
2
2
2
3
0
4
2
2
p2ij
0
1
2
3
0
0
0
1
0
p3ij
0
1
2
3
0
0
0
0
1
1
0
6
3
3
2
0
3
0
3
3
1
3
3
1
1
0
4
4
4
2
1
4
1
0
3
0
4
0
4
Next, we examine the effect of the group action GL(n, GF (p)) (the group
of n × n invertible matrices with entries in GF (p)) on bent functions and the
corresponding weighted PDSs.
Proposition 26. Let f : GF (p)n → GF (p) be an even function such that
f (0) = 0 and define Di = f −1 (i) for i ∈ GF (p). Suppose φ : GF (p)n →
GF (p)n is a linear map that is invertible (i.e., det φ 6= 0 mod p). Define
the function g = f ◦ φ. If the collection of sets D1 , D2 , · · · , Dp−1 forms a
weighted partial difference set for GF (p)n then so does its image under the
function φ.
Proof. We can explore this question by utilizing the Schur ring generated by
the sets Di .
Recall that (D1 , D2 , · · · , Dp−1 ) forms a weighted partial difference set for
GF (p)n if and only if (C0 , C1 , C2 , · · · , Cp ) forms a Schur ring, where
C0 = {0}
C1 = D1 , · · · , Cp−1 = Dp−1
Cp = GF (p)n − (C0 ∪ · · · ∪ Cp−1 )
Ci · Cj =
p
P
ρkij Ck ,
k=0
for some intersection numbers ρkij . Note that f is even, so Ci = Ci−1 for all
i, where Ci−1 = {−x | x ∈ Ci }.
Define Si = g −1 (i) = {v ∈ GF (p)n | g(v) = i}. Di = f −1 (i) = (g ◦
19
φ−1 )−1 (i) = (φ · g −1 )(i) = φ(Si ). So the map φ sends Si to Di . φ can be
extended to a map from C[GF (p)n ] → C[GF (p)n ] such that φ(x1 + x2 ) =
φ(x1 ) + φ(x2 ) and φ(Si ) = Di . So φ is a homomorphism from the Schur
ring of g to the Schur ring of f . Therefore, the level curves of g give rise to
a Schur ring, and the weighted partial difference set generated by f is sent
to a weighted partial difference set generated by g under the map φ−1 . We
conclude that the Schur ring of g corresponds to a weighted partial difference
set for GF (p)n , which is the image of that for f . Remark 27. If f is bent, then g is the composition of a bent function and
an affine function, so it is also bent.
The above proof has the following corollary.
Corollary 28. Assuming the same hypothesis as in Proposition 26, the Schur
ring associated to the weighted partial difference set of f (as in the proof
above) is isomorphic to the Schur ring associated to the weighted partial
difference set of g.
Definition 29. Let G be a multiplicative group and let X be a set. G acts
on X (on the left) if there exists a map ρ : G × X → X such that:
• ρ(1G , x) = x for all x ∈ X
• ρ(g, ρ(h, x)) = ρ(gh, x) for all g, h ∈ G, x ∈ X
An orbit is any set of the form {ρ(g, x) | g ∈ G}; we call this the orbit of x.
3.3
Proof of Theorem 25
We will now prove Theorem 25.
Proof. One way to investigate this theorem is to partition the set of even functions into equivalence classes with respect to the group action of GL(3, GF (3)),
then pick a representative from each class and test for bentness. Once we
know which orbits under GL(3, GF (3)) are bent, we can check the conjecture
and the question for a representative from each orbit.
Consider the set E of all functions f : GF (3)3 → GF (3) such that
• f is even,
20
• f (0) = 0, and
• the degree of the algebraic normal form of f is at most 4.
We limit the degree to 4 because [CM] proved that this is the maximal
degree for bent functions.
Let B be the set of all bent functions in E. Recall the signature of f is
the sequence of cardinalities of the level curves
Di = {x ∈ GF (3)3 | f (x) = i}.
If f is bent, then so is f ◦ φ, for φ in G. We next note that the size
of the level curves f −1 (1) and f −1 (2) is the same for all functions in each
equivalence class. There are 120120 elements of E of signature (6, 12) or
(12, 6).
