Highly Nonlinear Mappings - Institute for Mathematical Sciences
advertisement
Highly Nonlinear Mappings
Claude Carlet a and Cunsheng Ding b
a
INRIA Projet Codes, Domaine de Voluceau, BP 105, 78153 Le Chesnay Cedex,
France. Also at University of Paris 8 and GREYC-Caen.
Claude.Carlet@inria.fr
b Department of Computer Science, Hong Kong University of Science and
Technology, Clear Water Bay, Kowloon, Hong Kong, China.
cding@cs.ust.hk
Abstract
Functions with high nonlinearity have important applications in cryptography, sequences and coding theory. The purpose of this paper is to give a well-rounded
treatment of non-Boolean functions with optimal nonlinearity. We summarize and
generalize known results, and prove a number of new results. We also present open
problems about functions with high nonlinearity.
Key words: Functions, nonlinearity, cryptography, coding, sequences, dierence
partition, dierence matrices, dierence sets, almost dierence sets, generalized
Hadamard matrices.
1 Introduction
Functions with high nonlinearity have important applications in cryptography
3,14,24,65,66,68,69], sequences 71] and coding theory 11,55,63,77]. In cryptography, functions with high nonlinearity are necessary for achieving confusion. They are used to construct keystream generators for stream ciphers,
S-boxes for block ciphers, building blocks for hash algorithms, and authentication codes. In coding theory, they permit to construct good error correcting
codes. In sequences, they are used to obtain good autocorrelation for CDMA
communication systems.
During the last twenty years, there has been a lot of studies of Boolean functions with high nonlinearity. See for example, 10], 12], 13], 14], 15], 17],
18], 19], 37], 38], 39], 40], 69], 73]. Non-Boolean functions have also important applications in cryptography 8,9,66], sequences 57,70] and coding
Preprint submitted to Elsevier Preprint
theory 43,71], but they have been less studied. It turns out that functions
with optimum nonlinearity correspond to certain combinatorial designs. Thus
the study of functions with optimum nonlinearity could lead to new problems
in combinatorics.
The purpose of this paper is to give a well-rounded treatment of non-Boolean
functions with optimum or almost optimum nonlinearity. We summarize the
known results on this subject, which have been presented in a large number of papers. We generalize several of them and we prove new results. We
present open problems about functions with high nonlinearity, and propose
new problems in combinatorics by establishing relations between functions
with optimum nonlinearity and certain subjects of combinatorics.
2 Preliminaries
Let f be a function from an abelian group (A +) of order n to another abelian
group (B +) of order m. f is linear if and only if f (x + y) = f (x)+ f (y) for all
x y 2 A. A function g is a ne if and only if g = f + b, where f is linear and b is
a constant. Clearly, the zero function is linear. If f is a nonzero linear function
from A to B , let H = fx 2 Aj f (x) = 0g. Then H is a subgroup of A, f (A) is
a subgroup of B and, denoting by jS j the size of a set S , jf (A)j jH j = n. In
the case that n is odd and m is a power of 2, the only linear function from A
to B is the zero function, since if f 6= 0, then jf (A)j is even, a contradiction
with the fact that n is odd thus all ane functions are constant functions.
The (Hamming) distance between two functions f and g from A to B , denoted
by d(f g), is dened to be
d(f g) = jfx 2 Ajf (x) ; g(x) 6= 0gj:
One way of measuring the nonlinearity of a function f from (A +) to (B +)
is to use the minimum distance between f and all ane functions from (A +)
to (B +). With this approach the nonlinearity of f is dened to be
Nf = min
d(f l)
l 2L
(1)
where L denotes the set of all ane functions from (A +) to (B +). This
measure of nonlinearity is related to linear cryptanalysis (cf. 65]) but it is not
useful in some general cases. For example, as pointed out above, in the case
jAj is odd and jB j is a power of 2, this measure makes little sense as there are
no non-constant ane functions from (A +) to (B +).
2
A robust measure (cf. 68]) of the nonlinearity of functions is related to dierential cryptanalysis (cf. 5]) and uses the derivatives Daf (x) = f (x + a) ; f (x).
It may be dened by
Pf = 0max
max Pr(Da f (x) = b)
6=a2A b2B
(2)
where Pr(E ) denotes the probability of the occurrence of event E . The smaller
the value of Pf , the higher the corresponding nonlinearity of f (if f is linear,
then Pf = 1). In some cases, it is possible to nd the exact relation between the
two measures on nonlinearity. We will come back to this later. Note that both
nonlinearity measures are relative to the two operations of the two abelian
groups.
3 Functions with perfect nonlinearity
Let f be a function from (A +) to (B +). For any b 2 B dene
Cb = f ;1 (b) = fa 2 Ajf (a) = bg:
(3)
We have the following property.
Lemma 1 Let f be a function from (A +) to (B +). Then, for every a 2 A
and every b 2 B
Pr(Da f (x) = b) =
P
z2B jCz \ (Cz+b ; a)j :
jAj
PROOF. We have
jfx 2 AjDa f (x) = bgj
=
=
=
z2B
z2B
X
z 2B
fx 2 Ajf (x) = z and f (x + a) = z + bg
(Cz \ (Cz+b ; a))
jCz \ (Cz+b ; a)j :
2
The conclusion then follows.
3
Notice that, for every a 2 A, the sets fx 2 AjDa f (x) = bg constitute a partition of A, and thus we have the following lemma.
Lemma 2 For every a 2 A, we have
jAj =
X
b2B
jfx 2 AjDa f (x) = bgj :
Note that the maximum of a sequence of numbers is greater than or equal to
its mean. It then follows that, for every a 2 A,
jfx 2 AjDa f (x) = bgj 1
max
Pr(
D
f
(
x
)
=
b
)]
=
max
:
a
b2B
b2B
jAj
jB j
Then
Pf jB1 j :
(4)
This lower bound can be considered as an upper bound for the nonlinearity
of f . For applications in coding theory and cryptography we wish to nd
functions with the smallest possible Pf .
Denition 3 A function f : A ! B has perfect nonlinearity if Pf = jB1 j .
Since the maximum of a sequence of numbers equals its mean if and only if
the sequence is constant, inequality (4) is an equality if and only if, for every
b 2 B and every a 2 A = A n f0g, the quantity jfx 2 AjDa f (x) = bgj has
value jjBAjj .
Denition 4 A function g : A ! B is balanced if the size of g;1(b) is the
same for every b 2 B (this size is then
jAj
jB j ).
Theorem 5 A function f : A ! B has perfect nonlinearity if and only if, for
every a 2 A = A n f0g, the derivative Daf is balanced (this is possible only if
jB j divides jAj).
In the case of Boolean functions (i.e. functions from GF (2)n to GF (2), where
GF (2) is the two-element eld), perfect nonlinear functions are also called
bent (cf. 73]). We recall at Subsection 3.6 the denitions and properties of
bent functions.
4
3.1 Stability of the set of perfect nonlinear functions under actions of general
a ne groups
The addition of any perfect nonlinear function from (A +) to (B +) and any
ane function from (A +) to (B +) is clearly a perfect nonlinear function.
Theorem 6 Assume that f (x) is a function from (A +) to (B +) with per-
fect nonlinearity and l(x) is a linear or an a ne permutation from (A +) to
(A +), then the composition f l is another function from (A +) to (B +)
with perfect nonlinearity.
PROOF. If l(x) is a linear permutation, then f (l(x + a)) ; f (l(x)) is equal
to f (l(x) + l(a)) ; f (l(x)) and is balanced for every a 6= 0 since l(a) 6= 0 if
and only if a 6= 0. If l(x) is a translation, say l(x) = x + u, then f (l(x + a)) ;
f (l(x)) = f (x + u + a) ; f (x + u) is balanced. The conclusion then follows by
composition.
2
Theorem 7 Let f : (A +) ! (B +) have perfect nonlinearity, and let l :
(B +) ! (C +) be a linear onto function. Then the composition l f is a
function from (A +) to (C +) with perfect nonlinearity.
PROOF. Since l is linear, we have
l(f (x + a)) ; l(f (x)) = l(f (x + a) ; f (x)):
The conclusion then follows from the facts that l is linear and onto and that
f has perfect nonlinearity.
2
Theorem 7 leads to a construction of perfect nonlinear functions which is
rather useful, as justied by the results of Proposition 41.
3.2 Perfect nonlinear functions and dierence partitions
Perfect nonlinear functions are naturally related to the combinatorial notion
of dierence partition. Let (A +) and (B +) be two abelian groups of orders
n and m respectively. Assume that fCbjb 2 B g is a partition of A. We call
fCb jb 2 B g an (n m ) dierence partition of (A +) with respect to (B +) if
5
X
z 2B
jCz \ (Cz+b ; a)j (5)
for all b 2 B and all nonzero elements a of A, and if for at least one pair (a b)
the equality of (5) is achieved. Note that for a dierence partition fCbjb 2
B g some Cb may be empty. The dierence partitions dened here are quite
dierent from the dierence families that have been studied in combinatorics
4, Chapter VII].
Since fCz \ (Cz+b ; a)jz b 2 B g is a partition of A, we have
m n:
The case of equality corresponds to perfect nonlinear functions.
(6)
Proposition 8 Let (A +) and (B +) be abelian groups of orders n and m
respectively. Let fCb jb 2 B g be an (n m ) dierence partition of (A +) with
respect to (B +). Let f be the function from A to B de
ned by f (x) = b, for
every x 2 Cb. Then Pf = n . Thus, f has perfect nonlinearity if and only if m
divides n and fCb(f )jb 2 B g is an (n m n=m) dierence partition of (A +)
with respect to (B +).
PROOF. It follows from Lemma 1.
2
If fCb(f )jb 2 B g is an (n m n=m) dierence partition of (A +) with respect
to (B +), then the equality in (5) holds for all b 2 B and all nonzero elements
a of A.
There are some restrictions on the possible sizes of the sets Cb .
Theorem 9 Let (A +) and (B +) be abelian groups of orders n and m respectively, where m divides n. If an (n m n=m) dierence partition fCbjb 2 B g
of A with respect to B exists, then for any nonzero b 2 B
8P
>
n2 +(m;1)n
2
>
z
2B kz =
m
>
<P
n(n;1)
z2B kz kz+b = m
>
>
>
: Pz2B kz = n
(7)
where kz = jCz j for each z 2 B .
PROOF. If fCbjb 2 B g is an (n m n=m) dierence partition, we have Pz2B kz =
n and
6
X
z 2B
jCz \ (Cz+b ; a)j =
n
m
for all b 2 B and all nonzero elements a of A. It then follows that for any
nonzero b 2 B
n(n ; 1) = X X jC \ (C ; a)j
z
z+b
m
a2Anf0g z2B
X X
=
jCz \ (Cz+b ; a)j
z2B a2Anf0g
X
= jfx 2 A a 2 A jf (x) = z and f (x + a) = z + bgj
z2B
X
= jfx 2 A a 2 Ajf (x) = z and f (x + a) = z + bgj
z2B
X
= kz kb+z :
z2B
Similarly, we obtain
n(n ; 1) = X X jC \ (C ; a)j
z
z
m
a2Anf0g z2B
X X
=
jCz \ (Cz ; a)j
z2B a2Anf0g
X
= jfx 2 A a 2 A jf (x) = z and f (x + a) = zgj
z2B
X
= kz (kz ; 1)
z2B
X
X
= kz2 ; kz
z2B
X 2 z2B
= kz ; n:
z2B
2
This completes the proof.
Remark: Theorem 9 may be deduced from know results on relative dierence
sets, but our proof is elementary.
Theorem 10 Let (A +) and (B +) be abelian groups of orders n and m
respectively, where n is a multiple of m. If f is a function from A to B with
perfect nonlinearity Pf = m1 , then for any b 2 B
s
s
n ; (m ; 1)n k n + (m ; 1)n
b
m
m
m
m
7
where kz = jfx 2 Ajf (x) = zgj. Furthermore,
s
s
(m ; 1)n ; (m ; 1)n N (m ; 1)n + (m ; 1)n :
f
m
m
m
m
If B has exponent 2, i.e., 2b = 0 for any b 2 B , then for any b 2 B
p
p
n ; (m ; 1) n k n + (m ; 1) n
b
m
m
where kz = jfx 2 Ajf (x) = zgj. Furthermore,
p
p
(m ; 1)n ; (m ; 1) n N (m ; 1)n + (m ; 1) n :
f
m
m
PROOF. We prove the rstPconclusion. Set kb = n=m + b. It follows from
the last equation of (7) that
one of (7) yields
b b
X
b
q (m;1)n
= 0. Combining this equality and the rst
2b = (m ;m 1)n :
Hence jbj m . This proves the conclusion on kb . The lower and upper
bounds on Nf then follow from the bounds on kb and the fact that the sum of a
function with perfect nonlinearity is again a function with perfect nonlinearity.
We now prove the bounds for the case that B has exponent 2. For any nonzero
b 2 B , by (7)
P (k ; k )2 = P k2 ; 2 P k k + P k2
z+b
z2B z
z2B z
z2B z z+b
z 2B z +b
= 2 n +(mm;1)n ; 2 n(nm;1)
= 2n:
2
Since B has exponent 2, in the summation
X
z2B
(kz ; kz+b)2
both (kz ; kz+b)2 and (kz+b ; kz )2 occur as terms. Then by (8)
2(kz ; kz+b)2 = (kz ; kz+b)2 + (kz+b ; kz )2 2n
8
(8)
and hence
p
p
; n kz ; kz+b n:
(9)
It follows that
X
p
p
;(m ; 1) n (m ; 1)kz ; kz+b (m ; 1) n:
b6=0
Note that Pb6=0 kz+b = n ; kz . We have
p
p
n ; (m ; 1) n k n + (m ; 1) n :
z
m
m
The bounds on Nf follow from those on kb and the fact that the sum of a
function with perfect nonlinearity and any ane function gives also a function
with perfect nonlinearity.
2
For the existence of functions with perfect nonlinearity, we have the following
result.
Theorem 11 Assume that there is a function with perfect nonlinearity from
an abelian group of order n to another abelian group of order m, where m
divides n. If m is even, then n is a square. If m is odd, then
z2 = nx2 + (;1)(m;1)=2 my2
has a nontrivial solution in integers.
Theorem 11 is a direct consequence of Lemma 24 below, which was stated in
6,7] for the existence of generalized Hadamard matrices.
3.3 Functions with perfect nonlinearity and dierence matrices
It is known that Boolean functions with perfect nonlinearity (i.e. bent functions) are related to Hadamard matrices (cf. 73]). More generally, functions
with perfect nonlinearity are related to the so-called dierence matrices and
generalized Hadamard matrices.
9
Let (G +) be a group of order m. An (m k ) dierence matrix is a k m
matrix D = (dij ) with entries from G, so that for each 1 h < j k, the list
fdhl ; djl j1 l mg
contains times every element of G. Similarly, dierence matrices can be dened over nonabelian groups 4,22]. A generalized Hadamard matrix GH(m )
is a (m m ) dierence matrix. Hence Hadamard dierence matrices are
special dierence matrices. In particular, a Hadamard matrix H (4n) is a
GH(2 2n) over the group (f1 ;1g ).
Theorem 12 Let f be a function from an abelian group (A +) of order n to
another one (B +) of order m, where m divides n. Let A = fa0 a1 : : : an;1 g,
and de
ne an n n matrix D as
0
1
BB f (a0 + a0) f (a0 + a1) f (a0 + an;1) CC
BB f (a1 + a0) f (a1 + a1) f (a1 + an;1) CC
CC :
D=B
BB ..
.
.
.
.
.
.
CC
.
. .
B@ .
A
f (an;1 + a0 ) f (an;1 + a1 ) f (an;1 + an;1)
Then f has perfect nonlinearity Pf = m1 if and only if D is a GH(m n=m),
i.e., an n n generalized Hadamard matrix.
PROOF. By Theorem 5, f has perfect nonlinearity if and only if Daf (x) =
f (x + a) ; f (x) takes on each element of B exactly n=m times for each nonzero
element a of A. The conclusion then follows.
2
Remarks:
(a) Any k rows of the matrix D of Theorem 12 gives an (m k n=m) difference matrix over B . Theorem 12 shows that every function with perfect nonlinearity gives generalized Hadamard matrices. But clearly, many
generalized Hadamard matrices do not give functions with optimum nonlinearity.
(b) Theorem 12 is a rather straightforward result, which traces back to at
least 28].
Example 13 Dene the function f (x) from GF (q)2t to GF (q) as
f (x1 x2 : : : x2t ) = x1 x2 + x3 x4 + : : : + x2t;1 x2t :
10
We will show in Theorem 39 that this function is perfect nonlinear. Then the
matrix D of Theorem 12 is a (q q2t q2t;1) dierence matrix, i.e., a generalized
Hadamard matrix GH(q q2t;1).
Remark: It is shown by de Launey that for any group G of prime power order
q and any integer t > 0, there is a GH(q q2t;1) over G 27]. Here G may not
be elementary abelian. It remains to be checked whether the construction of
Corollary 13 is the same as the one of de Launey 27].
3.4 A characterization of perfect nonlinearity by means of Fourier transform
We denote by e the exponent of A it is the maximum order of elements of A
it is also called the characteristic of A since A is in additive representation.
A homomorphism between A and a multiplicative group G is any mapping from A to G such that
(a + a0) = (a)(a0 ) for all a a0 2 A:
A character of A is any homomorphism from A to the multiplicative group of
all complex e-th roots of unity. The multiplicative group A^ of characters of A
is isomorphic to the group A (cf. 46]). We x some isomorphism from A to
A^ and we denote by the image of 2 A by this isomorphism. 0 is the
trivial character, i.e. the constant function 1.
For every a 6= 0, we have P2A (a) = 0 indeed, there exists 0 2 A such
that 0 (a) 6= 1 then the equality
X
2A
(a) =
implies P2A (a) = 0.
X
2A
+0 (a) = 0 (a)
X
2A
(a)
Let E be any subgroup of A. Denote by E ? the subgroup of A of elements such that (a) = 1 for all a 2 E . Then
X
a2 E
and
(a) = 0 8 2= E ?
(10)
(a) = 0 8a 2= E:
(11)
X
2E ?
11
The characters satisfy the orthogonality relation
8
>
< 0 if 1 6= 2
X
h1 2 i = 1 (a)2 (a) = >
: jAj if 1 = 2
a 2A
where 2 (a) denotes the complex conjugate of 2 (a).
The Fourier transform of any complex-valued function ' on A is dened by
'b() =
X
a2A
'(a)(a):
A direct consequence of property (11) is that for every elements 0 and a0 in
A and for every subgroup E of A, we have
X
20 +E ?
(a0)'b() = jE ?j 0 (a0 )
X
a2;a0 +E
0 (a)'(a):
(12)
Indeed,
X
20 +E ?
(a0 )'b() =
X
0 +(a0 )'b(0 + )
X X
=
'(a)0 +(a0 + a)
?
a
2
A
2E
0
1
X
X
= '(a)0 (a0 + a) @
(a0 + a)A
?
a2A
X 2E
?
= jE j 0 (a0 )
0 (a)'(a):
2E ?
a2;a0 +E
The Fourier transform of the product of two functions '1 and '2 equals the
normalized convolution of the Fourier transforms of '1 and '2:
1 'c 'c () = 1 X 'c (0)'c ( ; 0):
'd
(13)
1 '2 () =
2
jAj 1 2
jAj 0 2A 1
Equality (13) with '2 = '1 and = 0 gives Parseval's relation:
X
1 X j'b()j2:
j'(a)j2 =
jAj 2A
a2A
The inverse Fourier transform is determined by the equality:
X
'(a) = jA1 j 'b()(a):
2A
12
Note that ' satises '(a) = 0, for every a 6= 0, if and only if 'b is constant
and that ' is constant if and only if 'b() = 0, for every 6= 0.
Let f be a function from A to a group B . We denote by e0 the exponent of B
and we x again an isomorphism between B and B^ (the group of homomorphisms from B to the multiplicative group of all complex e0 -th roots of unity)
we denote by 0 the image of 2 B by this isomorphism. For every 2 B ,
we denote by f the complex-valued function 0 f and we have, for every
2 A,
X
fc () = 0 f (a) (a):
Parseval's relation on f gives
a2A
X c 2
jf ()j = jAj2 :
2A
We give in Theorem 16 a characterization of perfect nonlinearity by means of
Fourier transform, which generalizes results given in 73] for Boolean functions,
in 1] for functions dened over nite elds and in 16] for functions dened
over residue class rings. We need rst to characterize balanced functions and
to recall a classical property of Fourier transform.
Proposition 14 Let f be any function from A to B . Then f is balanced if
and only if, for every 2 B we have
fc (0) = 0:
PROOF. We have
X
X
fc (0) = 0 f (a) = jCbj 0 (b):
a2A
b2B
(14)
Thus, if f is balanced and 6= 0, then fc (0) = jjBAjj Pb2B 0 (b) = 0. Conversely,
if , for every 2 B we have fc (0) = 0, then, according to relation (14), the
integer-valued
function b 7! jCbj admits as Fourier transform the function
8
>
< 0 if 6= 0
7! >
, and according to the properties of the Fourier transform
: jAj if = 0
recalled above, it is constant.
2
Lemma 15 Let f : A ! B and Daf (x) = f (x + a) ; f (x). Let
ACf (a) be the
P
value at 0 of the Fourier transform of (Da f ) : ACf (a) = x2A 0 (Da f (x)).
Then, ACf has Fourier transform jfc j2 .
13
PROOF.
XX 0
df () = X Dd
AC
(f (x + a))0 (f (x)) (a) =
a f (0) (a) =
XX
a2A
a2A x2A
a2A x2A
0 (f (x + a))0 (f (x)) (x + a) (x) = fc ()fc ():
2
ACf is often called the autocorrelation function of f . When only one nonzero
exists, i.e. when B = GF (2), it is also called the autocorrelation function of
f.
Theorem 16 Let f be any function from an abelian group A to an abelian
group B . Then f has perfect nonlinearity
if and only if, for every 2 B and
q
every 2 A, fc () has magnitude jAj.
PROOF. According to Theorem 5, f has perfect nonlinearity if and only if
for every a 6= 0 the function Daf (x) = f (x + a) ; f (x) is balanced. Thus,
according to Proposition 14, f has perfect nonlinearity if and only if for every
a 2 A and every 2 B we have ACf (a) = 0. Thus, according to the
properties of the Fourier transform recalled above, f has perfect nonlinearity
if and only if for every 2 B , ACf has constant Fourier transform (this
constant value must be jAj). Lemma 15 completes the proof.