Mathematica was then used to find that there are a total of 281 equivalence classes of functions in E under the action of GL(3, GF (3)). Of these,
4 classes consist of bent functions.
There were two equivalence classes of bent functions of type |D1 | = 6 and
|D2 | = 12. The other two bent classes were of type |D1 | = 12 and |D2 | = 6
and consisted of the negatives of the functions in the first two classes. We
will call the classes B1 , B2 , B3 , and B4 :
B/G = B1 ∪ B2 ∪ B3 ∪ B4 .
Note the (6, 12) classes are negatives of the (12, 6) classes, so after a possible
re-indexing, we have B3 = −B1 and B4 = −B2 .
A representative of B1 is
f (x1 , x2 , x3 ) = x21 + x22 + x23 .
Note that the algebraic normal form of all these functions is quadratic.
A representative of B2 is
f (x1 , x2 , x3 ) = x1 x3 + 2x22 + 2x21 x22 .
After computing intersection numbers for the four equivalence class representatives, we have further seen that the equivalence class represented by
B1 corresponds to the first condition of Theorem 25 and the equivalence
class represented by B3 corresponds to the second condition. Meanwhile,
21
the equivalence classes represented by the functions B2 and B4 do not yield
weighted partial difference sets. In summary, we have defined bent functions, partial difference sets, Cayley graphs, association schemes, and Schur rings, and we have examined
several examples of bent functions in order to find information about their
corresponding algebraic structures. We have also provided a partial characterization of bent functions on GF (3)2 and GF (3)3 based on the sizes of the
level curves and the intersection numbers that correspond with the weighted
partial difference sets produced by these level curves.
With the final result in mind, there are some questions we can ask for
further research.
• Theorem 25 assumes a function is bent and shows that it yields certain
combinatorical structures. Is there a way to ”work backwards”, i.e.
use the combinatorical structures presented in this paper to determine
that a function is bent?
• Are there other combinatorical or algebraic structures that can be used
to characterize bent functions? Are bent functions generally conducive
to combinatorics or do they exhibit more ”random” behavior in that
regard?
• Is it better to use a bent function that has certain combinatorical structures as a filter function in a cipherstream system, or is it better to use
one that does not have this kind of organization?
4
Acknowledgements
I would like to thank Professor Joyner and Professor Melles of the USNA
Mathematics Department for their assistance with this project. Professor
Joyner was my main advisor throughout the project and Professor Melles
provided essential Mathematica calculations and general advice in proving
Theorem 25.
22
References
[BC] Anna Bernasconi and Bruno Codenotti, Spectral analysis of Boolean
functions as a graph eigenvalue problem, IEEE Transactions on Computers, 48:3 (1999) 345-351.
http://ilex.iit.cnr.it/codenotti/ps_files/graph_fourier.ps
[BCV] A. Bernasconi, B. Codenotti, J.M. VanderKam. A characterization
of bent functions in terms of strongly regular graphs, IEEE Transactions
on Computers, 50:9 (2001), 984-985.
[CJMPW] C. Celerier, D. Joyner, C. Melles, D. Phillips, S. Walsh Edgeweighted Cayley graphs and p-ary bent functions, preprint, 2014.
[CM] A. Cesmelioglu and W. Meidl, Bent functions of maximal degree, IEEE
Trans. Info. Theory 58(2012)1186-1190.
[CvL] P.J. Cameron, J.H. van Lint, Designs, Graphs, Codes, and their Links,
London Mathematical Society Student Texts 22, Cambridge University
Press (1991).
[D] J.F. Dillon, Elementary Hadamard difference sets, PhD thesis, University of Maryland, 1974.
[GK] M. Goresky, A. Klapper, Algebraic Shift Register Sequences, Cambridge
University Press (2012).
[MW] P. Magliaro, A. Weaver, Investigations into a possible new family of Partial Difference Sets, University of Richmond, 2003. http:
//www.mathcs.richmond.edu/~jad/summerwork/paper4.pdf
[PTFL] A. Pott, Y. Tan, T. Feng, S. Ling, Association schemes arising from
bent functions, Des. Codes Crypt. 59(2011)319-331.
23