2
Theorem 16 states that f has perfect nonlinearity if and only if, for every
2 B , f is bent in the sense of Logachev, Salnikov and Yashchenko. We
recall at Subsection 3.6 the original notion of bent functions and its successive
generalizations.
3.5 Obtaining functions with perfect nonlinearity from known ones
At Subsection 3.1, we have seen obvious ways of obtaining perfect nonlinear
functions from known ones. Another one is as follows: let A, A0 and B be
three abelian groups. Let f : A 7! B and g : A0 7! B be two perfect nonlinear
mappings. Then f g : A A0 7! B dened by (f g)(x y) = f (x) + g(y)
is perfect nonlinear. We give now a non-trivial similar construction. Theorem
17 and the remark which follows it generalize the most part of the theorem in
12], which was stated for Boolean bent functions.
Theoremq17 Assume that the size of A is a square. Let E be a subgroup of
A of size jAj. Assume that f (x) is a function from (A +) to (B +) with
14
perfect nonlinearity and that f takes constant value on E . Then every function
obtained from f by choosing another constant value for f on E has also perfect
nonlinearity.
PROOF. Let b be any element of B . Dene g(x) = f (x) if x 2= E g(x) =
f (x) + b if x 2 E . Let be any nonzero element of B . Denote by ! the
constant value of f on E . Recall that we denote by E ? the set of elements of A such that (a) = 1 for all a 2 E .
? . According to relation
Let us rst prove that fc () = ! jE j for every 2 EX
(12) applied to ' = f and to a0 = 0 = 0, we have
fc () = ! jE ?j jE j.
2E ?
q
Since, according to Theorem 16, fcq() has magnitude jE j = jAj for every
, we deduce that fc () equals ! jAj for every 2 E ?.
We have
X
gc () = fc () + ! (0 (b) ; 1) (a):
a2E
Thus gc ()qequals fc () for every
2= E ?. Andqfor every 2 E ? we have
q
gc () =q! jAj + ! (0 (b) ; 1) jAj = ! 0 (b) jAj. Thus, gc () has magnitude jAj for every 2 A and every 2 B , and g has therefore perfect
nonlinearity.
2
Remarks:
(a) The same proof shows that if ' is bent on A in the sense of Logachev,
Salnikov and Yashchenko (see Subsection 3.6) and if it is constant on E ,
then 'b is constant on E ? and ' remains bent if we change its constant
value on E .
(b) Since fc is constant on E ?, applying
X property (12) to fc and to 0 = 0
shows that for every a0 2= E :
f (a) = 0. This is equivalent to the
a2a0 +E
fact that f is balanced on every coset of E in A, according to Proposition
14.
X c
(c) According to property (12), we have also
f () = 0 for every
20 +E ?
q
0
If there exists a function g from A to B such that fc = jAj g
(using the same terminology as Kumar, Scholtz and Welch in 57], we can
say that f is regular-bent), this implies that g is balanced on every coset
of E ?.
(d) Theorem 17 is still valid if we only assume that the restriction of f to
E is ane and if we change the values of f on E by adding a constant
2= E ?.
15
(apply Theorem 17 to f + l where f is ane). It is also valid if E is a
coset of a subgroup (change f (x) into f (x + u)).
(e) We give after Theorem 39 an example of application of Theorem 17. In
the case
q of this example, there exists a function g from A to B such that
c
f = jAj g .
3.6 Bent functions and perfect nonlinearity
Let A be the abelian group GF (2)n, B = GF (2) and f a function from A to
B
notation of Subsection 3.4, we have f1(a) = (;1)f (a) and fc1 () =
P. Usingnthe
f (a)+a where a = 1 a1 + : : : + n an is the usual inner product
a2GF (2) (;1)
in GF (2)n. The Fourier transform of f1 = (;1)f is often called the Walsh
transform of f . The notion of binary bent
function, introduced by Rothaus
P
in 73], is related to Parseval's Prelation 2GF (2)n jfc1 ()j2 = 22n: a function
f : GF (2)n ! GF (2) is bent if a2GF (2)n (;1)f (a)+a has constant magnitude
for every 2 GF (2)n, or equivalently if the maximum of jfc1()j2 equals its
mean 2n (this is equivalent to say that f lies at maximum Hamming distance
from the set of ane functions) this is possible only if n is even. As shown
by Rothaus, and also according to Theorem 16, this notion is equivalent to
perfect nonlinearity. More information on binary bent functions can be found
in the survey paper 14] and in Canteaut, Carlet, Charpin and Fontaine 10],
Carlet 12{15], Carlet and Guillot 17,18], Dobbertin 37], Hou and Langevin
49], and Wolfmann 77].
Logachev, Salnikov and Yashchenko have adapted this notion in 62] to the
general case of functions ' from any nite abelian group A to the set of
complex numbers of qmagnitude 1 (see also Hou 48]): ' is bent if 'b() has
constant magnitude jAj for every 2 A.
The notion of binary bent function has been generalized to functions from a
nite abelian group A to a nite abelian group B in two directions:
- Kumar, Scholtz and Welch 57] have generalized it to functions f from
Znq to Zq = Z=qZ, where q is any positive number.
The function f1 equals
p
f
then
!q = exp(2i=q) (where i = ;1) and we have fc1 () =
P n!!q ,f (where
a
)+a
. Kumar, Scholtz and Welch called generalized bent any funca2Zq q
p
tion f from Znq to Zq such that fc1 has constant magnitude qn, i.e. such that
f1 is bent in the sense of Logachev, Salnikov and Yashchenko. Obviously, a
stronger notion could also be considered: for every 6= 0, f is bent in the
sense of Logachev, Salnikov and Yashchenko. But this notion does not deserve
a specic denomination since, as shown in 16] and also according to Theorem
16, it is equivalent to perfect nonlinearity.
- Ambrosimov 1] considers functions f from GF (q)n to GF (q) where q is a
16
power of a prime p, and GF (q) is the nite eld of order q. For every 2
GF (q), f equals !pTr(f ) where Tr is the trace function
from GF (q) to GF (p)
P
c
and where !p = exp(2i=p). Then f () equals a2GF (q)n !pTr(f (a)+a) . The
function f is called
by Ambrosimov if, for every nonzero , fc has conp bent
stant magnitude qn , i.e. if f = !pTr(f ) is bent in the sense of Logachev,
Salnikov and Yashchenko. As shown by Ambrosimov and according to Theorem 16, this notion is equivalent to perfect nonlinearity.
The notions of bent functions by Kumar, Scholtz and Welch and by Ambrosimov, when they both apply, that is when q is a prime, have dierent denitions
but are in fact equivalent, as shown in 57].
4 Binary functions with optimum nonlinearity
In this section, we consider the case (B +) = (GF (2) +) and functions from A
to B . If (A +) is cyclic, then functions from A to B with optimal nonlinearity
are the same as binary sequences with optimal autocorrelation, i.e., perfect
sequences. The main references for this section are 24,34,52].
Let n = jAj. For a function f from A to B , the autocorrelation function of f
is
ACf (a) =
X
(;1)f (x+a);f (x) :
x2A
The support of f is the set
Sf = fx 2 Ajf (x) = 1g:
The weight of f is dened to be jSf j, and denoted by wf . We also say that f
is the characteristic function of Sf .
Considering the Fourier transform of Da f at vector 0, we have, according to
Lemma 15
X
a2A
ACf (a) = (n ; 2wf )2:
(15)
For any subset H of A, we dene the dierence function
dH (a) = j(H + a) \ H j
(16)
17
where H + a = fx + ajx 2 H g.
The following easy result plays an important role in the sequel.
Theorem 18 Let f be a function from A to B , and let k be the weight of f .
Then for any nonzero a 2 A,
8 n;2(k;dS (a))
>
f
<
b=0
Pr(Da f (x) = b) = > 2(k;dSnf (a))
: n
b = 1:
PROOF. This is a generalization of Theorem 4.4 in 34] (see also Theorem
6.3.1 in 24]). We have Pr(Da f (x) = 1) = n1 wDaf = n1 (2 wf ; 2 dSf (a)) and
Pr(Da f (x) = 0) = 1 ; Pr(Da f (x) = 1).
2
4.1 The case n 0 (mod 4)
Let (G +) be an abelian group with v elements, and let D be a k-subset of G.
Then D is called a (v k ) dierence set of G if the equation x ; y = g has
exactly solutions (x y) 2 D D for every nonzero element g 2 G. A trivial
necessary condition for the existence of a (v k ) dierence set is
k(k ; 1) = (v ; 1):
(17)
Theorem 19 Let D be a (v k ) dierence set of an abelian group (A +)
with v elements, and let fD (x) be the function with support D. Then
(a) for any nonzero a 2 A,
8
>
< v ; 2(k ; )]=v b = 0
Pr(fD (x + a) ; fD (x) = b) = >
: 2(k ; )=v b = 1:
n v;2(k;) 2(k;) o
(b) PfD = max
v
v
.
PROOF. This is a generalization of Theorem 4.5 in 34] (see also Theorem
6.3.2 in 24]). The conclusion follows from Theorem 18.
18
2
Theorem 20 Let f be a function from A to B . Then the following three
conclusions are equivalent:
(A) Pf = 12 (B) ACf (a) = 0 for every nonzero element a of A
(C) the support Sf is a (4u2 2u2 u u(u 1)) dierence set of A, where
n = 4u2.
PROOF. According to Theorem 5 and Proposition 14, (A) and (B) are equiv-
alent. By Theorem 19, (C) implies (A). If (B) is true, then for every nonzero a,
the function f (x) f (x + a) has constant weight and the support Sf is therefore
a dierence set. According to Theorem 19, v 0 (mod 4). It is well known
that a symmetric design with v = 4u can only exist if u is a perfect square
and the parameters of Sf have the form (4u2 2u2 u u(u 1)) (see Jungnickel
51, p. 282]).
2
It follows from Theorem 20 that (4u2 2u2 u u(u 1)) dierence sets, called
Hadamard dierence set, of an abelian group A give all binary functions with
perfect nonlinearity. Detailed information about Hadamard dierence sets can
be found in 52]. We just mention the following.
Lemma 21 53] Let G be any group which is a direct product of an abelian
group of order 2e and exponent at most e, where e = 2d + 2 for some nonnegative integer d, with groups of the type Z2mi , where each mi is a power of
3, and groups of the type Z4pj , where the pj are (not necessarily distinct) odd
primes. Then G contains a Hadamard dierence set.
Combining Theorem 20 and Lemma 21 proves the following.
Theorem 22 Let
A = Z22d+2 Z2m1 : : : Z2mt Z4p1 : : : Z4ps
(18)
where each mi is a power of 3, the pj are (not necessarily distinct) odd primes,
s 0 and t 0. Then there are binary functions from A to B with perfect
nonlinearity.
As recalled at Subsection 3.6, Boolean functions (i.e. functions from GF (2)n
to GF (2)) have perfect nonlinearity if and only if they are bent.
Numerous binary functions with perfect nonlinearity from the set A of (18)
to B = GF (2) can be constructed as indicated in Theorem 22 by using the
actual constructions of the Hadamard dierence sets indicated in Lemma 21:
19
for details, we refer to Arasu, Davis, Jedwab, Sehgal 2], Chen 21], Kraemer
56], Turyn 76], and Xia 78].
4.2 The case n 3 (mod 4)
In this section, let (A +) be an abelian group of order n 3 (mod 4), and
B = GF (2). The following theorem is the function version of perfect sequences
52].
Theorem 23 Let f be a function from A to B . Then the minimum possible
value for Pf is 21 + 21n and the following two conclusions are equivalent:
(A) Pf = 12 + 21n (B) the support Sf is an n
n;1 n;3
2
4
or n
n+1 n+1
2
4
dierence set of A.
PROOF. Let k be the weight of f . Note that n ; 2(k ; dSf (a))] + 2(k ;
dSf (a)) = n. By Theorem 18, to minimize Pf we need to minimize the maximum magnitude of
n ; 2(k ; dSf (a))] ; 2(k ; dSf (a)) = n ; 4(k ; dSf (a))
where a ranges over A. Since n ;1 (mod 4), the minimal possible magnitude of n ; 4(k ; dSf (a)) corresponds to n ; 4(k ; dSf (a)) = ;1. Thus, Pf
n+1
is minimal
if dSf (a) = k ; 4 for every nonzero a 2 A, i.e., if Sf
if andn+1only
is an n k k ; 4 dierence set of A. It then follows from the equation
k(k ; 1) = (n ; 1) k ; n +4 1
2
that k = n2 1 , and the minimal value for Pf is 12 + 21n .
We say that f has optimum nonlinearity if Pf achieves the minimum value
(here 21 + 21n ).
n+1
Since the complement of any n n;2 1 n;4 3 dierence set is an n n+1
2
4
dierence
and vice versa, we consider only dierence sets with parameters
n;1 n;set
n 2 4 3 . Dierence sets of this type are called Paley-Hadamard dierence
sets. Any Paley-Hadamard dierence set of A gives a function from A to B
with optimum nonlinearity.
20
Paley-Hadamard dierence sets include the following classes:
(1) with parameters (2t ; 1 2t;1 ; 1 2t;2 ; 1), for description of dierence sets
with these parameters see Dillon 31], Dillon and Dobbertin 32], Gordon,
Mills and Welch 42],Pott 72],
Xiang 79]
(2) with parameters n n;2 1 n;4 3 , where n = q(q + 2) and both q and q + 2
are prime powers. These are generalizations of the twin-prime dierence
sets, and may be dened as
f(g h) 2 GF (q ) GF (q + 2) : g h 6= 0 and (g )(h) = 1g
f(g 0) : g 2 GF (q )g
where (x) = +1 if x is a nonzero square in the corresponding eld, and
(x) = ;1 otherwise
n;53]
(3) with parameters n 2 1 n;4 3 , where n = q is a prime power congruent
to 3 (mod 4). They are Paley dierence sets and just consist of all the
squares in GF (q) 53]
(4) with parameters n n;2 1 n;4 3 , where n = q is a prime power of the form
q = 4s2 + 27. They are cyclotomic dierence sets and can be described
as 51]
D = D0(6q) D1(6q) D3(6q)
where D0(6q) denotes the multiplicative group generated by 6, Di(6q) =
iD0(6q) denotes the cosets, and is a primitive element of GF (q).
4.3 The case n 2 (mod 4)
As before let (A +) be an abelian group of order n. Let C be a k-subset of A.
The set C is an (n k t) almost dierence set of A if dC (a) = j(C + a) \ C j
takes on the value altogether t times and the value +1 altogether n ; 1 ; t
times when a ranges over all the nonzero elements of A.
Two kinds of almost dierence sets were introduced in 26] and 33,34] (see
also 24, p. 140] and 35]). They were generalized and unied in 36].
For (n k t) almost dierence sets of A we have the following basic relation
k(k ; 1) = t + (n ; 1 ; t)( + 1):
(19)
The following lemma due to Bruck, Chowla and Ryser will be needed later.
21
Lemma 24 Let D be an (n k ) dierence set in a group G.
(i) If n is even, then k ; is a square.
(ii) If n is odd, then the equation
x2 = (k ; )y2 + (;1) n;2 1 z2
(20)
has a solution in integers x, y , z , not all zero.
We consider now functions f from A to B with optimum nonlinearity. As
before, let Sf and k be the support and weight of f respectively. When A is
cyclic, the rst part of the following theorem is the function version of the
corresponding results about perfect sequences 52].
Theorem 25 The minimum possible value for Pf is 21 + n1 . Furthermore,
Pf = 21 + n1 if and only if
(a) the support Sf is a dierence set with parameters
!
p
p
n
3n ; 2 n + 2 2 3n ; 2
n
2
4
(21)
(b) or the support Sf is an almost dierence set with parameters
!
n
+
2
4
nk
; 4k2 ; (n ; 1)(n ; 2)
:
n k k; 4
4
(22)
PROOF. The minimum discrepancy between n ; 2(k ; dSf ()) and 2(k ;
dSf ()) is 2, since n 2 (mod 4). By Theorem 18, the nonlinearity measure
Pf achieves its minimum value if and only if one of the following three cases
happens:
(A) n ; 2(k ; dSf ())] ; 2(k ; dSf ()) takes on only value 2 when ranges
over all nonzero elements of A
(B) n ; 2(k ; dSf ())] ; 2(k ; dSf ()) takes on only value ;2 when ranges
over all nonzero elements of A
(C) n ; 2(k ; dSf ())] ; 2(k ; dSf ()) takes on both values 2 and ;2 when
ranges over all nonzero elements of A.
In all three cases the minimum value for Pf is 12 + n1 .
If (A) happens, then Sf is an n k k ; n;4 2 dierence set. Hence we obtain
k(k ; 1) = (n ; 1) k ; n ;4 2 :
22
Whence
p
k = n 23n ; 2 :
p
Hence Sf is an n n 23n;2
p
n+22 3n;2
4
dierence set.
We now
prove that
(B) cannot happen. Suppose that (B) happens. Then Sf
n
+2
is an n k k ; 4 dierence set. Hence we obtain
n + 2
k(k ; 1) = (n ; 1) k ; 4 :
Whence
2 n ; 2
n
k ; 2 + 4 = 0:
This is impossible.
By denition, (C) happens if and only if
dSf () = k ; n 4 2
which is equivalent to Sf being an n k k ; n+2
4 t almost dierence set of
A. It then follows from (19) that
2
t = 4nk ; 4k ; (4n ; 1)(n ; 2) :
(23)
2
Remarks:
(I) Note that 1 t n ; 2. It follows from (23) that
q
q
n ; 3(n ; 2)
n + 3(n ; 2)
k
(24)
2
2
if f has optimum nonlinearity. This means that in the case n 2
(mod 4) the weight k of functions with optimum nonlinearity is more exible, compared with the two cases n 0 (mod 4) and n 3 (mod 4).
23
(II) The condition of (17) and Lemma 24 cannot be used to rule out the exis-
tence of dierence sets with parameters of (21). For examples, (66 40 24)
and (902 477 252) are such parameters. However, it is known that no difference sets with parameters (66 40 24) exist 51]. No dierence set with
the parameters of (21) is known. In the cyclic case, more information on
the existence can be found in 52].
Open Problem 26 Construct dierence sets with the parameters of (21) or
show that dierence sets with such parameters do not exist.
We describe now the classes of binary functions with optimum nonlinearity
which correspond to the known almost dierence sets with the parameters
of (22). To this end, we need to dene cyclotomic classes and numbers. Let
GF (q) be a nite eld, and let d divide q ; 1. For a primitive element of
GF (q), dene D0(dq) = (d), the multiplicative group generated by d, and
Dh(dq) = hD0(dq) for h = 1 2 : : : d ; 1:
These Dh(dq) are called cyclotomic classes of order d. The cyclotomic numbers
of order d with respect to GF (q) are dened as
(h j ) = Dh(dq) + 1 \ Dj(dq) :
Clearly, there are at most d2 dierent cyclotomic numbers of order d.
The cyclotomic classes of order 4 can be used to describe several classes of
binary functions with optimum nonlinearity. Consider the nite eld GF (q),
where q 5 (mod 8). It is known that q has a quadratic partition q = s2+4t2 ,
with s 1 (mod 4). Let Dh(4q) be the cyclotomic classes of order 4.
Theorem 27 Let h j l 2 f0 1 2 3g be three pairwise distinct integers, and
de
ne
h
i h
i
C = f0g Dh(4q) Dj(4q) f1g Dl(4q) Dj(4q) :
Then C is an n n;2 2 n;4 6 3n4;6 almost dierence set of A = GF (2) GF (q )
if
(1) t = 1 and (h j l) 2 f(0 1 3) (0 2 1)g or
(2) s = 1 and (h j l) 2 f(1 0 3) (0 1 2)g:
Theorem 27 is a generalization of two results in 36]. The proof given in 36]
can be slightly modied to give a proof of Theorem 27 by using cyclotomic
numbers of order 4 for general nite elds 74].
24
It follows from Theorems 25 and 27 that the characteristic functions fC of
the several classes of almost dierence sets C described in Theorem 27 have
optimum nonlinearity. Furthermore these functions have weight n;2 2 , where
n = 2q. So we say that they are almost balanced.
Theorem 28 Let h j l 2 f0 1 2 3g be three pairwise distinct integers, and
de
ne
h
i h
i
C = f0g Dh(4q) Dj(4q) f1g Dl(4q) Dj(4q) f0 0g:
Then C is an n
n n;2 3n;2
2
4
4
almost dierence set of A = GF (2) GF (q) if
(1) t = 1 and (h j l) 2 f(0 1 3) (0 2 3) (1 2 0) (1 3 0)g or
(2) s = 1 and (h j l) 2 f(0 1 2) (0 3 2) (1 0 3) (1 2 3)g:
Theorem 28 is also a generalization of two results in 36]. The proof given
in 36] can also be slightly modied to give a proof of Theorem 28 by using
cyclotomic numbers of order 4 for general nite elds 74].
It follows from Theorems 25 and 28 that the characteristic functions fC of the
two classes of almost dierence sets C described in Theorem 28 have optimum
nonlinearity. Furthermore these functions have weight n2 , where n = 2q. Hence
they are balanced.
We now describe another class of functions with optimum nonlinearity. Let
q 3 (mod 4). Let Dh(2q) denote the cyclotomic classes of order 2 with
respect to GF (q) and let be the primitive element employed to dene the
cyclotomic classes of order 2.
Theorem 29 De
ne a function from (Zq;1 +) to (GF (2) +) as
8
>
< 1 if h 2 (D1(2q) ; 1)
f (h) = >
: 0 otherwise.
Then f has optimum nonlinearity.
Theorem 29 is the function-oriented version of a result about binary sequences
with optimum autocorrelation given in 60]. The support of the function f
dened in Theorem 29 is of course an almost dierence set by Theorem 25.
25
4.4 The case n 1 (mod 4) and n > 1
In this section we assume that n 1 (mod 4) and consider binary functions
f from A to B with optimum nonlinearity. As before, let Sf and k be the
support and weight of f respectively.
Theorem 30 The possible minimum value for Pf is 12 + 21n . Furthermore,
Pf = 21 + 21n if and only if the support Sf is a dierence set with parameters
!
p
p
n
2n ; 1 n + 1 2 2n ; 1
n
:
2
4
PROOF. The proof is similar to that of Theorem 25 and is omitted.
(25)
2
Remarks:
p
(a) For any dierence set with parameters of (25), the number n 22n;1 must
be a square.
(b) The parameters of (25) satisfy the conditions of both (17) and Lemma
24. Note that
1
0s p
n
2
n
;
1
@
1 1A
2
is a solution to (20). Examples of parameters are
(13 9 6) (25 16 10) (41 25 15)
(61 36 21) (85 49 28):
But it is known that among the parameters above only dierence sets with
parameters (13 9 6) exist 51]. The set D = f2 4 5 6 7 8 10 11 12g is a
(13 9 6) dierence set in Z13 . It is known that no cyclic abelian dierence
set of this type exists for 13 < n 20201 52].
Open Problem 31 Construct new dierence sets with parameters of (25) or
show that dierence sets with such parameters do not exist for n > 20201.
(We are interested only in the case n > 20201 because of Remark (b) above.)
Theorem 32 Pf = 21 + 23n if and only if the support Sf is an almost dierence
set with parameters
26
!
n
+
3
4
nk
; 4k2 ; (n ; 1)2
n k k; 4
:
4
PROOF. The proof is similar to that of Theorem 25 and is omitted.
2
Similarly, we have the following bounds for the weight of f
p
p
n ; 2n ; 5 k n + 2n ; 5
2
2
(26)
if f has nonlinearity Pf = 21 + 23n .
Theorem 33 Let q 1 (mod 4) and let Dh(2q) denote the cyclotomic classes
of order 2. Then the function from (GF (q), +) to (GF (2), +) de
ned by
8
>
< 1 if x 2 D0(2q)
f (x) = >
: 0 otherwise
has nonlinearity Pf = 12 + 23n .
PROOF. It can be proved with the help of Theorem 18 and the cyclotomic
2
numbers of order 2 74].
Theorem 34 Let q = 4q(40 q+) 1 =(4xq2) + 4y2 be qa;1power
of an odd prime with
q;5 q;1
x 1 (mod 4). Then Dh Dj is an q 2 4 2 almost dierence
set if and only if q 0 is odd, y = 1, and (h j ) 2 f(0 1) (1 2) (2 3) (3 0)g.
Theorem 34 is a slight generalization of a class of almost dierence sets in 35].
The proof given in 35] can be slightly modied to give a proof of Theorem 34
by using cyclotomic numbers of order 4 for general nite elds 74].
It follows from Theorems 25 and 34 that the characteristic functions fC of the
class of almost dierence sets C described in Theorem 34 have nonlinearity
Pf = 12 + 23n . Furthermore these functions have weight q;2 1 , and thus are
balanced.
27
4.5 Minimum distance from a ne functions
In Sections 4.1 and 4.3, we have described binary functions from A to B with
optimum nonlinearity constructed from dierence sets in the two cases n 0
(mod 4) and n 2 (mod 4), where n is the order of A. In this section we
are concerned with the minimum distance of such a function with all ane
functions from A to B . We call the two constant functions 0 and 1 trivial
a ne functions.
Theorem 35 Suppose D is an (n k ) dierence set of A, and fD (x) is the
characteristic function of D. Assume that l(x) is any nontrivial a ne function
from A to B . Then
p
1
Pr(fD (x) = l(x)) = 2 21p;n c
where Pr(fD (x) = l(x)) denotes the probability of agreement between fD (x)
and l(x), and c = n;4(nk;) . Hence the distance between fD (x) and l(x) is
p
p
d(fD (x) l(x)) = n2 12; c n:
PROOF. This is a generalization of Theorem 4.8 in 34], see also Theorem
6.5.3 in 24]. The proof is essentially the same as the one given in 34] and
24], and is omitted.
2
If D is a Hadamard dierence set, then c = 0 and
p
d(fD (x) l(x)) = n 2 n :
Hence
the minimum distance Nf between fD (x) and all ane functions is
n;pn (and is optimal, according to Parseval's relation). This was known for
2
bent functions. It is shown here that this is also true for the characteristic
function of any Hadamard dierence sets.
28
5 Nonbinary functions with optimum nonlinearity
5.1 The case jB j = 3
Since the abelian group of order 3 is unique up to isomorphism, in the case
m = 3 we assume that (B +) = (Z3 +). In this case if fC0 C1 C2g is an
(n 3 n=3) dierence partition of A with respect to B , then the conditions of
(7) reduce to
2
k02 + k12 + k22 = n +3 2n
k0 + k1 + k2 = n
since these two equalities imply k0k1 + k1k2 + k2k0 = n23;n . For example,
p
p
p !
p
p
p !
(k0 k1 k2) = n + n n + n n ; 2 n
3
3
3
and
(k0 k1 k2) = n ;3 n n ;3 n n +32 n
are solutions to the two equations above. In fact, (n 3 n=3) dierence partitions of some A with respect to B , or equivalently, functions from some A to
B with perfect nonlinearity, do exit. When q = 3 Theorem 39 below gives a
large class of perfect nonlinear functions with jB j = 3.
5.2 The case jB j=4
When B = Z4 , we have the following constraints:
Theorem 36 Let (A +) be an abelian group of order n and let (B +) =
(Z4 +), where n is a multiple of 4. If an (n 4 n=4) dierence partition fCbjb 2
B g of A with respect to B exists, then
8
>
< k0 + k2 = n2pn
>
: k1 + k3 = n2pn
(27)
29
where kz = jCz j for each z 2 B .
PROOF. If fCbjb 2 B g is an (n 4 n=4) dierence partition, then the conditions of (7) reduce to
k0 k2 + k1k3 = n(n8; 1)
k0 + k1 + k2 + k3 = n
2
k02 + k12 + k22 + k32 = n +4 3n
since k0 k1 + k1k2 + k2k3 + k3k0 = k0k3 + k1k0 + k2k1 + k3k2 = (k0 + k1 + k2 +
k3)2 ; (k02 + k12 + k22 + k32 ) ; 2(k0k2 + k1k3). It then follows that
(k0 + k2)2 + (k1 + k3)2 = n22+n
(k0 + k2) + (k1 + k3) = n:
(28)
2
Solving the set of equations proves the conclusion.
We shall see at Subsection 6.5 that there exist perfect nonlinear functions from
A = Zn4 to B = Z4 , where n is any positive integer greater than 1.
Theorem 37 Let (A +) be an abelian group of order n and let (B +) be
either (Z2 Z2 +) or (GF (22) +) , where n is a multiple of 4. If an (n 4 n=4)
dierence partition fCbjb 2 B g of A with respect to B exists, then the vector
(k(00) k(01) k(10) k(11) ) must take on one of the following:
n+3pn n;pn n;pn
n;p4 n n;p4n n+34pn
n;43pn n+4 pn n+4pn
n+p4 n n+p4n n;34pn
4
4
4
n;pn n;pn
4
4
n;pn n;pn
4
n+4pn
n+pn
4
4
n+pn n+pn
4
4
n;pn n;pn n+3pn n+3pn n;pn ( n;pn 4
4
4
4
4
4
n+pn 4
n+pn n+pn n;3pn
4
4
n;3pn n+pn
4
4
(
(29)
4
where k(ij ) = jC(ij )j for each (i j ) 2 B .
PROOF. Note that (GF (22) +) is isomorphic to (Z2 Z2 +). We need to
consider B = Z2 Z2 only. If fCbjb 2 B g is an (n 4 n=4) dierence partition
of A with respect to B , then the conditions of (7) reduce to
30
8
n(n;1)
>
k
>
(00) k(01) + k(10) k(11) =
8
>
>
n
(
n
< k(00)k(10) + k(01) k(11) = 8;1)
>
>
k(00)k(11) + k(10) k(01) = n(n8;1)
>
>
n
: k(02 0) + k(02 1) + k(12 0) + k(12 1) = n2+3
4 :
(30)
Solving the set of equations above gives
8
>
< k(00) + k(01) = n2pn
>
: k(10) + k(11) = n2pn
8
>
< k(00) + k(10) = n2pn
>
: k(01) + k(11) = n2pn
8
p
>
< k(00) + k(11) = n2 n
>
: k(10) + k(01) = n2pn :
So there are eight cases. In each case, we obtain two solutions (k(00) , k(01) ,
k(10) , k(11)). Altogether we get the eight solutions of (29). It is checked that
they are indeed solutions of (30). This completes the proof.
2
Theorem 38 Let (A +) be an abelian group of order n and let (B +) be
either (Z2 Z2 +) or (GF (22) +) , where n is a multiple of 4. If f is a
function from A to B with perfect nonlinearity Pf = 41 , then
p
p
3
n
; 3 n 3n ; n
Nf =
or
4
4 :
PROOF. We consider only the case B = Z2 Z2 . For any ane function
l(x), g(x) = f (x) ; l(x) must have perfect nonlinearity Pg = 14 as f (x) has
perfect nonlinearity. Let k(ij) = jfx 2 Ajg(x) = (i j )g. By Theorem 37, (k(00) ,
k(01) , k(10) , k(11) ) must take on one of the eight vectors listed in Theorem 37.
The conclusion of this theorem then follows.
2
Remarks:
(1) The nonlinearity Nf measures the minimum distance between f and all
ane functions from A to B . Theorem 37 means that the best ane
approximation of any function from A to B with perfect nonlinearity is
very poor.
31
(2) The conditions of (28), those of (27), and Theorem 38 may suggest that
functions with optimum nonlinearity Pf may not have optimum nonlinearity Nf . In other words the two kinds of measures of nonlinearity are
not consistent for nonbinary functions. This is not strange, as sometimes
the nonlinearity measure Nf makes little sense.
(3) When q = 4, Theorem 39 below will give a large class of perfect nonlinear
functions with jB j = 4.
6 Constructions of functions with optimum nonlinearity
We give the basic constructions. They can be modied and combined by using
the results of Section 3.
6.1 Functions from (GF (q)n +) to (GF (q ) +)
Let p be a prime and q = pl . We have seen at Subsection 3.6 of Section 3
that for every 2 GF (q), f equals !pTr(f ) where Tr is the trace function
(p) and where !p = exp(2i=p). Thus, fc () equals
P fromn !GFTr((qf) (ato)+GF
a) .
a2GF (q) p
We extend now the known constructions of perfect nonlinear Boolean functions
(cf. 30]) to this more general framework.
Let (A +) = (GF (q)n +), where n is even. Then the following function f
from (A +) to (GF (q) +)
f (x1 x2 : : : xn) = x1 xn=2+1 + x2 xn=2+2 + : : : + xn=2 xn
has perfect nonlinearity Pf = 1q . Hence fCb(f )jb 2 GF (q)g is a (qn q qn;1)
dierence partition, where Cb(f ) = fx 2 Ajf (x) = bg.
More generally, we have the following result.
Theorem 39 Let n be any even positive integer and let be a bijective
mapping from GF (q )n=2 to GF (q)n=2 . We denote its coordinate functions by
1 : : : n=2. Let g be a function from GF (q)n=2 to GF (q). Then
f (x1 x2 : : : xn) = x1 1 (xn=2+1 : : : xn) + x2 2 (xn=2+1 : : : xn ) + : : : +
xn=2 n=2 (xn=2+1 : : : xn) + g(xn=2+1 : : : xn)
32
has perfect nonlinearity Pf = 1q
PROOF. Denote (x1 x2 : : : xn=2) by x and (xn=2+1 xn=2+2 : : : xn) by x0 .
We have f (x x0) = x (x0 ) + g(x0). For every 0 6= 2 GF (q) and every
0 2 GF (q)n=2, we have
fc ( 0) =
X
xx0 2GF (q)n=2
!pTr(x(x0)+g(x0 )]+x+0x0)
where Tr is the P
trace function from GF
(q) to GF (p).
Tr
( x(x0 )+g(x0 )]+x+0 x0 )
The partial sum x2GF (q)n=2 !p
is null if (x0 )+ 6= 0.
Thus
X
fc ( 0) = qn=2
!pTr(g(x0)+0 x0)
x0 2;1 (;=)
and, since ;1(;=
) is a singleton, f has perfect nonlinearity according to
Theorem 16.
2
This class of functions is often called Maiorana-McFarland's class.
The functions f in the class of Maiorana-McFarland functions with constant
g can be modied using Theorem 17: take E = f0g GF (q)n=2 in this theorem denote by 0 the Dirac symbol (0 (x) = 1 if x = 0, 0 (x) = 0 otherwise) we have that, for every 2 GF (q), the function f (x1 x2 : : : xn) =
x1 1 (xn=2+1 : : : xn) + x22 (xn=2+1 : : : xn) + : : : + xn=2 n=2(xn=2+1 : : : xn) +
0 (x) + is perfect nonlinear.
Remark: Let q be an odd prime, then every polynomial function of de-
gree 2 from GF (q) to GF (q) is bent 57] and therefore perfect nonlinear.
Let q be a power of 2 and let b0 : : : b4 be elements of GF (q). Then, as
shown by Ambrosimov in 1], the function from GF (q)2 to GF (q): f (x1 x2) =
b0 + b1 x1 + b2 x2 + b3 x21 + b4 x22 + x1 x2 has also perfect nonlinearity.
Another adaptation of a classical construction is the following:
Theorem 40 Let p be a prime and q = pl . Let (A +) = (GF (q)n +), where
n is even. We identify GF (q)n=2 with the eld GF (qn=2). Let g be any balanced
function from GF (q n=2 ) to GF (q). Then the following function f from (A +)
to (GF (q ) +)
f (x x0) = g(x x0qn=2 ;2) x x0 2 GF (qn=2)
has perfect nonlinearity Pf = 1q .
33
PROOF. For every 0 6= 2 GF (q) and every 0 2 GF (qn=2), we have
X
fc ( 0) =
xx0 2GF (qn=2 )
!pTr( g(x x0q
n=2 ;2 ))+Tr0 ( x+0 x0 )
where Tr is the trace function from GF (q) to GF (p) and Tr0 is the trace
function from GF (qn=2) to GF (p). Writing x = x0 z for every x0 6= 0, we have
X
x2GF (qn=2 )x0 2GF (qn=2 )
!pTr( g(x x0q
X
z2GF (qn=2 )x0 2GF (qn=2 )
X
zx02GF (qn=2 )
n=2 ;2 ))+Tr0 ( x+0 x0 )
=
!pTr( g(z))+Tr0 (( z+0)x0) =
!pTr( g(z))+Tr0 (( z+0)x0 ) ;
X
z2GF (qn=2 )
!pTr( g(z)) :
Since g is balanced, we have Pz2GF (qn=2) !pTr( g(z)) = 0, according to Proposition 14. Thus
fc ( 0) =
X
x2GF (qn=2 )
!pTr( g(0))+Tr0 ( x) +
X
zx02GF (qn=2 )
!pTr( g(z))+Tr0 (( z+0)x0 ):
Tr( g(z))+Tr0 (( z+0 )x0 ) is null if z + 0 6= 0.
The partial sum Px02GF (qn=2 ) !X
p
If 6= 0, since the sum
!pTr( g(0))+Tr0 ( x) is null, we deduce that
x2GF (qn=2 )
magnitude qn=2 . And if = 0 and 0 6= 0,
has also magnitude qn=2. We deduce that fc (0
fc ( 0) has
then fc ( 0) =
qn=2!pTr( g(0))
0) has magnitude
n=
2
q as well, thanks to Parseval's relation. Thus, f has perfect nonlinearity
according to Theorem 16.
2
This class of functions is often called Dillon's class or Partial Spreads class
(when q = 2, the support of the function is a partial spread).
6.2 Functions from (GF (q )n +) to (GF (q)n +): perfect and almost perfect
nonlinear mappings
We consider now the case of mappings f from GF (q)n to GF (q)n where q = pl .
Since GF (q)n can be identied, as a vector space over GF (p) with GF (qn) =
GF (pln), this case reduces to that of mappings f from GF (pm) to GF (pm).
If p = 2, the minimum possible value of Pf is p2m , because the characteristic
of the eld being equal to 2, any solution x of the equation Da f (x) = b
34
can be paired with the solution x + a. If p > 2, then the minimum possible
value of Pf is p1m . A function f from GF (pm) to GF (pm) is called (cf. 68,69])
almost perfect nonlinear if Pf = p2m , and perfect nonlinear if Pf = p1m . Perfect
nonlinear mappings are also called planar functions. Perfect and almost perfect
nonlinear mappings have important applications in cryptography and coding
theory 3,11,24,44,69]. In this section we summarize known perfect and almost
perfect nonlinear functions.
Known almost perfect nonlinear power functions xs from GF (2m) to GF (2m)
are the following:
s = 2m ; 2 (Beth and Ding 3], Nyberg 69]).
s = 2h + 1 with gcd(h m) = 1, where 1 h (m ; 1)=2 if m is odd and
1 h (m ; 2)=2 if m is even (Nyberg 69], Gold 41]).
s = 22h ; 2h + 1 with gcd(h m) = 1, where 1 h (m ; 1)=2 if m is odd
and 1 h (m ; 2)=2 if m is even (Kasami 54], Janwa and Wilson 50]).
s = 2(m;1)=2 + 3, where m is odd (Dobbertin 39]).
s = 2(m;1)=2 + 2(m;1)=4 ; 1, where m 1 (mod 4) (Dobbertin 40]).
s = 2(m;1)=2 + 2(3m;1)=4 ; 1, where m 3 (mod 4) (Dobbertin 40]).
Known perfect nonlinear power functions xs from GF (pm) to GF (pm), where
p > 2, are the following (Coulter and Matthews 23], see also Helleseth and
Sandberg 45]):
s = 2.
s = pk + 1, where m= gcd(m k) is odd.
s = (3k + 1)=2, where p = 3, k is odd, and gcd(m k) = 1.
The case s = 2 was known earlier in 28] under the name of generalized
Hadamard matrices.
We deduce that if
s = 2, or
s = pk + 1, where m= gcd(m k) is odd, or
s = (3k + 1)=2, where p = 3, k is odd, and gcd(m k) = 1,
then the matrix D of Theorem 12 is a (q q 1) dierence matrix, i.e., a generalized Hadamard matrix GH(q 1).
The following proposition illustrates the idea of constructing new perfect nonlinear functions from known ones.
Proposition 41 De
ne f (x) = TrGF (pm)=GF (ph )(xs), where m and h are integers with 1 hjm, p is an odd prime, and TrGF (pm)=GF (ph ) is the trace function
35
from GF (pm ) to GF (ph ). If
s = 2, or
s = pk + 1, where m= gcd(m k) is odd, or
s = (3k + 1)=2, where p = 3, k is odd, and gcd(m k) = 1,
then
(a) f (x) is a function from GF (pm ) to GF (ph) with perfect nonlinearity, and
(b) the matrix D of Theorem 12 de
ned by f is a generalized Hadamard
matrix GH(ph pm;h).
PROOF. As made clear before, xs has perfect nonlinearity if s takes on one of
the three values above. The conclusion in part (a) then follows from Theorem
7. The conclusion of part (b) then follows from Theorem 12.
2
Known almost perfect nonlinear power functions xs from GF (pm) to GF (pm),
where p is odd, are the following (due to Helleseth and Sandberg 45], and
Helleseth, Rong, and Sandberg 44]):
s = pmm ; 2, where pm 2 (mod 3) 44].
s = p 2;1 ; 1, where p 3 7 (mod 20), pm > 7, pm 6= 27, and m is odd
45].
s = 3,m where mp 6= 3 44].
s = pm4+1 + p 2;1 , where pm 3 (mod 8) 44].
s = p 4+1 , where pm 7 (mod 8) 44].
s = pmm; 3, where n > 1 is odd and p = 3 44].
s = 2p 3;1 , where pm 2 (mod 3) 44].
s = pm=2 + 2, where p > 3 is prime and pm=2 1 (mod 3) 44].
s = p(m+1)=2 ; 1, where m is odd and p = 3 44].
s = 5k2+1 , where gcd(2m k) = 1 and p = 5 44].
Functions from GF (pm) to GF (pm) with high nonlinearity that are not perfect
or almost perfect nonlinear may be found in Beth and Ding 3], Dobbertin
38], Gold 41], Helleseth and Sandberg 45], Helleseth, Rong and Sandberg
44], Kasami 54], and Lachaud and Wolfmann 58].
Note that any power function is a group homomorphism. The perfect and
almost perfect nonlinear functions in this section illustrate an idea which will
be used again in Subsection 6.3.
36
6.3 Functions with optimum nonlinearity from linear functions
One way of getting functions with optimum nonlinearity with respect to a
pair of operations is to use linear functions with respect to another pair of
operations. The following theorem illustrates this idea ( 34, p. 125], see also
24, p. 296]).
Theorem 42 Any nonzero linear function f from (GF (qm), +) to (GF (q),
+) is a function from (GF (q m) , ) to (GF (q ), +) with optimum nonlinearity
with respect to the two operations and + and Pf = 1q + q(qm1;1) .
The idea of obtaining highly nonlinear functions from linear functions is by
far the most useful tool 24]. We now illustrate this idea further by looking at
the nonlinearity of group characters.
There are two nite abelian groups in a nite eld GF (q), i.e., the additive
group and multiplicative group of the eld. For applications, we need to make
an important distinction between the corresponding two kinds of characters.
We rst consider the additive group (GF (q), +). Let p be the characteristic of
GF (q), and q = pm. We identify the prime eld of GF (q) with Zp. As already
seen at Subsection 3.6, we can dene 1 by
1 (a) = e2i Tr(a)=p for all a 2 GF (q)
which is a character of the additive group (GF (q), +). We call the characters
of the group (GF (q), +) additive characters, and we call the above character
1 the canonical additive character of GF (q). For b 2 GF (q), the function b
with b(a) = 1(ba) for all a 2 GF (q) is an additive character of GF (q), and
every additive character of GF (q) is obtained in this way.
Characters of the multiplicative group GF (q) are called multiplicative characters of GF (q). Since GF (q) is a cyclic group of order q ; 1, its characters
can be easily determined. Let g be a xed primitive element of GF (q). For
each j = 0 1 : : : q ; 2, the function j with
j (gk ) = e2ijk=(q;1) k = 0 1 : : : q ; 2
denes a multiplicative character of GF (q), and every multiplicative character
of GF (q) is obtained in this way.
A multiplicative character is of course linear with respect to (GF (q), )
and (U ), where U is the set of complex numbers of absolute value 1. Let
ord() = d, and let Ud denote the dth roots of unity in the complex numbers.
37
Then is a mapping from GF (q) to Ud. We now extend to GF (q) by
dening
(0) = 1
where 0 is the zero element of GF (q), and 1 is the identity element of Ud. We
write ; for such an extended character of .
Lemma 43 75] Let q ; 1 = dl, and let q be an odd prime power. For the
cyclotomic numbers of order d with respect to GF(q) we have
8
>
< l ; 1 if k = 0
(h h + k) = >
:l
h=0
if 1 k < d:
dX
;1
Theorem 44 Consider the nonlinearity of the extended multiplicative char-
acter ; of order d with respect to (GF (q), +) and (Ud ). Let q be odd and
let ;1 2 Ds(dq) for some 0 s d ; 1, where the Dh(dq) are cyclotomic classes
of order d.
(1)
If d ; s 2k (mod d) has a solution k with 1 k d ; 1, then
P; = dll ++21 = d1 + 2ddq; 1 :
(2)
Otherwise
;1
:
P; = dll ++11 = d1 + d dq
In this case ; has optimal nonlinearity.
PROOF. Since ord() = d, = l . Dene = e2i=d . Then is a primitive
d-th root of unity. Clearly,
; D0(dq) f0g = 1
; Dh(dq) = h 1 h < d:
For any 0 6= a 2 GF(q) and b = k 2 Ud , let a;1 2 Dj(dq) . By Lemma 43
jfx 2 GF(q )jf (x + a)=f (x) = bgj
=
dX
;1
h=0
) (dq)
)
Dh(dq) \ Dk(dq
+ f;ag \ Dd(dq
+h ; a + fag \ Dk
;k
38
=
dX
;1
)
(h + j h + j + k) + fag \ Dk(dq) + f;ag \ Dd(dq
;k
h8=0
>
< l ; 1 + fa ;ag \ D0(dq)
if k = 0
=>
)
: l + fag \ Dk(dq) + f;ag \ Dd(dq
if 1 k < d:
;k
If d ; s 2k (mod d) has a solution k with 1 k d ; 1, then
(dq)
)
max
+ f;ag \ Dd(dq
;k = 2:
a fag \ Dk
Otherwise the maximum value is 1. The conclusions of this theorem then
follow.
2
This theorem says that the nonlinearity of the extended multiplicative character ; with respect to (GF (q), +) and (Ud ) is either optimal or almost
optimal.
Let be an additive character of GF (q), and let d be its order. Then we have
the trivial facts that d > 1 and djq. By denition is linear with respect to
(GF (q), +) and (Ud ). Writing ; for the restriction of to GF (q), we
consider now the nonlinearity of ; with respect to (GF (q), ) and (Ud ).
Theorem 45 For the nonlinearity of the additive character ; with respect
to (GF (q ), ) and (Ud ), we have
1:
Pf = d1 + qd
The proof of Theorem 45 can be found in 24, p. 301]. It says that the nonlinearity of the additive character ; with respect to (GF (q), ) and (Ud )
is optimal.
In general, any group homomorphism is called a group character. Similarly,
we may dene ring homomorphisms which may have high nonlinearity 24, p.
301].
6.4 Other functions from (GF (2m ) ) to (GF (2) +) with optimum nonlinearity
We have obtained at Theorem 42 functions from (GF (qm) ) to (GF (q) +)
with optimum nonlinearity. The most interesting practical case is when q = 2.
39
Several other examples of functions with optimum nonlinearity are known in
this case. Indeed, Boolean functions dened on GF (2m) and such that, for
every a 6= 1, the function f (x) + f (ax) is balanced are said to have ideal
autocorrelation and present much interest for the construction of good sequences for CDMA communications systems. So much work has been done
to obtain such functions.
Their restrictions to GF (2m) have optimum non1
2m;1
linearity Pf = 2m ;1 = 2 + 2(2m1;1) . Thus, as shown at Subsection 4.2, their
supports are cyclic dierence sets with the so-called \Singer parameters" (this
strengthens the reasons why these functions have been much studied).
We list now the known constructions. Note that, if f (x) has ideal autocorrelation, gcd(2m ; 1 ) = 1 and a 2 GF (2m) is nonzero, then f (ax ) has also
ideal autocorrelation.
Theorem 42 corresponds to the fact that the Boolean function on GF (2m )
equal to Tr(x), where Tr denotes the trace function from GF (2m) to GF (2)
has ideal autocorrelation (this can be generalized to any nite eld). We
have indeed:
X
x2GF (2m )
(;1)Tr(x)+Tr(ax) =
X
x2GF (2m )
(;1)Tr((1+a)x) = 0:
The support of this function is called a Singer cyclic dierence set. This
construction is generalized into GMW (Gordon-Mills-Welch) construction:
t f (x) = Tr TrGF (2m )=GF (2r )(x)
where r divides m and gcd(t 2m ; 1) = 1, TrGF (2m )=GF (2r ) is the trace
function from GF (2m) to GF (2r ), and Tr is the trace function from GF (2r )
to GF (2).
A second way to construct functions with ideal autocorrelation is by using
Maschietti's method (cf. 31,64]: nd such that gcd( 2m ; 1) = 1 and
such that the map x 7! x + x is 2 to 1 (i.e. such that for every y 2 GF (2m)
there exist either two or no x 2 GF (2m) such that y = x + x). Then
GF (2n) n fx + x x 2 GF (2n)g is the support of a function f with ideal
auto-correlation. Singer sets with = 1 correspond to = 2. For m odd,
= 6 (Segre case) and two other more complex cases also work (see 32]).
A third way is by using No et al. method (cf. 67]): f is then the indicator
of the set fxd + (x + 1)d x 2 GF (2n)g (if the mapping x 7! xd is not a
permutation) or of its complement (if it is a permutation), where gcd(d 2m ;
1) = 1 and where the map x 7! xd + (x + 1)d is 2 to 1. Take k such that
gcd(k m) = 1 and d = 22k ; 2k +1 (called Kasami exponent) then as shown
by Dillon and Dobbertin in 32] (see also 31]), f has ideal autocorrelation.
A last way is when 2m ; 1 is a prime to take for f the indicator of the set
of all elements t ( a primitive element of GF (2n)) such that t is not a
square mod 2m ; 1.
40
6.5 Functions from Znq to Zq
If q is not a prime, it has been shown in 16] that only one construction among
all known constructions of generalized bent functions can produce perfect
nonlinear functions. This construction, due to Hou 47], is a generalization of
Dillon's (i.e. Partial Spreads) construction of binary bent functions. It uses
the notion of Galois ring and can be specied to produce perfect nonlinear
functions from Znq to Zq where q is a power of a prime and n is even (cf. 16]).
The question whether functions with perfect nonlinearity exist on Znq for n
odd arises. A construction valid for A = Zn4 where n is any positive integer
greater than 1 and B = Z4 has been given in 16]. It uses also Galois rings.
Open Problem 46 Construct perfect nonlinear functions from Znq to Zq for
n odd and q 6= 4, q being not a prime.
6.5.0.1 Other perfect nonlinear functions from Zp to Zp
2
Theorem 47 De
ne f : Zp ! Zp by f (h + jp) = hj mod p for 0 h j p ; 1. Then f has perfect nonlinearity with respect to (Zp +) and (Zp +).
2
2
Theorem 48 Let f : Zp ! Zp be a mapping whose restriction to Zp is
a surjective homomorphism with respect to (Zp ) and (Zp +) and is zero
otherwise. Then f has perfect nonlinearity with respect to (Zp +) and (Zp +).
2
2
2
2
Theorem 47 and Theorem 48 are the functional versions of results about generalized Hadamard matrices due to de Launey 29] and Brock 7] respectively.
We now give one specic function of the type of Theorem 48.
Example 49 Let p be an odd prime, and let be a primitive root modulo
p2. Dene f as
8
>
< h (mod p) if x = h for some h
f (x) = >
:0
otherwise.
Then f satises the conditions of Theorem 48 and has thus perfect nonlinearity.
41
7 Concluding remarks
In this paper we gave a well-rounded treatment of non-Boolean functions with
optimal nonlinearity. We generalized many known results, and introduced the
notion of dierence partitions, and proved a number of new results on difference partitions and on nonlinear functions with perfect nonlinearity. We
presented several open problems on highly nonlinear functions. It should be
noted that functions with optimal nonlinearity always correspond to certain
subjects in combinatorics.
Acknowledgments
The authors are grateful to Harald Niedereitter and the Institute for Mathematical Sciences at the National University of Singapore for bringing them
together for one month in the summer of 2001.
References
1] A. S. Ambrosimov, Properties of bent functions of q-valued logic over nite
elds, Discrete Math. Appl. 4(4) (1994) 341{350.
2] K. T. Arasu, J. A. Jedwab and S. Sehgal, New constructions of Menon dierence
sets, J. Comb. Theory A 64 (1993) 329{336.
3] T. Beth and C. Ding, On almost perfect nonlinear permutations, in: Advances
in Cryptology { Eurocrypt'93, Lecture Notes in Computer Science, Vol. 765,
New York, Springer-Verlag, 1994, pp. 65{76.
4] T. Beth, D. Jungnickel and H. Lenz, Design Theory, Vol. 1, Second Edition,
Cambridge, Cambridge University Press, 1999.
5] E. Biham and A. Shamir, Dierential Cryptanalysis of DES-like Cryptosystems,
J. of Cryptology 4(1) (1991) 3{72.
6] B. W. Brock, Hermitian congruence and the existence and completion of
generalized Hadamard matrices, J. Combin. Theory A 49 (1988) 233{261.
7] B. W. Brock, A new construction of circulant GH( 2 Zp ), Discrete Math. 112
(1993) 249{252.
p
8] P. Camion and A. Canteaut, Construction of -resilient functions over a nite
alphabet, in: Advances in Cryptology, EUROCRYPT'96, Lecture Notes in
Computer Sciences, Springer Verlag, Vol. 1070, 1996, pp. 283{293.
t
42
9] P. Camion and A. Canteaut, Generalization of Siegenthaler inequality
and Schnorr-Vaudenay multipermutations, In: N. Koblitz Ed., Advances in
Cryptology - CRYPTO'96, Lecture Notes in Computer Science, Vol. 1109,
Springer-Verlag, 1996, pp. 372{386.
10] A. Canteaut, C. Carlet, P. Charpin and C. Fontaine, Propagation characteristics
and correlation-immunity of highly nonlinear Boolean functions, in: Proceedings
of Eurocrypt'00, Lecture Notes in Computer Science, Vol. 1807, Springer Verlag,
2000, pp. 507{520.
11] A. Canteaut, P. Charpin and H. Dobbertin, Weight divisibility of cyclic codes,
highly nonlinear functions on F2m , and crosscorrelation of maximum-length
sequences, SIAM J. Discrete Math. 13(1) (2000) 105{138.
12] C. Carlet, Two new classes of bent functions, in: Advances in Cryptology
{ Eurocrypt'93, Lecture Notes in Computer Sciences, Vol. 765, Heidelberg,
Springer Verlag, 1994, pp. 77{101.
13] C. Carlet, A construction of bent functions, in: Finite Fields and Applications,
London Mathematical Society Lecture Notes Series 233, Cambridge, Cambridge
University Press, 1996, pp. 47{58.
14] C. Carlet, Recent results on bent functions, in: Proceedings of the International
Conference on Combinatorics, Information Theory and Statistics, 1999, pp. 275291.
15] C. Carlet, On cryptographic propagation criteria for Boolean functions,
Information and Computation 151 (1999) 32{56.
16] C. Carlet and S. Dubuc, On generalized bent and -ary perfect nonlinear
functions, in: D. Jungnickel and H. Niederreiter Eds., Finite Fields and
Applications, Proceedings of Fq5, Springer Verlag, 2000, pp. 81-94.
17] C. Carlet and P. Guillot, A characterization of binary bent functions, Designs,
Codes and Cryptography 14 (1998) 130{140.
18] C. Carlet and P. Guillot, An alternate characterization of the bentness of binary
functions with uniqueness, J. Comb. Theory A 76 (1996) 328{335.
19] C. Carlet and P. Guillot, A new characterization of Boolean functions, in:
Proceedings of AAECC'13, Lecture Notes in Computer Science, Vol. 1719,
Springer Verlag, pp. 94{103.
20] F. Chabaud and S. Vaudenay, Links between Dierential and Linear
Cryptanalysis, in: Proceedings of EUROCRYPT'94, Advances in Cryptology,
Lecture Notes in Computer Science, Vol. 950, Springer Verlag, 1995, pp. 356{
365.
21] Y. Q. Chen, On the existence of abelian Hadamard dierence sets and a new
family of dierence sets, Finite Fields Appl. 3 (1997) 234{256.
22] C. J. Colbourn and W. de Launey, Dierence matrices, in: C. Colbourn and
J. H. Dinitz Eds., Handbook of Combinatorial Designs, New York, CRC Press,
1996, Chapter IV.11, pp. 287{297.
q
43
23] R. S. Coulter and R. Matthews, Planar functions and plans of the Lenz-Barlotti
class II, Designs, Codes and Cryptography 10 (1997) 165{195.
24] T. W. Cusick, C. Ding and A. Renvall, Stream Ciphers and Number Theory,
North-Holland Mathematical Library 55, Amsterdam, North-Holland/Elsevier,
1998.
25] T. W. Cusick and H. Dobbertin, Some new 3-valued crosscorrelation functions
of binary sequences, IEEE Trans. Inform. Theory 42 (1996) 1238{1240.
26] J. A. Davis, Almost dierence sets and reversible dierence sets, Arch. Math.
59 (1992) 595{602.
27] W. de Launey, Square GBRDs over non-abelian groups, Ars Combin. 27 (1989)
40{49.
28] W. de Launey, Generalized Hadamard matrices which are developed modulo a
group, Discrete Math. 104 (1992) 49{65.
29] W. de Launey, Circulant GH( 2 Zp ) exist for all primes , Graphs Combin. 8
(1992) 317{321.
30] J. F. Dillon, Elementary Hadamard Dierence sets, Ph.D Thesis, Univ. of
Maryland, 1974.
31] J. F. Dillon, Multiplicative dierence sets via additive characters, Designs,
Codes and Cryptography 17 (1999) 225{235.
32] J. F. Dillon and H. Dobbertin, Cyclic dierence sets with Singer Parameters,
Manuscript, 1999.
33] C. Ding, Binary cyclotomic generators, in: B. Preneel Ed., Fast Software
Encryption, Lecture Notes in Computer Science, Vol. 1008, New York, SpringerVerlag, 1995, pp. 29{60.
34] C. Ding, Cryptographic Counter Generators, TUCS Dissertations 4, Turku
Centre for Computer Science, Turku, Painosalama Oy, 1997.
35] C. Ding, T. Helleseth, and K. Y. Lam, Several classes of binary sequences with
three-level autocorrelation, IEEE Trans. Inform. Theory 45(7) (1999) 2601{
2606.
36] C. Ding, T. Helleseth and H. M. Martinsen, New families of binary sequences
with optimal three-level autocorrelation, IEEE Trans. Inform. Theory 47(1)
(2001) 428{433.
37] H. Dobbertin, Construction of bent functions and balanced Boolean functions
with high nonlinearity, in: B. Preneel Ed., Fast Software Encryption, Lecture
Notes in Computer Science, Vol. 1008, Heidelberg, Springer Verlag, 1995, pp.
61{74.
38] H. Dobbertin, One-to-one highly nonlinear functions on nite elds with
characteristic 2, Appl. Algebra Engrg. Comm. Comput. 9 (1998) 139{152.
p
p
44
39] H. Dobbertin, Almost perfect nonlinear power functions on
case, IEEE Trans. Inform. Theory 45 (1999) 1271{1275.
GF
40] H. Dobbertin, Almost perfect nonlinear power functions on
case, Information and Computation 151 (1999) 57{72.
(2n ): The Welch
GF
(2n ): The Niho
41] R. Gold, Maximal recursive sequences with 3-valued recursive crosscorrelation
functions, IEEE Trans. Inform. Theory 14 (1968) 154{156.
42] B. Gordon, W. H. Mills and L. R. Welch, Some new dierence sets, Canadian
J. Math. 14 (1962) 614{625.
43] A. R. Hammons Jr., P. V. Kumar, A. R. Calderbank, N. J. A. Sloane and P.
Sole, The 4 -linearity of Kerdock, Preparata, Goethals and related codes, IEEE
Trans. Inform. Theory 40(2) (1994) 301{319.
Z
44] T. Helleseth, C. Rong and D. Sandberg, New families of almost perfect nonlinear
power mappings, IEEE Trans. Inform. Theory 45(2) (1999) 475{485.
45] T. Helleseth and D. Sandberg, Some power mappings with low dierential
uniformity, Applicable Algebra in Engineering, Communication and Computing
8 (1997) 363{370.
46] E. Hewitt and K. Ross, Abstract Harmonic Analysis, Springer, Heidelberg, 1970.
47] X. D. Hou, -ary bent functions constructed from chain rings, Finite Fields and
their Applications 4 (1998) 55{61.
q
48] X. D. Hou, Bent functions, Partial dierence sets, and quasi-Frobenius local
rings, Designs, Codes and Cryptography 20 (2000) 251{268.
49] X. D. Hou and P. Langevin, Results on bent functions, J. Comb. Theory A 80
(1997) 232{246.
50] H. Janwa and R. Wilson, Hyperplane sections of Fermat varieties in 3 in char.
2 and some applications to cyclic codes, in: Proceedings AAECC-10, Lecture
Notes in Computer Science, Vol. 673, Berlin, Springer-Verlag, 1993, pp. 180{
194.
P
51] D. Jungnickel, Dierence sets, in: J. Dinitz and D. R. Stinson Eds.,
Contemporary Design Theory: A Collection of Surveys, John Wiley & Sons,
1992.
52] D. Jungnickel and A. Pott, Perfect and almost perfect sequences, Discrete
Applied Mathematics 95 (1999) 331{359.
53] D. Jungnickel and A. Pott, Dierence sets: an introduction, in: A. Pott, P.V.
Kumar, T. Helleseth and D. Jungnickel Eds., Dierence Sets, Sequences and
their Correlation Properties, Amsterdam, Kluwer, 1999, pp. 259{295.
54] T. Kasami, The weight enumerates for several classes of subcodes of the second
order binary Reed-Muller codes, Information and Control 18 (1971) 369{394.
45
55] A. M. Kerdock, A class of low-rate nonlinear codes, Information and Control
20 (1972) 182-187.
56] R. G. Kraemer, Proof of a conjecture on Hadamard 2-groups, J. Comb. Theory
A 63 (1993) 1{10.
57] P. V. Kumar, R. A. Scholtz and L. R. Welch, Generalized bent functions and
their properties, Journal of Combinatorial Theory A 40 (1985) 90{107.
58] G. Lachaud and J. Wolfmann, The weights of the orthogonal of the extended
quadratic binary Goppa codes, IEEE Trans. Inform. Theory 36 (1990) 686{692.
59] P. Langevin, On generalized bent functions, in: CISM Courses and Lectures 339
(Eurocode), 1992, pp. 147{157.
60] A. Lempel, M. Cohn and W. L. Eastman, A class of binary sequences with
optimal autocorrelation properties, IEEE Trans. Inform. Theory 23(1) (1977)
38{42.
61] R. Lidl and H. Niederreiter, Finite Fields, Encyclopedia of Mathematics and its
Applications, Vol. 20, Reading, Massachusetts, Addison-Wesley, 1983.
62] O. A. Logachev, A. A. Salnikov and V. V. Yashchenko, Bent functions on a
nite Abelian group, Discrete Math. Appl. 7(6) (1997) 547-564.
63] F. J. MacWilliams and N. J. A. Sloane, The Theory of Error-Correcting Codes,
Amsterdam, North Holland, 1977.
64] A. Maschietti, Dierence sets and hypherovals, Designs, Codes and
Cryptography 14 (1998) 89{98.
65] M. Matsui, Linear cryptanalysis method for DES cipher, in: Advances in
Cryptology - EUROCRYPT'93, Lecture Notes in Computer Science, Vol. 765.
Springer-Verlag, 1994, pp. 386{397.
66] A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied
Cryptography, CRC Press Series on Discrete Mathematics and Its Applications,
1996.
67] J.-S. No, S. W. Golomb, G. Gong, H.-K. Lee and P. Gaal, Binary pseudorandom
sequences of period 2m ; 1 with ideal autocorrelation generated by the
polynomial d + ( + 1)d , IEEE Trans. Information Theory 44(3) (1998) 12781282.
68] K. Nyberg, Perfect non-linear S-boxes, in: Advances in Cryptology,
EUROCRYPT'91, Springer Verlag, Lecture Notes in Computer Science, Vol.
547, Springer Verlag, 1992, pp. 378{386.
69] K. Nyberg, Dierentially uniform mappings for cryptography, in: Advances in
Cryptography { Eurocrypt'93, Lecture Notes in Computer Science, Vol. 765,
New York, Springer-Verlag, 1994, pp. 55{64.
70] J. D. Olsen, R. A. Scholtz and L. R. Welch, Bent function sequences, IEEE
Trans. Inform. Theory 28(6) (1982) 858{864.
z
z
46
71] V. S. Pless and W. C. Human, Handbook of Coding Theory, Amsterdam,
Elsevier, 1998.
72] A. Pott, Finite Geometry and Character Theory, Lecture Notes in Mathematics,
Vol. 1601, Berlin, Springer Verlag, 1995.
73] O. S. Rothaus, On bent functions, J. Comb. Theory A 20 (1976) 300{305.
74] T. Storer, Cyclotomy and Dierence Sets, Chicago, Markham, 1967.
75] T. W. Tze, S. Chanson, C. Ding, T. Helleseth and M. Parker, Logarithm
authentication codes, Information and Computation, to appear in 2003.
76] R. J. Turyn, A special class of Williamson matrices and dierence sets, J. Comb.
Theory A 36 (1984) 111{115.
77] J. Wolfmann, Bent functions and coding theory, in: A. Pott, P. V. Kumar,
T. Helleseth and D. Jungnickel Eds., Dierence Sets, Sequences and their
Correlation Properties, Amsterdam, Kluwer, 1999, pp. 393{417.
78] M. Xia, Some innite class of Williamson matrices and dierence sets, J. Comb.
Theory A 61 (1992) 230{242.
79] Q. Xiang, Recent results on dierence sets with classical parameters, in: A. Pott,
P. V. Kumar, T. Helleseth and D. Jungnickel Eds., Dierence Sets, Sequences
and their Correlation Properties, Amsterdam, Kluwer, 1999, pp. 419{434.
47
