Journal of Complexity 20 (2004) 205–244
http://www.elsevier.com/locate/jco
Highly nonlinear mappings
Claude Carlet a,*,1 and Cunsheng Ding b
a INRIA Projet Codes, Domaine de Voluceau, BP 105, 78153 Le Chesnay Cedex, France
b Department of Computer Science, Hong Kong University of Science and Technology, Clear Water Bay, Kowloon, Hong Kong, China
Received 9 January 2003; accepted 12 August 2003
Abstract
Functions with high nonlinearity have important applications in cryptography, sequences
and coding theory. The purpose of this paper is to give a well-rounded treatment of non-Boolean functions with optimal nonlinearity. We summarize and generalize known results,
and prove a number of new results. We also present open problems about functions with high
nonlinearity.
© 2003 Elsevier Inc. All rights reserved.
Keywords: Functions; Nonlinearity; Cryptography; Coding; Sequences; Difference partition; Difference
matrices; Difference sets; Almost difference sets; Generalized Hadamard matrices
1. Introduction
Functions with high nonlinearity have important applications in cryptography
[3,14,24,63,64,66,67], sequences [25,69] and coding theory [11,55,61,75]. In cryptography, functions with high nonlinearity are necessary for achieving confusion. They
are used to construct keystream generators for stream ciphers, S-boxes for block
ciphers, building blocks for hash algorithms, and authentication codes. In coding
theory, they permit the construction of good error-correcting codes. In sequences, they are
used to obtain good autocorrelation for CDMA communication systems.
During the last 20 years, there have been many studies of Boolean functions with
high nonlinearity. See, for example, [10,12–15,17–20,37–40,67,71]. Non-Boolean
functions also have important applications in cryptography [8,9,64], sequences
[57,68] and coding theory [43,69], but they have been less studied. It turns out that
functions with optimum nonlinearity correspond to certain combinatorial designs.
Thus the study of functions with optimum nonlinearity could lead to new problems
in combinatorics.
* Corresponding author.
E-mail addresses: claude.carlet@inria.fr (C. Carlet), cding@cs.ust.hk (C. Ding).
1 Also at University of Paris 8 and GREYC-Caen.
0885-064X/$ - see front matter © 2003 Elsevier Inc. All rights reserved.
doi:10.1016/j.jco.2003.08.008
The purpose of this paper is to give a well-rounded treatment of non-Boolean
functions with optimum or almost optimum nonlinearity. We summarize the known
results on this subject, which have been presented in a large number of papers. We
generalize several of them and we prove new results. We present open problems
about functions with high nonlinearity, and propose new problems in combinatorics
by establishing relations between functions with optimum nonlinearity and certain
subjects of combinatorics.
2. Preliminaries
Let $f$ be a function from an abelian group $(A,+)$ of order $n$ to another abelian
group $(B,+)$ of order $m$. $f$ is linear if and only if $f(x+y) = f(x) + f(y)$ for all
$x, y \in A$. A function $g$ is affine if and only if $g = f + b$, where $f$ is linear and $b$ is a
constant. Clearly, the zero function is linear. If $f$ is a nonzero linear function from $A$
to $B$, let $H = \{x \in A \mid f(x) = 0\}$. Then $H$ is a subgroup of $A$, $f(A)$ is a subgroup of $B$
and, denoting by $|S|$ the size of a set $S$, $|f(A)| \cdot |H| = n$. In the case that $n$ is odd
and $m$ is a power of 2, the only linear function from $A$ to $B$ is the zero function, since
if $f \neq 0$, then $|f(A)|$ is even, a contradiction with the fact that $n$ is odd; thus all affine
functions are constant functions.
The (Hamming) distance between two functions $f$ and $g$ from $A$ to $B$, denoted by
$d(f,g)$, is defined to be
$$d(f,g) = |\{x \in A \mid f(x) - g(x) \neq 0\}|.$$
One way of measuring the nonlinearity of a function $f$ from $(A,+)$ to $(B,+)$ is to use
the minimum distance between $f$ and all affine functions from $(A,+)$ to $(B,+)$. With
this approach the nonlinearity of $f$ is defined to be
$$N_f = \min_{l \in L} d(f,l), \tag{1}$$
where $L$ denotes the set of all affine functions from $(A,+)$ to $(B,+)$. This measure of
nonlinearity is related to linear cryptanalysis (cf. [63]) but it is not useful in some
general cases. For example, as pointed out above, in the case $|A|$ is odd and $|B|$ is a
power of 2, this measure makes little sense as there are no nonconstant affine
functions from $(A,+)$ to $(B,+)$.
A robust measure (cf. [66]) of the nonlinearity of functions is related to differential
cryptanalysis (cf. [5]) and uses the derivatives $D_a f(x) = f(x+a) - f(x)$. It may be
defined by
$$P_f = \max_{0 \neq a \in A} \max_{b \in B} \Pr(D_a f(x) = b), \tag{2}$$
where $\Pr(E)$ denotes the probability of the occurrence of event $E$. The smaller the
value of $P_f$, the higher the corresponding nonlinearity of $f$ (if $f$ is linear, then
$P_f = 1$). In some cases, it is possible to find the exact relation between the two
measures on nonlinearity. We will come back to this later. Note that both
nonlinearity measures are relative to the two operations of the two abelian groups.
3. Functions with perfect nonlinearity
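Let $f$ be a function from $(A,+)$ to $(B,+)$. For any $b \in B$ define
$$C_b = f^{-1}(b) = \{a \in A \mid f(a) = b\}. \tag{3}$$
We have the following property.
Lemma 1. Let $f$ be a function from $(A,+)$ to $(B,+)$. Then, for every $a \in A$ and every
$b \in B$,
$$\Pr(D_a f(x) = b) = \frac{\sum_{z \in B} |C_z \cap (C_{z+b} - a)|}{|A|}.$$
Proof. We have
$$\begin{aligned}
|\{x \in A \mid D_a f(x) = b\}|
&= \Big| \bigcup_{z \in B} \{x \in A \mid f(x) = z \text{ and } f(x+a) = z+b\} \Big| \\
&= \Big| \bigcup_{z \in B} (C_z \cap (C_{z+b} - a)) \Big| \\
&= \sum_{z \in B} |C_z \cap (C_{z+b} - a)|.
\end{aligned}$$
The conclusion then follows. □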
Notice that, for every $a \in A$, the sets $\{x \in A \mid D_a f(x) = b\}$ constitute a partition of
$A$, and thus we have the following lemma.
Lemma 2. For every $a \in A$, we have
$$|A| = \sum_{b \in B} |\{x \in A \mid D_a f(x) = b\}|.$$
Note that the maximum of a sequence of numbers is greater than or equal to its
mean. It then follows that, for every $a \in A$,
$$\max_{b \in B} [\Pr(D_a f(x) = b)] = \max_{b \in B} \frac{|\{x \in A \mid D_a f(x) = b\}|}{|A|} \geq \frac{1}{|B|}.$$
Then
$$P_f \geq \frac{1}{|B|}. \tag{4}$$
This lower bound can be considered as an upper bound for the nonlinearity of $f$. For
applications in coding theory and cryptography we wish to find functions with the
smallest possible $P_f$.
Definition 3. A function $f : A \to B$ has perfect nonlinearity if $P_f = \frac{1}{|B|}$.
Since the maximum of a sequence of numbers equals its mean if and only if the
sequence is constant, inequality (4) is an equality if and only if, for every $b \in B$ and
every $a \in A^* = A \setminus \{0\}$, the quantity $|\{x \in A \mid D_a f(x) = b\}|$ has value $\frac{|A|}{|B|}$.
Definition 4. A function $g : A \to B$ is balanced if the size of $g^{-1}(b)$ is the same for
every $b \in B$ (this size is then $\frac{|A|}{|B|}$).
Theorem 5. A function $f : A \to B$ has perfect nonlinearity if and only if, for every
$a \in A^* = A \setminus \{0\}$, the derivative $D_a f$ is balanced (this is possible only if $|B|$ divides $|A|$).
In the case of Boolean functions (i.e. functions from $GF(2)^n$ to $GF(2)$, where
$GF(2)$ is the two-element field), perfect nonlinear functions are also called bent (cf.
[71]). We recall in Section 3.6 the definitions and properties of bent functions.
3.1. Stability of the set of perfect nonlinear functions under actions of general affine groups
The addition of any perfect nonlinear function from $(A,+)$ to $(B,+)$ and any
affine function from $(A,+)$ to $(B,+)$ is clearly a perfect nonlinear function.
Theorem 6. Assume that $f(x)$ is a function from $(A,+)$ to $(B,+)$ with perfect
nonlinearity and $l(x)$ is a linear or an affine permutation from $(A,+)$ to $(A,+)$; then the
composition $f \circ l$ is another function from $(A,+)$ to $(B,+)$ with perfect nonlinearity.
Proof. If $l(x)$ is a linear permutation, then $f(l(x+a)) - f(l(x))$ is equal to
$f(l(x) + l(a)) - f(l(x))$ and is balanced for every $a \neq 0$ since $l(a) \neq 0$ if and only if $a \neq 0$. If $l(x)$
is a translation, say $l(x) = x + u$, then $f(l(x+a)) - f(l(x)) = f(x+u+a) - f(x+u)$
is balanced. The conclusion then follows by composition. □
Theorem 7. Let $f : (A,+) \to (B,+)$ have perfect nonlinearity, and let
$l : (B,+) \to (C,+)$ be a linear onto function. Then the composition $l \circ f$ is a function
from $(A,+)$ to $(C,+)$ with perfect nonlinearity.
Proof. Since $l$ is linear, we have
$$l(f(x+a)) - l(f(x)) = l(f(x+a) - f(x)).$$
The conclusion then follows from the facts that $l$ is linear and onto and that $f$ has
perfect nonlinearity. □
Theorem 7 leads to a construction of perfect nonlinear functions which is rather
useful, as justified by the results of Proposition 41.
3.2. Perfect nonlinear functions and difference partitions
Perfect nonlinear functions are naturally related to the combinatorial notion of
difference partition.
Let $(A,+)$ and $(B,+)$ be two abelian groups of orders $n$ and $m$, respectively.
Assume that $\{C_b \mid b \in B\}$ is a partition of $A$. We call $\{C_b \mid b \in B\}$ an $(n, m, \delta)$ difference
partition of $(A,+)$ with respect to $(B,+)$ if
$$\sum_{z \in B} |C_z \cap (C_{z+b} - a)| \leq \delta \tag{5}$$
for all $b \in B$ and all nonzero elements $a$ of $A$, and if for at least one pair $(a, b)$ the
equality of (5) is achieved. Note that for a difference partition $\{C_b \mid b \in B\}$ some $C_b$
may be empty. The difference partitions defined here are quite different from the
difference families that have been studied in combinatorics [4, Chapter VII].
Since $\{C_z \cap (C_{z+b} - a) \mid z, b \in B\}$ is a partition of $A$, we have
$$\delta m \geq n. \tag{6}$$
The case of equality corresponds to perfect nonlinear functions.
Proposition 8. Let $(A,+)$ and $(B,+)$ be abelian groups of orders $n$ and $m$, respectively.
Let $\{C_b \mid b \in B\}$ be an $(n, m, \delta)$ difference partition of $(A,+)$ with respect to $(B,+)$. Let
$f$ be the function from $A$ to $B$ defined by $f(x) = b$, for every $x \in C_b$. Then $P_f = \frac{\delta}{n}$. Thus,
$f$ has perfect nonlinearity if and only if $m$ divides $n$ and $\{C_b(f) \mid b \in B\}$ is an $(n, m, n/m)$
difference partition of $(A,+)$ with respect to $(B,+)$.
Proof. It follows from Lemma 1. □
If $\{C_b(f) \mid b \in B\}$ is an $(n, m, n/m)$ difference partition of $(A,+)$ with respect to
$(B,+)$, then the equality in (5) holds for all $b \in B$ and all nonzero elements $a$ of $A$.
There are some restrictions on the possible sizes of the sets $C_b$.
Theorem 9. Let $(A,+)$ and $(B,+)$ be abelian groups of orders $n$ and $m$, respectively,
where $m$ divides $n$. If an $(n, m, n/m)$ difference partition $\{C_b \mid b \in B\}$ of $A$ with respect to
$B$ exists, then for any nonzero $b \in B$
$$\begin{cases}
\sum_{z \in B} k_z^2 = \dfrac{n^2 + (m-1)n}{m}, \\[4pt]
\sum_{z \in B} k_z k_{z+b} = \dfrac{n(n-1)}{m}, \\[4pt]
\sum_{z \in B} k_z = n,
\end{cases} \tag{7}$$
where $k_z = |C_z|$ for each $z \in B$.
Proof. If $\{C_b \mid b \in B\}$ is an $(n, m, n/m)$ difference partition, we have $\sum_{z \in B} k_z = n$ and
$$\sum_{z \in B} |C_z \cap (C_{z+b} - a)| = \frac{n}{m}$$
for all $b \in B$ and all nonzero elements $a$ of $A$. It then follows that for any nonzero
$b \in B$
$$\begin{aligned}
\frac{n(n-1)}{m}
&= \sum_{a \in A \setminus \{0\}} \sum_{z \in B} |C_z \cap (C_{z+b} - a)| \\
&= \sum_{z \in B} \sum_{a \in A \setminus \{0\}} |C_z \cap (C_{z+b} - a)| \\
&= \sum_{z \in B} |\{x \in A, a \in A^* \mid f(x) = z \text{ and } f(x+a) = z+b\}| \\
&= \sum_{z \in B} |\{x \in A, a \in A \mid f(x) = z \text{ and } f(x+a) = z+b\}| \\
&= \sum_{z \in B} k_z k_{b+z}.
\end{aligned}$$
Similarly, we obtain
$$\begin{aligned}
\frac{n(n-1)}{m}
&= \sum_{a \in A \setminus \{0\}} \sum_{z \in B} |C_z \cap (C_z - a)| \\
&= \sum_{z \in B} \sum_{a \in A \setminus \{0\}} |C_z \cap (C_z - a)| \\
&= \sum_{z \in B} |\{x \in A, a \in A^* \mid f(x) = z \text{ and } f(x+a) = z\}| \\
&= \sum_{z \in B} k_z (k_z - 1) \\
&= \sum_{z \in B} k_z^2 - \sum_{z \in B} k_z \\
&= \sum_{z \in B} k_z^2 - n.
\end{aligned}$$
This completes the proof. □
Theorem 10. Let $(A,+)$ and $(B,+)$ be abelian groups of orders $n$ and $m$, respectively,
where $n$ is a multiple of $m$. If $f$ is a function from $A$ to $B$ with perfect nonlinearity
$P_f = \frac{1}{m}$, then for any $b \in B$
$$\frac{n}{m} - \sqrt{\frac{(m-1)n}{m}} \leq k_b \leq \frac{n}{m} + \sqrt{\frac{(m-1)n}{m}},$$
where $k_z = |\{x \in A \mid f(x) = z\}|$. Furthermore,
$$\frac{(m-1)n}{m} - \sqrt{\frac{(m-1)n}{m}} \leq N_f \leq \frac{(m-1)n}{m} + \sqrt{\frac{(m-1)n}{m}}.$$
If $B$ has exponent 2, i.e., $2b = 0$ for any $b \in B$, then for any $b \in B$
$$\frac{n - (m-1)\sqrt{n}}{m} \leq k_b \leq \frac{n + (m-1)\sqrt{n}}{m},$$
where $k_z = |\{x \in A \mid f(x) = z\}|$. Furthermore,
$$\frac{(m-1)n - (m-1)\sqrt{n}}{m} \leq N_f \leq \frac{(m-1)n + (m-1)\sqrt{n}}{m}.$$
Proof. We prove the first conclusion. Set $k_b = n/m + \lambda_b$. It follows from the last
equation of (7) that $\sum_b \lambda_b = 0$. Combining this equality and the first one of (7) yields
$$\sum_b \lambda_b^2 = \frac{(m-1)n}{m}.$$
Hence $|\lambda_b| \leq \sqrt{\frac{(m-1)n}{m}}$. This proves the conclusion on $k_b$. The lower and upper bounds
on $N_f$ then follow from the bounds on $k_b$ and the fact that the sum of a function with
perfect nonlinearity and any affine function is again a function with perfect nonlinearity.
We now prove the bounds for the case that $B$ has exponent 2. For any nonzero
$b \in B$, by (7)
$$\begin{aligned}
\sum_{z \in B} (k_z - k_{z+b})^2
&= \sum_{z \in B} k_z^2 - 2 \sum_{z \in B} k_z k_{z+b} + \sum_{z \in B} k_{z+b}^2 \\
&= 2\,\frac{n^2 + (m-1)n}{m} - 2\,\frac{n(n-1)}{m} \\
&= 2n.
\end{aligned} \tag{8}$$
Since $B$ has exponent 2, in the summation
$$\sum_{z \in B} (k_z - k_{z+b})^2$$
both $(k_z - k_{z+b})^2$ and $(k_{z+b} - k_z)^2$ occur as terms. Then by (8)
$$2(k_z - k_{z+b})^2 = (k_z - k_{z+b})^2 + (k_{z+b} - k_z)^2 \leq 2n$$
and hence
$$-\sqrt{n} \leq k_z - k_{z+b} \leq \sqrt{n}. \tag{9}$$
It follows that
$$-(m-1)\sqrt{n} \leq (m-1)k_z - \sum_{b \neq 0} k_{z+b} \leq (m-1)\sqrt{n}.$$
Note that $\sum_{b \neq 0} k_{z+b} = n - k_z$. We have
$$\frac{n - (m-1)\sqrt{n}}{m} \leq k_z \leq \frac{n + (m-1)\sqrt{n}}{m}.$$
The bounds on $N_f$ follow from those on $k_b$ and the fact that the sum of a function
with perfect nonlinearity and any affine function gives also a function with perfect
nonlinearity. □
For the existence of functions with perfect nonlinearity, we have the following
result.
Theorem 11. Assume that there is a function with perfect nonlinearity from an abelian
group of order $n$ to another abelian group of order $m$, where $m$ divides $n$. If $m$ is even,
then $n$ is a square. If $m$ is odd, then
$$z^2 = n x^2 + (-1)^{(m-1)/2}\, m y^2$$
has a nontrivial solution in integers.
Theorem 11 is a direct consequence of Lemma 24 below, which was stated in [6,7]
for the existence of generalized Hadamard matrices.
3.3. Functions with perfect nonlinearity and difference matrices
It is known that Boolean functions with perfect nonlinearity (i.e. bent functions)
are related to Hadamard matrices (cf. [71]). More generally, functions with perfect
nonlinearity are related to the so-called difference matrices and generalized
Hadamard matrices.
Let $(G,+)$ be a group of order $m$. An $(m, k, \lambda)$ difference matrix is a $k \times m\lambda$ matrix
$D = (d_{ij})$ with entries from $G$, so that for each $1 \leq h < j \leq k$, the list
$$\{d_{hl} - d_{jl} \mid 1 \leq l \leq m\lambda\}$$
contains $\lambda$ times every element of $G$. Similarly, difference matrices can be defined
over nonabelian groups [4,22]. A generalized Hadamard matrix $GH(m, \lambda)$ is a
$(m, m\lambda, \lambda)$ difference matrix. Hence Hadamard difference matrices are special
difference matrices. In particular, a Hadamard matrix $H(4n)$ is a $GH(2, 2n)$ over the
group $(\{1, -1\}, \times)$.
Theorem 12. Let $f$ be a function from an abelian group $(A,+)$ of order $n$ to another
one $(B,+)$ of order $m$, where $m$ divides $n$. Let $A = \{a_0, a_1, \ldots, a_{n-1}\}$, and define an
$n \times n$ matrix $D$ as
$$D = \begin{pmatrix}
f(a_0 + a_0) & f(a_0 + a_1) & \cdots & f(a_0 + a_{n-1}) \\
f(a_1 + a_0) & f(a_1 + a_1) & \cdots & f(a_1 + a_{n-1}) \\
\vdots & \vdots & \ddots & \vdots \\
f(a_{n-1} + a_0) & f(a_{n-1} + a_1) & \cdots & f(a_{n-1} + a_{n-1})
\end{pmatrix}.$$
Then $f$ has perfect nonlinearity $P_f = \frac{1}{m}$ if and only if $D$ is a $GH(m, n/m)$, i.e., an $n \times n$
generalized Hadamard matrix.
Proof. By Theorem 5, $f$ has perfect nonlinearity if and only if $D_a f(x) = f(x+a) - f(x)$ takes on each element of $B$ exactly $n/m$ times for each nonzero element $a$ of $A$.
The conclusion then follows. □
Remarks.
(a) Any $k$ rows of the matrix $D$ of Theorem 12 give an $(m, k, n/m)$ difference
matrix over $B$. Theorem 12 shows that every function with perfect nonlinearity
gives generalized Hadamard matrices. But clearly, many generalized Hadamard
matrices do not give functions with optimum nonlinearity.
(b) Theorem 12 is a rather straightforward result, which traces back to at least [28].
Example 13. Define the function $f(x)$ from $GF(q)^{2t}$ to $GF(q)$ as
$$f(x_1, x_2, \ldots, x_{2t}) = x_1 x_2 + x_3 x_4 + \cdots + x_{2t-1} x_{2t}.$$
We will show in Theorem 39 that this function is perfect nonlinear. Then the matrix
$D$ of Theorem 12 is a $(q, q^{2t}, q^{2t-1})$ difference matrix, i.e., a generalized Hadamard
matrix $GH(q, q^{2t-1})$.
Remark. It is shown by de Launey that for any group $G$ of prime power order $q$ and
any integer $t > 0$, there is a $GH(q, q^{2t-1})$ over $G$ [27]. Here $G$ may not be elementary
abelian. It remains to be checked whether the construction of Corollary 13 is the
same as the one of de Launey [27].
3.4. A characterization of perfect nonlinearity by means of Fourier transform
We denote by $e$ the exponent of $A$; it is the maximum order of elements of $A$; it is
also called the characteristic of $A$ since $A$ is in additive representation. A
homomorphism between $A$ and a multiplicative group $G$ is any mapping $\chi$ from $A$
to $G$ such that
$$\chi(a + a') = \chi(a)\chi(a')$$
for all $a, a' \in A$.
A character of $A$ is any homomorphism from $A$ to the multiplicative group of all
complex $e$th roots of unity. The multiplicative group $\hat{A}$ of characters of $A$ is
isomorphic to the group $A$ (cf. [46]). We fix some isomorphism from $A$ to $\hat{A}$ and we
denote by $\chi_\alpha$ the image of $\alpha \in A$ by this isomorphism. $\chi_0$ is the trivial character, i.e.
the constant function 1.
For every $a \neq 0$, we have $\sum_{\alpha \in A} \chi_\alpha(a) = 0$; indeed, there exists $\alpha' \in A$ such that
$\chi_{\alpha'}(a) \neq 1$; then the equality
$$\sum_{\alpha \in A} \chi_\alpha(a) = \sum_{\alpha \in A} \chi_{\alpha + \alpha'}(a) = \chi_{\alpha'}(a) \sum_{\alpha \in A} \chi_\alpha(a)$$
implies $\sum_{\alpha \in A} \chi_\alpha(a) = 0$.
Let $E$ be any subgroup of $A$. Denote by $E^\perp$ the subgroup of $A$ of elements $\alpha$ such
that $\chi_\alpha(a) = 1$ for all $a \in E$. Then
$$\sum_{a \in E} \chi_\alpha(a) = 0, \quad \forall \alpha \notin E^\perp \tag{10}$$
and
$$\sum_{\alpha \in E^\perp} \chi_\alpha(a) = 0, \quad \forall a \notin E. \tag{11}$$
The characters satisfy the orthogonality relation
$$\langle \chi_{\alpha_1}, \chi_{\alpha_2} \rangle = \sum_{a \in A} \chi_{\alpha_1}(a) \overline{\chi_{\alpha_2}(a)} =
\begin{cases} 0 & \text{if } \alpha_1 \neq \alpha_2, \\ |A| & \text{if } \alpha_1 = \alpha_2, \end{cases}$$
where $\overline{\chi_{\alpha_2}(a)}$ denotes the complex conjugate of $\chi_{\alpha_2}(a)$.
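The Fourier transform of any complex-valued function $\varphi$ on $A$ is defined by
$$\hat{\varphi}(\alpha) = \sum_{a \in A} \varphi(a) \chi_\alpha(a).$$
A direct consequence of property (11) is that for all elements $a_0$ and $\alpha_0$ in $A$ and
for every subgroup $E$ of $A$, we have
$$\sum_{\alpha \in \alpha_0 + E^\perp} \chi_\alpha(a_0) \hat{\varphi}(\alpha) = |E^\perp|\, \chi_{\alpha_0}(a_0) \sum_{a \in -a_0 + E} \chi_{\alpha_0}(a) \varphi(a). \tag{12}$$
Indeed,
$$\begin{aligned}
\sum_{\alpha \in \alpha_0 + E^\perp} \chi_\alpha(a_0) \hat{\varphi}(\alpha)
&= \sum_{\alpha \in E^\perp} \chi_{\alpha_0 + \alpha}(a_0) \hat{\varphi}(\alpha_0 + \alpha) \\
&= \sum_{\alpha \in E^\perp} \sum_{a \in A} \varphi(a) \chi_{\alpha_0 + \alpha}(a_0 + a) \\
&= \sum_{a \in A} \varphi(a) \chi_{\alpha_0}(a_0 + a) \Big( \sum_{\alpha \in E^\perp} \chi_\alpha(a_0 + a) \Big) \\
&= |E^\perp|\, \chi_{\alpha_0}(a_0) \sum_{a \in -a_0 + E} \chi_{\alpha_0}(a) \varphi(a).
\end{aligned}$$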
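The Fourier transform of the product of two functions $\varphi_1$ and $\varphi_2$ equals the
normalized convolution of the Fourier transforms of $\varphi_1$ and $\varphi_2$:
$$\widehat{\varphi_1 \varphi_2}(\alpha) = \frac{1}{|A|}\, \widehat{\varphi_1} \otimes \widehat{\varphi_2}(\alpha) = \frac{1}{|A|} \sum_{\alpha' \in A} \widehat{\varphi_1}(\alpha')\, \widehat{\varphi_2}(\alpha - \alpha'). \tag{13}$$
Equality (13) with $\varphi_2 = \overline{\varphi_1}$ and $\alpha = 0$ gives Parseval's relation:
$$\sum_{a \in A} |\varphi(a)|^2 = \frac{1}{|A|} \sum_{\alpha \in A} |\hat{\varphi}(\alpha)|^2.$$
The inverse Fourier transform is determined by the equality:
$$\varphi(a) = \frac{1}{|A|} \sum_{\alpha \in A} \hat{\varphi}(\alpha) \chi_{-\alpha}(a).$$
Note that $\varphi$ satisfies $\varphi(a) = 0$, for every $a \neq 0$, if and only if $\hat{\varphi}$ is constant and that $\varphi$
is constant if and only if $\hat{\varphi}(\alpha) = 0$, for every $\alpha \neq 0$.
Let $f$ be a function from $A$ to a group $B$. We denote by $e'$ the exponent of $B$ and we
fix again an isomorphism between $B$ and $\hat{B}$ (the group of homomorphisms from $B$ to
the multiplicative group of all complex $e'$th roots of unity); we denote by $\chi'_\beta$ the
image of $\beta \in B$ by this isomorphism. For every $\beta \in B$, we denote by $f_\beta$ the complex-valued
function $\chi'_\beta \circ f$ and we have, for every $\alpha \in A$,
$$\widehat{f_\beta}(\alpha) = \sum_{a \in A} \chi'_\beta \circ f(a)\, \chi_\alpha(a).$$
Parseval's relation on $f_\beta$ gives
$$\sum_{\alpha \in A} |\widehat{f_\beta}(\alpha)|^2 = |A|^2.$$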
We give in Theorem 16 a characterization of perfect nonlinearity by means of
Fourier transform, which generalizes results given in [71] for Boolean functions, in
[1] for functions defined over finite fields and in [16] for functions defined over
residue class rings. We need first to characterize balanced functions and to recall a
classical property of Fourier transform.
Proposition 14. Let $f$ be any function from $A$ to $B$. Then $f$ is balanced if and only if, for
every $\beta \in B^*$, we have
$$\widehat{f_\beta}(0) = 0.$$
Proof. We have
$$\widehat{f_\beta}(0) = \sum_{a \in A} \chi'_\beta \circ f(a) = \sum_{b \in B} |C_b|\, \chi'_\beta(b). \tag{14}$$
Thus, if $f$ is balanced and $\beta \neq 0$, then $\widehat{f_\beta}(0) = \frac{|A|}{|B|} \sum_{b \in B} \chi'_\beta(b) = 0$. Conversely, if, for
every $\beta \in B^*$ we have $\widehat{f_\beta}(0) = 0$, then, according to relation (14), the integer-valued
function $b \mapsto |C_b|$ admits as Fourier transform the function
$$\beta \mapsto \begin{cases} 0 & \text{if } \beta \neq 0, \\ |A| & \text{if } \beta = 0, \end{cases}$$
and according to the properties of the Fourier transform recalled above, it is
constant. □
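Lemma 15. Let $f : A \to B$ and $D_a f(x) = f(x+a) - f(x)$. Let $AC_{f_\beta}(a)$ be the value at
0 of the Fourier transform of $(D_a f)_\beta$: $AC_{f_\beta}(a) = \sum_{x \in A} \chi'_\beta(D_a f(x))$. Then, $AC_{f_\beta}$ has
Fourier transform $|\widehat{f_\beta}|^2$.
Proof.
$$\begin{aligned}
\widehat{AC_{f_\beta}}(\alpha)
&= \sum_{a \in A} \widehat{(D_a f)_\beta}(0)\, \chi_\alpha(a) \\
&= \sum_{a \in A} \sum_{x \in A} \chi'_\beta(f(x+a))\, \overline{\chi'_\beta(f(x))}\, \chi_\alpha(a) \\
&= \sum_{a \in A} \sum_{x \in A} \chi'_\beta(f(x+a))\, \overline{\chi'_\beta(f(x))}\, \chi_\alpha(x+a)\, \overline{\chi_\alpha(x)} \\
&= \widehat{f_\beta}(\alpha)\, \overline{\widehat{f_\beta}(\alpha)}. \qquad \square
\end{aligned}$$
$AC_{f_\beta}$ is often called the autocorrelation function of $f_\beta$. When only one
nonzero $\beta$ exists, i.e. when $B = GF(2)$, it is also called the autocorrelation
function of $f$.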
Theorem 16. Let $f$ be any function from an abelian group $A$ to an abelian group $B$.
Then $f$ has perfect nonlinearity if and only if, for every $\beta \in B^*$ and every $\alpha \in A$, $\widehat{f_\beta}(\alpha)$ has
magnitude $\sqrt{|A|}$.
Proof. According to Theorem 5, $f$ has perfect nonlinearity if and only if for every
$a \neq 0$ the function $D_a f(x) = f(x+a) - f(x)$ is balanced. Thus, according to
Proposition 14, $f$ has perfect nonlinearity if and only if for every $a \in A^*$ and every
$\beta \in B^*$ we have $AC_{f_\beta}(a) = 0$. Thus, according to the properties of the Fourier
transform recalled above, $f$ has perfect nonlinearity if and only if for every $\beta \in B^*$,
$AC_{f_\beta}$ has constant Fourier transform (this constant value must be $|A|$). Lemma 15
completes the proof. □
Theorem 16 states that $f$ has perfect nonlinearity if and only if, for every $\beta \in B^*$, $f_\beta$
is bent in the sense of Logachev, Salnikov and Yashchenko. We recall in Section 3.6
the original notion of bent functions and its successive generalizations.
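The following added example (not code from the paper) checks definition (2), Theorem 5 and Theorem 16 numerically on the function $x_1 x_2$ of Example 13 with $q = 3$, $t = 1$, and on a linear function for contrast. It assumes that the groups are products of cyclic groups $Z_{n_1} \times \cdots \times Z_{n_k}$ and fixes the character isomorphism $\chi_\alpha(a) = \exp(2\pi i \sum_j \alpha_j a_j / n_j)$; all function names are illustrative.

```python
import cmath
import itertools
import math
from collections import Counter
from fractions import Fraction


def elements(moduli):
    """All elements of Z_{n1} x ... x Z_{nk}, as tuples."""
    return list(itertools.product(*(range(n) for n in moduli)))


def nonzero(moduli):
    return [x for x in elements(moduli) if any(x)]


def add(x, y, moduli):
    return tuple((xi + yi) % n for xi, yi, n in zip(x, y, moduli))


def sub(x, y, moduli):
    return tuple((xi - yi) % n for xi, yi, n in zip(x, y, moduli))


def character(alpha, a, moduli):
    """chi_alpha(a) = exp(2*pi*i * sum_j alpha_j*a_j/n_j) (assumed isomorphism)."""
    phase = sum(Fraction(al * aj, n) for al, aj, n in zip(alpha, a, moduli)) % 1
    return cmath.exp(2j * math.pi * float(phase))


def derivative_counts(f, a, dom, cod):
    """Map b -> |{x in A : D_a f(x) = b}|, the numerator in Lemma 1."""
    return Counter(sub(f(add(x, a, dom)), f(x), cod) for x in elements(dom))


def P(f, dom, cod):
    """P_f of equation (2), as an exact fraction."""
    worst = max(max(derivative_counts(f, a, dom, cod).values())
                for a in nonzero(dom))
    return Fraction(worst, math.prod(dom))


def derivatives_balanced(f, dom, cod):
    """Theorem 5: every D_a f with a != 0 takes each b exactly |A|/|B| times."""
    n, m = math.prod(dom), math.prod(cod)
    if n % m:
        return False
    return all(derivative_counts(f, a, dom, cod)[b] == n // m
               for a in nonzero(dom) for b in elements(cod))


def fourier(f, beta, alpha, dom, cod):
    """hat f_beta(alpha) = sum_a chi'_beta(f(a)) * chi_alpha(a)."""
    return sum(character(beta, f(a), cod) * character(alpha, a, dom)
               for a in elements(dom))


def fourier_flat(f, dom, cod, tol=1e-9):
    """Theorem 16: |hat f_beta(alpha)| = sqrt(|A|) for all beta != 0, all alpha."""
    target = math.sqrt(math.prod(dom))
    return all(abs(abs(fourier(f, beta, alpha, dom, cod)) - target) < tol
               for beta in nonzero(cod) for alpha in elements(dom))


# Constructed sample functions on A = Z_3 x Z_3 with B = Z_3 (= GF(3)).
DOM, COD = (3, 3), (3,)


def example13(x):
    """x1*x2: the function of Example 13 with q = 3, t = 1."""
    return ((x[0] * x[1]) % 3,)


def linear(x):
    """x1 + 2*x2: a linear function, for contrast."""
    return ((x[0] + 2 * x[1]) % 3,)


if __name__ == "__main__":
    for name, f in (("x1*x2", example13), ("x1+2*x2", linear)):
        print(name, "P_f =", P(f, DOM, COD),
              "| balanced derivatives:", derivatives_balanced(f, DOM, COD),
              "| flat spectrum:", fourier_flat(f, DOM, COD))
```

The three tests agree on each sample: $x_1 x_2$ passes all of them, and the linear function fails all of them.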
3.5. Obtaining functions with perfect nonlinearity from known ones
In Section 3.1, we have seen obvious ways of obtaining perfect nonlinear functions
from known ones. Another one is as follows: let $A$, $A'$ and $B$ be three abelian groups.
Let $f : A \to B$ and $g : A' \to B$ be two perfect nonlinear mappings. Then $f \oplus g : A \times A' \to B$ defined by $(f \oplus g)(x, y) = f(x) + g(y)$ is perfect nonlinear. We give now a
nontrivial similar construction. Theorem 17 and the remark which follows it
generalize most of the theorem in [12], which was stated for Boolean bent
functions.
Theorem 17. Assume that the size of $A$ is a square. Let $E$ be a subgroup of $A$ of size
$\sqrt{|A|}$. Assume that $f(x)$ is a function from $(A,+)$ to $(B,+)$ with perfect nonlinearity
and that $f$ takes constant value on $E$. Then every function obtained from $f$ by choosing
another constant value for $f$ on $E$ has also perfect nonlinearity.
Proof. Let $b$ be any element of $B$. Define $g(x) = f(x)$ if $x \notin E$, $g(x) = f(x) + b$ if
$x \in E$. Let $\beta$ be any nonzero element of $B$. Denote by $\omega_\beta$ the constant value of $f_\beta$ on
$E$. Recall that we denote by $E^\perp$ the set of elements $\alpha$ of $A$ such that $\chi_\alpha(a) = 1$ for all
$a \in E$.
Let us first prove that $\widehat{f_\beta}(\alpha) = \omega_\beta |E|$ for every $\alpha \in E^\perp$. According to relation (12)
applied to $\varphi = f_\beta$ and to $a_0 = \alpha_0 = 0$, we have $\sum_{\alpha \in E^\perp} \widehat{f_\beta}(\alpha) = \omega_\beta |E^\perp| |E|$. Since,
according to Theorem 16, $\widehat{f_\beta}(\alpha)$ has magnitude $|E| = \sqrt{|A|}$ for every $\alpha$, we deduce
that $\widehat{f_\beta}(\alpha)$ equals $\omega_\beta \sqrt{|A|}$ for every $\alpha \in E^\perp$.
We have $\widehat{g_\beta}(\alpha) = \widehat{f_\beta}(\alpha) + \omega_\beta (\chi'_\beta(b) - 1) \sum_{a \in E} \chi_\alpha(a)$. Thus $\widehat{g_\beta}(\alpha)$ equals $\widehat{f_\beta}(\alpha)$ for
every $\alpha \notin E^\perp$. And for every $\alpha \in E^\perp$ we have $\widehat{g_\beta}(\alpha) = \omega_\beta \sqrt{|A|} + \omega_\beta (\chi'_\beta(b) - 1) \sqrt{|A|} =
\omega_\beta \chi'_\beta(b) \sqrt{|A|}$. Thus, $\widehat{g_\beta}(\alpha)$ has magnitude $\sqrt{|A|}$ for every $\alpha \in A$ and every $\beta \in B^*$, and
$g$ has therefore perfect nonlinearity. □
Remarks.
(a) The same proof shows that if $\varphi$ is bent on $A$ in the sense of Logachev, Salnikov
and Yashchenko (see Section 3.6) and if it is constant on $E$, then $\hat{\varphi}$ is constant
on $E^\perp$ and $\varphi$ remains bent if we change its constant value on $E$.
(b) Since $\widehat{f_\beta}$ is constant on $E^\perp$, applying property (12) to $\widehat{f_\beta}$ and to $\alpha_0 = 0$ shows that
for every $a_0 \notin E$: $\sum_{a \in a_0 + E} f_\beta(a) = 0$. This is equivalent to the fact that $f$ is
balanced on every coset of $E$ in $A$, according to Proposition 14.
(c) According to property (12), we have also $\sum_{\alpha \in \alpha_0 + E^\perp} \widehat{f_\beta}(\alpha) = 0$ for every $\alpha_0 \notin E^\perp$.
If there exists a function $g$ from $A$ to $B$ such that $\widehat{f_\beta} = \sqrt{|A|}\, g_\beta$ (using the same
terminology as Kumar et al. [57], we can say that $f$ is regular-bent), this implies
that $g$ is balanced on every coset of $E^\perp$.
(d) Theorem 17 is still valid if we only assume that the restriction of $f$ to $E$ is affine
and if we change the values of $f$ on $E$ by adding a constant (apply Theorem 17
to $f + l$ where $l$ is affine). It is also valid if $E$ is a coset of a subgroup (change
$f(x)$ into $f(x + u)$).
(e) We give after Theorem 39 an example of application of Theorem 17. In the case
of this example, there exists a function $g$ from $A$ to $B$ such that $\widehat{f_\beta} = \sqrt{|A|}\, g_\beta$.
3.6. Bent functions and perfect nonlinearity
Let $A$ be the abelian group $GF(2)^n$, $B = GF(2)$ and $f$ a function from $A$ to $B$.
Using the notation of Section 3.4, we have $f_1(a) = (-1)^{f(a)}$ and $\widehat{f_1}(\alpha) =
\sum_{a \in GF(2)^n} (-1)^{f(a) + \alpha \cdot a}$ where $\alpha \cdot a = \alpha_1 a_1 + \cdots + \alpha_n a_n$ is the usual inner product in
$GF(2)^n$. The Fourier transform of $f_1 = (-1)^f$ is often called the Walsh transform of
$f$. The notion of binary bent function, introduced by Rothaus in [71], is related to
Parseval's relation $\sum_{\alpha \in GF(2)^n} |\widehat{f_1}(\alpha)|^2 = 2^{2n}$: a function $f : GF(2)^n \to GF(2)$ is bent if
$\sum_{a \in GF(2)^n} (-1)^{f(a) + \alpha \cdot a}$ has constant magnitude for every $\alpha \in GF(2)^n$, or equivalently
if the maximum of $|\widehat{f_1}(\alpha)|^2$ equals its mean $2^n$ (this is equivalent to saying that $f$ lies at
maximum Hamming distance from the set of affine functions); this is possible only if
$n$ is even. As shown by Rothaus, and also according to Theorem 16, this notion is
equivalent to perfect nonlinearity. More information on binary bent functions can be
found in the survey paper [14] and in Canteaut et al. [10], Carlet [12–15], Carlet and
Guillot [17,18], Dobbertin [37], Hou and Langevin [49], and Wolfmann [75].
Logachev, Salnikov and Yashchenko have adapted this notion in [60] to the
general case of functions $\varphi$ from any finite abelian group $A$ to the set of complex
numbers of magnitude 1 (see also [48]): $\varphi$ is bent if $\hat{\varphi}(\alpha)$ has constant magnitude
$\sqrt{|A|}$ for every $\alpha \in A$.
The notion of binary bent function has been generalized to functions from a finite
abelian group $A$ to a finite abelian group $B$ in two directions:
* Kumar et al. [57] have generalized it to functions $f$ from $\mathbb{Z}_q^n$ to $\mathbb{Z}_q = \mathbb{Z}/q\mathbb{Z}$, where
$q$ is any positive number. The function $f_1$ equals then $\omega_q^f$, where $\omega_q = \exp(2i\pi/q)$
(where $i = \sqrt{-1}$) and we have $\widehat{f_1}(\alpha) = \sum_{a \in \mathbb{Z}_q^n} \omega_q^{f(a) + \alpha \cdot a}$. Kumar, Scholtz and
Welch called generalized bent any function $f$ from $\mathbb{Z}_q^n$ to $\mathbb{Z}_q$ such that $\widehat{f_1}$ has
constant magnitude $\sqrt{q^n}$, i.e. such that $f_1$ is bent in the sense of Logachev,
Salnikov and Yashchenko. Obviously, a stronger notion could also be considered:
for every $\beta \neq 0$, $f_\beta$ is bent in the sense of Logachev, Salnikov and Yashchenko. But
this notion does not deserve a specific denomination since, as shown in [16] and
also according to Theorem 16, it is equivalent to perfect nonlinearity.
* Ambrosimov [1] considers functions $f$ from $GF(q)^n$ to $GF(q)$ where $q$ is a power
of a prime $p$, and $GF(q)$ is the finite field of order $q$. For every $\beta \in GF(q)$, $f_\beta$ equals
$\omega_p^{Tr(\beta f)}$ where $Tr$ is the trace function from $GF(q)$ to $GF(p)$ and where $\omega_p =
\exp(2i\pi/p)$. Then $\widehat{f_\beta}(\alpha)$ equals $\sum_{a \in GF(q)^n} \omega_p^{Tr(\beta f(a) + \alpha \cdot a)}$. The function $f$ is called bent
by Ambrosimov if, for every nonzero $\beta$, $\widehat{f_\beta}$ has constant magnitude $\sqrt{q^n}$, i.e. if
$f_\beta = \omega_p^{Tr(\beta f)}$ is bent in the sense of Logachev, Salnikov and Yashchenko. As shown
by Ambrosimov and according to Theorem 16, this notion is equivalent to perfect
nonlinearity.
The notions of bent functions by Kumar, Scholtz and Welch and by Ambrosimov,
when they both apply, that is when $q$ is a prime, have different definitions but are in
fact equivalent, as shown in [57].
4. Binary functions with optimum nonlinearity
In this section, we consider the case $(B,+) = (GF(2),+)$ and functions from $A$ to
$B$. If $(A,+)$ is cyclic, then functions from $A$ to $B$ with optimal nonlinearity are the
same as binary sequences with optimal autocorrelation, i.e. perfect sequences. The
main references for this section are [24,34,52].
Let $n = |A|$. For a function $f$ from $A$ to $B$, the autocorrelation function of $f$ is
$$AC_f(a) = \sum_{x \in A} (-1)^{f(x+a) - f(x)}.$$
The support of $f$ is the set
$$S_f = \{x \in A \mid f(x) = 1\}.$$
The weight of $f$ is defined to be $|S_f|$, and denoted by $w_f$. We also say that $f$ is the
characteristic function of $S_f$.
Considering the Fourier transform of $D_a f$ at vector 0, we have, according to
Lemma 15
$$\sum_{a \in A} AC_f(a) = (n - 2w_f)^2. \tag{15}$$
For any subset $H$ of $A$, we define the difference function
$$d_H(a) = |(H + a) \cap H|, \tag{16}$$
where $H + a = \{x + a \mid x \in H\}$.
The following easy result plays an important role in the sequel.
Theorem 18. Let $f$ be a function from $A$ to $B$, and let $k$ be the weight of $f$. Then for any
nonzero $a \in A$,
$$\Pr(D_a f(x) = b) = \begin{cases}
\dfrac{n - 2(k - d_{S_f}(a))}{n}, & b = 0, \\[6pt]
\dfrac{2(k - d_{S_f}(a))}{n}, & b = 1.
\end{cases}$$
Proof. This is a generalization of Theorem 4.4 in [34] (see also [24,
Theorem 6.3.1]). We have $\Pr(D_a f(x) = 1) = \frac{1}{n} w_{D_a f} = \frac{1}{n}(2w_f - 2d_{S_f}(a))$ and
$\Pr(D_a f(x) = 0) = 1 - \Pr(D_a f(x) = 1)$. □
4.1. The case $n \equiv 0 \pmod 4$
Let $(G,+)$ be an abelian group with $v$ elements, and let $D$ be a $k$-subset of $G$. Then
$D$ is called a $(v, k, \lambda)$ difference set of $G$ if the equation $x - y = g$ has exactly $\lambda$
solutions $(x, y) \in D \times D$ for every nonzero element $g \in G$. A trivial necessary
condition for the existence of a $(v, k, \lambda)$ difference set is
$$k(k-1) = (v-1)\lambda. \tag{17}$$
Theorem 19. Let $D$ be a $(v, k, \lambda)$ difference set of an abelian group $(A,+)$ with $v$
elements, and let $f_D(x)$ be the function with support $D$. Then,
(a) for any nonzero $a \in A$,
$$\Pr(f_D(x+a) - f_D(x) = b) = \begin{cases}
[v - 2(k - \lambda)]/v, & b = 0, \\
2(k - \lambda)/v, & b = 1.
\end{cases}$$
(b) $P_{f_D} = \max\left\{\dfrac{v - 2(k - \lambda)}{v}, \dfrac{2(k - \lambda)}{v}\right\}$.
Proof. This is a generalization of Theorem 4.5 in [34] (see also [24, Theorem 6.3.2]).
The conclusion follows from Theorem 18. □
Theorem 20. Let $f$ be a function from $A$ to $B$. Then the following three conclusions are
equivalent:
(A) $P_f = \frac{1}{2}$;
(B) $AC_f(a) = 0$ for every nonzero element $a$ of $A$;
(C) the support $S_f$ is a $(4u^2, 2u^2 \pm u, u(u \pm 1))$ difference set of $A$, where $n = 4u^2$.
Proof. According to Theorem 5 and Proposition 14, (A) and (B) are equivalent. By
Theorem 19, (C) implies (A). If (B) is true, then for every nonzero $a$, the function
$f(x) - f(x+a)$ has constant weight and the support $S_f$ is therefore a difference set.
According to Theorem 19, $v \equiv 0 \pmod 4$. It is well known that a symmetric design
with $v = 4u$ can only exist if $u$ is a perfect square and the parameters of $S_f$ have the
form $(4u^2, 2u^2 \pm u, u(u \pm 1))$ (see [51, p. 282]). □
It follows from Theorem 20 that $(4u^2, 2u^2 \pm u, u(u \pm 1))$ difference sets, called
Hadamard difference sets, of an abelian group $A$ give all binary functions with perfect
nonlinearity. Detailed information about Hadamard difference sets can be found in
[52]. We just mention the following.
Lemma 21 (Jungnickel and Pott [53]). Let $G$ be any group which is a direct product of
an abelian group of order 2e and exponent at most e, where $e = 2d + 2$ for some
nonnegative integer $d$, with groups of the type $\mathbb{Z}_{m_i}^2$, where each $m_i$ is a power of 3, and
groups of the type $\mathbb{Z}_{p_j}^4$, where the $p_j$ are (not necessarily distinct) odd primes. Then $G$
contains a Hadamard difference set.
Combining Theorem 20 and Lemma 21 proves the following.
Theorem 22. Let
A ¼ Z2dþ2
Z2m1 ? Z2mt Z4p1 ? Z4ps ;
2
ð18Þ
where each mi is a power of 3, the pj are (not necessarily distinct) odd primes, sX0 and
tX0: Then there are binary functions from A to B with perfect nonlinearity.
As recalled in Section 3.6, Boolean functions (i.e. functions from $GF(2)^n$ to $GF(2)$)
have perfect nonlinearity if and only if they are bent.
Numerous binary functions with perfect nonlinearity from the set $A$ of (18) to
$B = GF(2)$ can be constructed as indicated in Theorem 22 by using
the actual constructions of the Hadamard difference sets indicated in
Lemma 21: for details, we refer to Arasu et al. [2], Chen [21], Kraemer [56], Turyn
[74], and Xia [76].
4.2. The case $n \equiv 3 \pmod 4$
In this section, let $(A, +)$ be an abelian group of order $n \equiv 3 \pmod 4$,
and $B = GF(2)$. The following theorem is the function version of perfect
sequences [52].
Theorem 23. Let $f$ be a function from $A$ to $B$. Then the minimum possible value for $P_f$
is $\frac{1}{2} + \frac{1}{2n}$ and the following two conclusions are equivalent:
(A) $P_f = \frac{1}{2} + \frac{1}{2n}$;
(B) the support $S_f$ is an $\left(n, \frac{n-1}{2}, \frac{n-3}{4}\right)$ or $\left(n, \frac{n+1}{2}, \frac{n+1}{4}\right)$ difference set of $A$.
Proof. Let $k$ be the weight of $f$. Note that $[n - 2(k - d_{S_f}(a))] + 2(k - d_{S_f}(a)) = n$.
By Theorem 18, to minimize $P_f$ we need to minimize the maximum magnitude of
\[ [n - 2(k - d_{S_f}(a))] - 2(k - d_{S_f}(a)) = n - 4(k - d_{S_f}(a)), \]
where $a$ ranges over the nonzero elements of $A$. Since $n \equiv -1 \pmod 4$, the minimal possible magnitude of
$n - 4(k - d_{S_f}(a))$ corresponds to $n - 4(k - d_{S_f}(a)) = -1$. Thus, $P_f$ is minimal if and
only if $d_{S_f}(a) = k - \frac{n+1}{4}$ for every nonzero $a \in A$, i.e., if $S_f$ is an $\left(n, k, k - \frac{n+1}{4}\right)$
difference set of $A$. It then follows from the equation
\[ k(k-1) = (n-1)\left(k - \frac{n+1}{4}\right) \]
that $k = \frac{n \pm 1}{2}$, and the minimal value for $P_f$ is $\frac{1}{2} + \frac{1}{2n}$. □
We say that $f$ has optimum nonlinearity if $P_f$ achieves the minimum value
(here $\frac{1}{2} + \frac{1}{2n}$).
Since the complement of any $\left(n, \frac{n-1}{2}, \frac{n-3}{4}\right)$ difference set is an $\left(n, \frac{n+1}{2}, \frac{n+1}{4}\right)$ difference
set and vice versa, we consider only difference sets with parameters $\left(n, \frac{n-1}{2}, \frac{n-3}{4}\right)$.
Difference sets of this type are called Paley–Hadamard difference sets. Any Paley–
Hadamard difference set of $A$ gives a function from $A$ to $B$ with optimum
nonlinearity.
Paley–Hadamard difference sets include the following classes:
(1) with parameters $(2^t - 1, 2^{t-1} - 1, 2^{t-2} - 1)$; for description of difference sets
with these parameters see Dillon [31], Dillon and Dobbertin [32], Gordon et al.
[42], Pott [70], Xiang [77];
(2) with parameters $\left(n, \frac{n-1}{2}, \frac{n-3}{4}\right)$, where $n = q(q+2)$ and both $q$ and $q+2$ are prime
powers. These are generalizations of the twin-prime difference sets, and may be
defined as
\[ \{(g, h) \in GF(q) \times GF(q+2) : g, h \ne 0 \text{ and } \chi(g)\chi(h) = 1\} \cup \{(g, 0) : g \in GF(q)\}, \]
where $\chi(x) = +1$ if $x$ is a nonzero square in the corresponding field, and $\chi(x) = -1$ otherwise [53];
(3) with parameters $\left(n, \frac{n-1}{2}, \frac{n-3}{4}\right)$, where $n = q$ is a prime power congruent to 3
$\pmod 4$. They are Paley difference sets and just consist of all the squares in
$GF(q)$ [53];
(4) with parameters $\left(n, \frac{n-1}{2}, \frac{n-3}{4}\right)$, where $n = q$ is a prime power of the form $q = 4s^2 + 27$.
They are cyclotomic difference sets and can be described as [51]
\[ D = D_0^{(6,q)} \cup D_1^{(6,q)} \cup D_3^{(6,q)}, \]
where $D_0^{(6,q)}$ denotes the multiplicative group generated by $\alpha^6$, $D_i^{(6,q)} = \alpha^i D_0^{(6,q)}$
denotes the cosets, and $\alpha$ is a primitive element of $GF(q)$.
4.3. The case $n \equiv 2 \pmod 4$
As before let $(A, +)$ be an abelian group of order $n$. Let $C$ be a $k$-subset of $A$. The
set $C$ is an $(n, k, \lambda, t)$ almost difference set of $A$ if $d_C(a) = |(C + a) \cap C|$ takes on the
value $\lambda$ altogether $t$ times and the value $\lambda + 1$ altogether $n - 1 - t$ times when $a$
ranges over all the nonzero elements of $A$.
Two kinds of almost difference sets were introduced in [26,33,34] (see also
[24, p. 140; 35]). They were generalized and unified in [36].
For $(n, k, \lambda, t)$ almost difference sets of $A$ we have the following basic
relation:
\[ k(k-1) = t\lambda + (n - 1 - t)(\lambda + 1). \tag{19} \]
The following lemma due to Bruck, Chowla and Ryser will be needed later.
Lemma 24. Let $D$ be an $(n, k, \lambda)$ difference set in a group $G$.
(i) If $n$ is even, then $k - \lambda$ is a square.
(ii) If $n$ is odd, then the equation
\[ x^2 = (k - \lambda)y^2 + (-1)^{\frac{n-1}{2}} \lambda z^2 \tag{20} \]
has a solution in integers $x, y, z$, not all zero.
We consider now functions $f$ from $A$ to $B$ with optimum nonlinearity. As before,
let $S_f$ and $k$ be the support and weight of $f$, respectively. When $A$ is cyclic, the first
part of the following theorem is the function version of the corresponding results
about perfect sequences [52].
Theorem 25. The minimum possible value for $P_f$ is $\frac{1}{2} + \frac{1}{n}$. Furthermore, $P_f = \frac{1}{2} + \frac{1}{n}$ if
and only if
(a) the support $S_f$ is a difference set with parameters
\[ \left(n, \frac{n \pm \sqrt{3n-2}}{2}, \frac{n + 2 \pm 2\sqrt{3n-2}}{4}\right), \tag{21} \]
(b) or the support $S_f$ is an almost difference set with parameters
\[ \left(n, k, k - \frac{n+2}{4}, \frac{4nk - 4k^2 - (n-1)(n-2)}{4}\right). \tag{22} \]
Proof. The minimum discrepancy between $n - 2(k - d_{S_f}(a))$ and $2(k - d_{S_f}(a))$ is 2,
since $n \equiv 2 \pmod 4$. By Theorem 18, the nonlinearity measure $P_f$ achieves its
minimum value if and only if one of the following three cases happens:
(A) $[n - 2(k - d_{S_f}(a))] - 2(k - d_{S_f}(a))$ takes on only value $2$ when $a$ ranges over all
nonzero elements of $A$;
(B) $[n - 2(k - d_{S_f}(a))] - 2(k - d_{S_f}(a))$ takes on only value $-2$ when $a$ ranges over
all nonzero elements of $A$;
(C) $[n - 2(k - d_{S_f}(a))] - 2(k - d_{S_f}(a))$ takes on both values $2$ and $-2$ when $a$
ranges over all nonzero elements of $A$.
In all three cases the minimum value for $P_f$ is $\frac{1}{2} + \frac{1}{n}$.
If (A) happens, then $S_f$ is an $\left(n, k, k - \frac{n-2}{4}\right)$ difference set. Hence we obtain
\[ k(k-1) = (n-1)\left(k - \frac{n-2}{4}\right). \]
Whence
\[ k = \frac{n \pm \sqrt{3n-2}}{2}. \]
Hence $S_f$ is an $\left(n, \frac{n \pm \sqrt{3n-2}}{2}, \frac{n + 2 \pm 2\sqrt{3n-2}}{4}\right)$ difference set.
We now prove that (B) cannot happen. Suppose that (B) happens. Then $S_f$ is an
$\left(n, k, k - \frac{n+2}{4}\right)$ difference set. Hence we obtain
\[ k(k-1) = (n-1)\left(k - \frac{n+2}{4}\right). \]
Whence
\[ \left(k - \frac{n}{2}\right)^2 + \frac{n-2}{4} = 0. \]
This is impossible.
By definition, (C) happens if and only if
\[ d_{S_f}(a) = k - \frac{n \pm 2}{4}, \]
which is equivalent to $S_f$ being an $\left(n, k, k - \frac{n+2}{4}, t\right)$ almost difference set of $A$. It then
follows from (19) that
\[ t = \frac{4nk - 4k^2 - (n-1)(n-2)}{4}. \tag{23} \]
□
Remarks.
(I) Note that $1 \le t \le n - 2$. It follows from (23) that
\[ \frac{n - \sqrt{3(n-2)}}{2} \le k \le \frac{n + \sqrt{3(n-2)}}{2} \tag{24} \]
if $f$ has optimum nonlinearity. This means that in the case $n \equiv 2 \pmod 4$ the
weight $k$ of functions with optimum nonlinearity is more flexible, compared with
the two cases $n \equiv 0 \pmod 4$ and $n \equiv 3 \pmod 4$.
(II) The condition of (17) and Lemma 24 cannot be used to rule out the existence of
difference sets with parameters of (21). For example, $(66, 40, 24)$ and
$(902, 477, 252)$ are such parameters. However, it is known that no difference
sets with parameters $(66, 40, 24)$ exist [51]. No difference set with the parameters
of (21) is known. In the cyclic case, more information on the existence can be
found in [52].
Open Problem 26. Construct difference sets with the parameters of (21) or show that
difference sets with such parameters do not exist.
We describe now the classes of binary functions with optimum nonlinearity which
correspond to the known almost difference sets with the parameters of (22). To this
end, we need to define cyclotomic classes and numbers. Let $GF(q)$ be a finite field,
and let $d$ divide $q - 1$. For a primitive element $\alpha$ of $GF(q)$, define $D_0^{(d,q)} = (\alpha^d)$, the
multiplicative group generated by $\alpha^d$, and
\[ D_h^{(d,q)} = \alpha^h D_0^{(d,q)} \quad \text{for } h = 1, 2, \ldots, d-1. \]
These $D_h^{(d,q)}$ are called cyclotomic classes of order $d$. The cyclotomic numbers of order
$d$ with respect to $GF(q)$ are defined as
\[ (h, j) = |(D_h^{(d,q)} + 1) \cap D_j^{(d,q)}|. \]
Clearly, there are at most $d^2$ different cyclotomic numbers of order $d$.
The cyclotomic classes of order 4 can be used to describe several classes of binary
functions with optimum nonlinearity. Consider the finite field $GF(q)$, where $q \equiv 5 \pmod 8$. It is known that $q$ has a quadratic partition $q = s^2 + 4t^2$, with $s \equiv \pm 1 \pmod 4$. Let $D_h^{(4,q)}$ be the cyclotomic classes of order 4.
Theorem 27. Let $h, j, l \in \{0, 1, 2, 3\}$ be three pairwise distinct integers, and define
\[ C = [\{0\} \times (D_h^{(4,q)} \cup D_j^{(4,q)})] \cup [\{1\} \times (D_l^{(4,q)} \cup D_j^{(4,q)})]. \]
Then $C$ is an $\left(n, \frac{n-2}{2}, \frac{n-6}{4}, \frac{3n-6}{4}\right)$ almost difference set of $A = GF(2) \times GF(q)$ if
(1) $t = 1$ and $(h, j, l) \in \{(0, 1, 3), (0, 2, 1)\}$; or
(2) $s = 1$ and $(h, j, l) \in \{(1, 0, 3), (0, 1, 2)\}$.
Theorem 27 is a generalization of two results in [36]. The proof given in [36] can be
slightly modified to give a proof of Theorem 27 by using cyclotomic numbers of
order 4 for general finite fields [72].
It follows from Theorems 25 and 27 that the characteristic functions $f_C$ of the
several classes of almost difference sets $C$ described in Theorem 27 have optimum
nonlinearity. Furthermore these functions have weight $\frac{n-2}{2}$, where $n = 2q$. So we say
that they are almost balanced.
Theorem 28. Let $h, j, l \in \{0, 1, 2, 3\}$ be three pairwise distinct integers, and define
\[ C = [\{0\} \times (D_h^{(4,q)} \cup D_j^{(4,q)})] \cup [\{1\} \times (D_l^{(4,q)} \cup D_j^{(4,q)})] \cup \{(0, 0)\}. \]
Then $C$ is an $\left(n, \frac{n}{2}, \frac{n-2}{4}, \frac{3n-2}{4}\right)$ almost difference set of $A = GF(2) \times GF(q)$ if
(1) $t = 1$ and $(h, j, l) \in \{(0, 1, 3), (0, 2, 3), (1, 2, 0), (1, 3, 0)\}$; or
(2) $s = 1$ and $(h, j, l) \in \{(0, 1, 2), (0, 3, 2), (1, 0, 3), (1, 2, 3)\}$.
Theorem 28 is also a generalization of two results in [36]. The proof given in [36]
can also be slightly modified to give a proof of Theorem 28 by using cyclotomic
numbers of order 4 for general finite fields [72].
It follows from Theorems 25 and 28 that the characteristic functions $f_C$ of the two
classes of almost difference sets $C$ described in Theorem 28 have optimum
nonlinearity. Furthermore these functions have weight $\frac{n}{2}$, where $n = 2q$. Hence they
are balanced.
We now describe another class of functions with optimum nonlinearity. Let $q \equiv 3 \pmod 4$.
Let $D_h^{(2,q)}$ denote the cyclotomic classes of order 2 with respect to $GF(q)$
and let $\alpha$ be the primitive element employed to define the cyclotomic classes of
order 2.
Theorem 29. Define a function from $(\mathbb{Z}_{q-1}, +)$ to $(GF(2), +)$ as
\[ f(h) = \begin{cases} 1 & \text{if } \alpha^h \in (D_1^{(2,q)} - 1), \\ 0 & \text{otherwise.} \end{cases} \]
Then $f$ has optimum nonlinearity.
Theorem 29 is the function-oriented version of a result about binary sequences
with optimum autocorrelation given in [59]. The support of the function $f$ defined in
Theorem 29 is of course an almost difference set by Theorem 25.
4.4. The case $n \equiv 1 \pmod 4$ and $n > 1$
In this section we assume that $n \equiv 1 \pmod 4$ and consider binary functions $f$ from
$A$ to $B$ with optimum nonlinearity. As before, let $S_f$ and $k$ be the support and weight
of $f$, respectively.
Theorem 30. The possible minimum value for $P_f$ is $\frac{1}{2} + \frac{1}{2n}$. Furthermore, $P_f = \frac{1}{2} + \frac{1}{2n}$ if
and only if the support $S_f$ is a difference set with parameters
\[ \left(n, \frac{n \pm \sqrt{2n-1}}{2}, \frac{n + 1 \pm 2\sqrt{2n-1}}{4}\right). \tag{25} \]
Proof. The proof is similar to that of Theorem 25 and is omitted. □
Remarks.
(a) For any difference set with parameters of (25), the number $\frac{n \pm \sqrt{2n-1}}{2}$ must be a
square.
(b) The parameters of (25) satisfy the conditions of both (17) and Lemma 24. Note
that
\[ \left(\sqrt{\frac{n \pm \sqrt{2n-1}}{2}}, 1, 1\right) \]
is a solution to (20). Examples of parameters are
\[ (13, 9, 6), \quad (25, 16, 10), \quad (41, 25, 15), \quad (61, 36, 21), \quad (85, 49, 28). \]
But it is known that among the parameters above only difference sets with
parameters $(13, 9, 6)$ exist [51]. The set $D = \{2, 4, 5, 6, 7, 8, 10, 11, 12\}$ is a
$(13, 9, 6)$ difference set in $\mathbb{Z}_{13}$. It is known that no cyclic abelian difference set
of this type exists for $13 < n \le 20201$ [52].
Open Problem 31. Construct new difference sets with parameters of (25) or show that
difference sets with such parameters do not exist for $n > 20{,}201$. (We are interested
only in the case $n > 20{,}201$ because of Remark (b) above.)
Theorem 32. $P_f = \frac{1}{2} + \frac{3}{2n}$ if and only if the support $S_f$ is an almost difference set with
parameters
\[ \left(n, k, k - \frac{n+3}{4}, \frac{4nk - 4k^2 - (n-1)^2}{4}\right). \]
Proof. The proof is similar to that of Theorem 25 and is omitted. □
Similarly, we have the following bounds for the weight of $f$
\[ \frac{n - \sqrt{2n-5}}{2} \le k \le \frac{n + \sqrt{2n-5}}{2} \tag{26} \]
if $f$ has nonlinearity $P_f = \frac{1}{2} + \frac{3}{2n}$.
Theorem 33. Let $q \equiv 1 \pmod 4$ and let $D_h^{(2,q)}$ denote the cyclotomic classes of order 2.
Then the function from $(GF(q), +)$ to $(GF(2), +)$ defined by
\[ f(x) = \begin{cases} 1 & \text{if } x \in D_0^{(2,q)}, \\ 0 & \text{otherwise} \end{cases} \]
has nonlinearity $P_f = \frac{1}{2} + \frac{3}{2n}$.
Proof. It can be proved with the help of Theorem 18 and the cyclotomic numbers of
order 2 [72]. □
Theorem 34. Let $q = 4q' + 1 = x^2 + 4y^2$ be a power of an odd prime with $x \equiv 1 \pmod 4$.
Then $D_h^{(4,q)} \cup D_j^{(4,q)}$ is a $\left(q, \frac{q-1}{2}, \frac{q-5}{4}, \frac{q-1}{2}\right)$ almost difference set if and only if
$q'$ is odd, $y = \pm 1$, and $(h, j) \in \{(0, 1), (1, 2), (2, 3), (3, 0)\}$.
Theorem 34 is a slight generalization of a class of almost difference sets in [35].
The proof given in [35] can be slightly modified to give a proof of Theorem 34 by
using cyclotomic numbers of order 4 for general finite fields [72].
It follows from Theorems 25 and 34 that the characteristic functions $f_C$ of the class
of almost difference sets $C$ described in Theorem 34 have nonlinearity $P_f = \frac{1}{2} + \frac{3}{2n}$.
Furthermore these functions have weight $\frac{q-1}{2}$, and thus are balanced.
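The following added example (not from the paper) checks Sections 4.2 and 4.4 numerically on cyclic groups $\mathbb{Z}_n$: it computes $d_S(a)$, classifies a support as a difference set or almost difference set, and computes $P_f$ straight from the definition. The function names are hypothetical, and the square sets are taken modulo a prime so that $GF(q) = \mathbb{Z}_q$.

```python
from collections import Counter
from fractions import Fraction


def difference_counts(S, n):
    """d_S(a) = |(S + a) ∩ S| for every nonzero a in Z_n."""
    S = set(S)
    return {a: sum(1 for x in S if (x + a) % n in S) for a in range(1, n)}


def classify(S, n):
    """Return ('DS', (n, k, lam)), ('ADS', (n, k, lam, t)) or ('none', None)."""
    k = len(set(S))
    hist = Counter(difference_counts(S, n).values())
    vals = sorted(hist)
    if len(vals) == 1:                       # d_S is constant: difference set
        return "DS", (n, k, vals[0])
    if len(vals) == 2 and vals[1] == vals[0] + 1:
        # d_S takes lam exactly t times and lam + 1 otherwise
        return "ADS", (n, k, vals[0], hist[vals[0]])
    return "none", None


def nonlinearity_P(S, n):
    """P_f = max over a != 0 and b of Pr(f(x+a) - f(x) = b), by exhaustive count."""
    S = set(S)
    f = [1 if x in S else 0 for x in range(n)]
    best = 0
    for a in range(1, n):
        ones = sum(f[(x + a) % n] ^ f[x] for x in range(n))   # b = 1
        best = max(best, ones, n - ones)                      # n - ones is b = 0
    return Fraction(best, n)


def theorem19_value(v, k, lam):
    """P_{f_D} predicted by Theorem 19(b) for a (v, k, lam) difference set."""
    return max(Fraction(v - 2 * (k - lam), v), Fraction(2 * (k - lam), v))


def nonzero_squares(q):
    """Nonzero squares modulo a prime q (the cyclotomic class D_0 of order 2)."""
    return {x * x % q for x in range(1, q)}


# The (13, 9, 6) difference set quoted in Remark (b) of Section 4.4.
D13 = {2, 4, 5, 6, 7, 8, 10, 11, 12}
PALEY11 = nonzero_squares(11)     # q = 11 ≡ 3 (mod 4): Paley difference set
QR13 = nonzero_squares(13)        # q = 13 ≡ 1 (mod 4): Theorem 33

if __name__ == "__main__":
    for name, S, n in [("D13", D13, 13), ("Paley 11", PALEY11, 11), ("QR 13", QR13, 13)]:
        print(name, classify(S, n), "P_f =", nonlinearity_P(S, n))
```

For $n = 13$ the difference set reaches the minimum $\frac{1}{2} + \frac{1}{2n}$, while the quadratic residues only reach $\frac{1}{2} + \frac{3}{2n}$, which is the gap between Theorems 30 and 32.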
4.5. Minimum distance from affine functions
In Sections 4.1 and 4.3, we have described binary functions from $A$ to $B$ with
optimum nonlinearity constructed from difference sets in the two cases
$n \equiv 0 \pmod 4$ and $n \equiv 2 \pmod 4$, where $n$ is the order of $A$. In this section
we are concerned with the minimum distance of such a function with all affine
functions from $A$ to $B$. We call the two constant functions 0 and 1 trivial
affine functions.
Theorem 35. Suppose $D$ is an $(n, k, \lambda)$ difference set of $A$, and $f_D(x)$ is the
characteristic function of $D$. Assume that $l(x)$ is any nontrivial affine function from
$A$ to $B$. Then
\[ \Pr(f_D(x) = l(x)) = \frac{1}{2} \pm \frac{\sqrt{1 - c}}{2\sqrt{n}}, \]
where $\Pr(f_D(x) = l(x))$ denotes the probability of agreement between $f_D(x)$ and $l(x)$,
and $c = \frac{n - 4(k - \lambda)}{n}$. Hence the distance between $f_D(x)$ and $l(x)$ is
\[ d(f_D(x), l(x)) = \frac{n}{2} \pm \frac{\sqrt{1 - c}}{2}\sqrt{n}. \]
Proof. This is a generalization of Theorem 4.8 in [34], see also Theorem 6.5.3
in [24]. The proof is essentially the same as the one given in [24,34], and is
omitted. □
If $D$ is a Hadamard difference set, then $c = 0$ and
\[ d(f_D(x), l(x)) = \frac{n \pm \sqrt{n}}{2}. \]
Hence the minimum distance $N_f$ between $f_D(x)$ and all affine functions is $\frac{n - \sqrt{n}}{2}$ (and is
optimal, according to Parseval's relation). This was known for bent functions. It is
shown here that this is also true for the characteristic function of any Hadamard
difference sets.
5. Nonbinary functions with optimum nonlinearity
5.1. The case $|B| = 3$
Since the abelian group of order 3 is unique up to isomorphism, in the
case $m = 3$ we assume that $(B, +) = (\mathbb{Z}_3, +)$. In this case if $\{C_0, C_1, C_2\}$ is an
$(n, 3, n/3)$ difference partition of $A$ with respect to $B$, then the conditions of (7)
reduce to
\[ k_0 + k_1 + k_2 = n, \qquad k_0^2 + k_1^2 + k_2^2 = \frac{n^2 + 2n}{3}, \]
since these two equalities imply $k_0 k_1 + k_1 k_2 + k_2 k_0 = \frac{n^2 - n}{3}$. For example,
\[ (k_0, k_1, k_2) = \left(\frac{n + \sqrt{n}}{3}, \frac{n + \sqrt{n}}{3}, \frac{n - 2\sqrt{n}}{3}\right) \]
and
\[ (k_0, k_1, k_2) = \left(\frac{n - \sqrt{n}}{3}, \frac{n - \sqrt{n}}{3}, \frac{n + 2\sqrt{n}}{3}\right) \]
are solutions to the two equations above. In fact, $(n, 3, n/3)$ difference partitions of
some $A$ with respect to $B$, or equivalently, functions from some $A$ to $B$ with perfect
nonlinearity, do exist. When $q = 3$ Theorem 39 below gives a large class of perfect
nonlinear functions with $|B| = 3$.
5.2. The case $|B| = 4$
When $B = \mathbb{Z}_4$, we have the following constraints:
Theorem 36. Let $(A, +)$ be an abelian group of order $n$ and let $(B, +) = (\mathbb{Z}_4, +)$, where
$n$ is a multiple of 4. If an $(n, 4, n/4)$ difference partition $\{C_b \mid b \in B\}$ of $A$ with respect to
$B$ exists, then
\[ \begin{cases} k_0 + k_2 = \dfrac{n \pm \sqrt{n}}{2}, \\[1ex] k_1 + k_3 = \dfrac{n \mp \sqrt{n}}{2}, \end{cases} \tag{27} \]
where $k_z = |C_z|$ for each $z \in B$.
Proof. If $\{C_b \mid b \in B\}$ is an $(n, 4, n/4)$ difference partition, then the conditions of (7)
reduce to
\[ k_0 k_2 + k_1 k_3 = \frac{n(n-1)}{8}, \]
\[ k_0 + k_1 + k_2 + k_3 = n, \]
\[ k_0^2 + k_1^2 + k_2^2 + k_3^2 = \frac{n^2 + 3n}{4}, \]
since
$k_0 k_1 + k_1 k_2 + k_2 k_3 + k_3 k_0 = k_0 k_3 + k_1 k_0 + k_2 k_1 + k_3 k_2 = (k_0 + k_1 + k_2 + k_3)^2 - (k_0^2 + k_1^2 + k_2^2 + k_3^2) - 2(k_0 k_2 + k_1 k_3)$. It then follows that
\[ (k_0 + k_2)^2 + (k_1 + k_3)^2 = \frac{n^2 + n}{2}, \qquad (k_0 + k_2) + (k_1 + k_3) = n. \tag{28} \]
Solving the set of equations proves the conclusion. □
We shall see in Section 6.5 that there exist perfect nonlinear functions from $A = \mathbb{Z}_4^n$
to $B = \mathbb{Z}_4$, where $n$ is any positive integer greater than 1.
Theorem 37. Let $(A, +)$ be an abelian group of order $n$ and let $(B, +)$ be either $(\mathbb{Z}_2 \times \mathbb{Z}_2, +)$ or $(GF(2^2), +)$, where $n$ is a multiple of 4. If an $(n, 4, n/4)$ difference partition
$\{C_b \mid b \in B\}$ of $A$ with respect to $B$ exists, then the vector $(k_{(0,0)}, k_{(0,1)}, k_{(1,0)}, k_{(1,1)})$ must
take on one of the following:
\[
\begin{aligned}
&\left(\tfrac{n + 3\sqrt{n}}{4}, \tfrac{n - \sqrt{n}}{4}, \tfrac{n - \sqrt{n}}{4}, \tfrac{n - \sqrt{n}}{4}\right), &
&\left(\tfrac{n - \sqrt{n}}{4}, \tfrac{n - \sqrt{n}}{4}, \tfrac{n + 3\sqrt{n}}{4}, \tfrac{n - \sqrt{n}}{4}\right), \\
&\left(\tfrac{n - 3\sqrt{n}}{4}, \tfrac{n + \sqrt{n}}{4}, \tfrac{n + \sqrt{n}}{4}, \tfrac{n + \sqrt{n}}{4}\right), &
&\left(\tfrac{n + \sqrt{n}}{4}, \tfrac{n + \sqrt{n}}{4}, \tfrac{n - 3\sqrt{n}}{4}, \tfrac{n + \sqrt{n}}{4}\right), \\
&\left(\tfrac{n - \sqrt{n}}{4}, \tfrac{n - \sqrt{n}}{4}, \tfrac{n - \sqrt{n}}{4}, \tfrac{n + 3\sqrt{n}}{4}\right), &
&\left(\tfrac{n - \sqrt{n}}{4}, \tfrac{n + 3\sqrt{n}}{4}, \tfrac{n - \sqrt{n}}{4}, \tfrac{n - \sqrt{n}}{4}\right), \\
&\left(\tfrac{n + \sqrt{n}}{4}, \tfrac{n + \sqrt{n}}{4}, \tfrac{n + \sqrt{n}}{4}, \tfrac{n - 3\sqrt{n}}{4}\right), &
&\left(\tfrac{n + \sqrt{n}}{4}, \tfrac{n - 3\sqrt{n}}{4}, \tfrac{n + \sqrt{n}}{4}, \tfrac{n + \sqrt{n}}{4}\right),
\end{aligned}
\tag{29}
\]
where $k_{(i,j)} = |C_{(i,j)}|$ for each $(i, j) \in B$.
Proof. Note that $(GF(2^2), +)$ is isomorphic to $(\mathbb{Z}_2 \times \mathbb{Z}_2, +)$. We need to consider
$B = \mathbb{Z}_2 \times \mathbb{Z}_2$ only. If $\{C_b \mid b \in B\}$ is an $(n, 4, n/4)$ difference partition of $A$ with
respect to $B$, then the conditions of (7) reduce to
\[
\begin{cases}
k_{(0,0)} k_{(0,1)} + k_{(1,0)} k_{(1,1)} = \dfrac{n(n-1)}{8}, \\[1ex]
k_{(0,0)} k_{(1,0)} + k_{(0,1)} k_{(1,1)} = \dfrac{n(n-1)}{8}, \\[1ex]
k_{(0,0)} k_{(1,1)} + k_{(1,0)} k_{(0,1)} = \dfrac{n(n-1)}{8}, \\[1ex]
k_{(0,0)}^2 + k_{(0,1)}^2 + k_{(1,0)}^2 + k_{(1,1)}^2 = \dfrac{n^2 + 3n}{4}.
\end{cases}
\tag{30}
\]
Solving the set of equations above gives
\[
\begin{cases} k_{(0,0)} + k_{(0,1)} = \dfrac{n \pm \sqrt{n}}{2}, \\[1ex] k_{(1,0)} + k_{(1,1)} = \dfrac{n \mp \sqrt{n}}{2}, \end{cases}
\qquad
\begin{cases} k_{(0,0)} + k_{(1,0)} = \dfrac{n \pm \sqrt{n}}{2}, \\[1ex] k_{(0,1)} + k_{(1,1)} = \dfrac{n \mp \sqrt{n}}{2}, \end{cases}
\qquad
\begin{cases} k_{(0,0)} + k_{(1,1)} = \dfrac{n \pm \sqrt{n}}{2}, \\[1ex] k_{(1,0)} + k_{(0,1)} = \dfrac{n \mp \sqrt{n}}{2}. \end{cases}
\]
So there are eight cases. In each case, we obtain two solutions $(k_{(0,0)}, k_{(0,1)}, k_{(1,0)}, k_{(1,1)})$.
Altogether we get the eight solutions of (29). It is checked that they are indeed
solutions of (30). This completes the proof. □
Theorem 38. Let $(A, +)$ be an abelian group of order $n$ and let $(B, +)$ be either $(\mathbb{Z}_2 \times \mathbb{Z}_2, +)$ or $(GF(2^2), +)$, where $n$ is a multiple of 4. If $f$ is a function from $A$ to $B$ with
perfect nonlinearity $P_f = \frac{1}{4}$, then
\[ N_f = \frac{3n - 3\sqrt{n}}{4} \quad \text{or} \quad \frac{3n - \sqrt{n}}{4}. \]
Proof. We consider only the case $B = \mathbb{Z}_2 \times \mathbb{Z}_2$. For any affine function $l(x)$, $g(x) = f(x) - l(x)$ must have perfect nonlinearity $P_g = \frac{1}{4}$ as $f(x)$ has perfect nonlinearity.
Let $k_{(i,j)} = |\{x \in A \mid g(x) = (i, j)\}|$. By Theorem 37, $(k_{(0,0)}, k_{(0,1)}, k_{(1,0)}, k_{(1,1)})$ must
take on one of the eight vectors listed in Theorem 37. The conclusion of this theorem
then follows. □
Remarks.
(1) The nonlinearity $N_f$ measures the minimum distance between $f$ and all affine
functions from $A$ to $B$. Theorem 37 means that the best affine approximation of
any function from $A$ to $B$ with perfect nonlinearity is very poor.
(2) The conditions of (28), those of (27), and Theorem 38 may suggest that
functions with optimum nonlinearity $P_f$ may not have optimum nonlinearity
$N_f$. In other words the two kinds of measures of nonlinearity are not consistent
for nonbinary functions. This is not strange, as sometimes the nonlinearity
measure $N_f$ makes little sense.
(3) When $q = 4$, Theorem 39 below will give a large class of perfect nonlinear
functions with $|B| = 4$.
6. Constructions of functions with optimum nonlinearity
We give the basic constructions. They can be modified and combined by using the
results of Section 3.
6.1. Functions from $(GF(q)^n, +)$ to $(GF(q), +)$
Let $p$ be a prime and $q = p^l$. We have seen in Section 3.6 that for every $b \in GF(q)$,
$f_b$ equals $\omega_p^{\mathrm{Tr}(bf)}$ where $\mathrm{Tr}$ is the trace function from $GF(q)$ to $GF(p)$ and where
$\omega_p = \exp(2i\pi/p)$. Thus, $\widehat{f_b}(\alpha)$ equals $\sum_{a \in GF(q)^n} \omega_p^{\mathrm{Tr}(b f(a) + \alpha \cdot a)}$.
We extend now the known constructions of perfect nonlinear Boolean functions
(cf. [30]) to this more general framework.
Let $(A, +) = (GF(q)^n, +)$, where $n$ is even. Then the following function $f$ from
$(A, +)$ to $(GF(q), +)$
\[ f(x_1, x_2, \ldots, x_n) = x_1 x_{n/2+1} + x_2 x_{n/2+2} + \cdots + x_{n/2} x_n \]
has perfect nonlinearity $P_f = \frac{1}{q}$. Hence $\{C_b(f) \mid b \in GF(q)\}$ is a $(q^n, q, q^{n-1})$ difference
partition, where $C_b(f) = \{x \in A \mid f(x) = b\}$.
More generally, we have the following result.
Theorem 39. Let $n$ be any even positive integer and let $\pi$ be a bijective mapping from
$GF(q)^{n/2}$ to $GF(q)^{n/2}$. We denote its coordinate functions by $\pi_1, \ldots, \pi_{n/2}$. Let $g$ be a
function from $GF(q)^{n/2}$ to $GF(q)$. Then,
\[ f(x_1, x_2, \ldots, x_n) = x_1 \pi_1(x_{n/2+1}, \ldots, x_n) + x_2 \pi_2(x_{n/2+1}, \ldots, x_n) + \cdots + x_{n/2} \pi_{n/2}(x_{n/2+1}, \ldots, x_n) + g(x_{n/2+1}, \ldots, x_n) \]
has perfect nonlinearity $P_f = \frac{1}{q}$.
Proof. Denote $(x_1, x_2, \ldots, x_{n/2})$ by $x$ and $(x_{n/2+1}, x_{n/2+2}, \ldots, x_n)$ by $x'$. We have
$f(x, x') = x \cdot \pi(x') + g(x')$. For every $0 \ne b \in GF(q)$ and every $a, a' \in GF(q)^{n/2}$,
we have
\[ \widehat{f_b}(a, a') = \sum_{x, x' \in GF(q)^{n/2}} \omega_p^{\mathrm{Tr}(b[x \cdot \pi(x') + g(x')] + a \cdot x + a' \cdot x')}, \]
where $\mathrm{Tr}$ is the trace function from $GF(q)$ to $GF(p)$.
The partial sum $\sum_{x \in GF(q)^{n/2}} \omega_p^{\mathrm{Tr}(b[x \cdot \pi(x') + g(x')] + a \cdot x + a' \cdot x')}$ is null if $b\pi(x') + a \ne 0$.
Thus
\[ \widehat{f_b}(a, a') = q^{n/2} \sum_{x' \in \pi^{-1}(-a/b)} \omega_p^{\mathrm{Tr}(b g(x') + a' \cdot x')}, \]
and, since $\pi^{-1}(-a/b)$ is a singleton, $f$ has perfect nonlinearity according to
Theorem 16. □
This class of functions is often called Maiorana–McFarland's class.
The functions $f$ in the class of Maiorana–McFarland functions with constant $g$
can be modified using Theorem 17: take $E = \{0\} \times GF(q)^{n/2}$ in this theorem;
denote by $\delta_0$ the Dirac symbol ($\delta_0(x) = 1$ if $x = 0$, $\delta_0(x) = 0$ otherwise);
we have that, for every $\lambda, \mu \in GF(q)$, the function $f(x_1, x_2, \ldots, x_n) = x_1 \pi_1(x_{n/2+1}, \ldots, x_n) + x_2 \pi_2(x_{n/2+1}, \ldots, x_n) + \cdots + x_{n/2} \pi_{n/2}(x_{n/2+1}, \ldots, x_n) + \lambda \delta_0(x) + \mu$
is perfect nonlinear.
Remark. Let $q$ be an odd prime, then every polynomial function of degree 2 from
$GF(q)$ to $GF(q)$ is bent [57] and therefore perfect nonlinear. Let $q$ be a power of 2
and let $b_0, \ldots, b_4$ be elements of $GF(q)$. Then, as shown by Ambrosimov in [1], the
function from $GF(q)^2$ to $GF(q)$: $f(x_1, x_2) = b_0 + b_1 x_1 + b_2 x_2 + b_3 x_1^2 + b_4 x_2^2 + x_1 x_2$
has also perfect nonlinearity.
Another adaptation of a classical construction is the following:
Theorem 40. Let $p$ be a prime and $q = p^l$. Let $(A, +) = (GF(q)^n, +)$,
where $n$ is even. We identify $GF(q)^{n/2}$ with the field $GF(q^{n/2})$. Let $g$ be any balanced
function from $GF(q^{n/2})$ to $GF(q)$. Then the following function $f$ from $(A, +)$ to
$(GF(q), +)$
\[ f(x, x') = g\left(x\, x'^{\,q^{n/2} - 2}\right), \quad x, x' \in GF(q^{n/2}), \]
has perfect nonlinearity $P_f = \frac{1}{q}$.
Proof. For every $0 \ne b \in GF(q)$ and every $a, a' \in GF(q^{n/2})$, we have
\[ \widehat{f_b}(a, a') = \sum_{x, x' \in GF(q^{n/2})} \omega_p^{\mathrm{Tr}(b g(x x'^{\,q^{n/2} - 2})) + \mathrm{Tr}'(ax + a'x')}, \]
where $\mathrm{Tr}$ is the trace function from $GF(q)$ to $GF(p)$ and $\mathrm{Tr}'$ is the trace function
from $GF(q^{n/2})$ to $GF(p)$. Writing $x = x'z$ for every $x' \ne 0$, we have
\[
\begin{aligned}
\sum_{x \in GF(q^{n/2}),\, x' \in GF(q^{n/2})^*} \omega_p^{\mathrm{Tr}(b g(x x'^{\,q^{n/2} - 2})) + \mathrm{Tr}'(ax + a'x')}
&= \sum_{z \in GF(q^{n/2}),\, x' \in GF(q^{n/2})^*} \omega_p^{\mathrm{Tr}(b g(z)) + \mathrm{Tr}'((az + a')x')} \\
&= \sum_{z, x' \in GF(q^{n/2})} \omega_p^{\mathrm{Tr}(b g(z)) + \mathrm{Tr}'((az + a')x')} - \sum_{z \in GF(q^{n/2})} \omega_p^{\mathrm{Tr}(b g(z))}.
\end{aligned}
\]
Since $g$ is balanced, we have $\sum_{z \in GF(q^{n/2})} \omega_p^{\mathrm{Tr}(b g(z))} = 0$, according to Proposition 14.
Thus
\[ \widehat{f_b}(a, a') = \sum_{x \in GF(q^{n/2})} \omega_p^{\mathrm{Tr}(b g(0)) + \mathrm{Tr}'(ax)} + \sum_{z, x' \in GF(q^{n/2})} \omega_p^{\mathrm{Tr}(b g(z)) + \mathrm{Tr}'((az + a')x')}. \]
The partial sum $\sum_{x' \in GF(q^{n/2})} \omega_p^{\mathrm{Tr}(b g(z)) + \mathrm{Tr}'((az + a')x')}$ is null if $az + a' \ne 0$.
If $a \ne 0$, since the sum $\sum_{x \in GF(q^{n/2})} \omega_p^{\mathrm{Tr}(b g(0)) + \mathrm{Tr}'(ax)}$ is null, we deduce that $\widehat{f_b}(a, a')$
has magnitude $q^{n/2}$. And if $a = 0$ and $a' \ne 0$, then $\widehat{f_b}(a, a') = q^{n/2} \omega_p^{\mathrm{Tr}(b g(0))}$ has
also magnitude $q^{n/2}$. We deduce that $\widehat{f_b}(0, 0)$ has magnitude $q^{n/2}$ as well,
thanks to Parseval's relation. Thus, $f$ has perfect nonlinearity according to
Theorem 16. □
This class of functions is often called Dillon's class or Partial Spreads class
(when $q = 2$, the support of the function is a partial spread).
6.2. Functions from $(GF(q)^n, +)$ to $(GF(q)^n, +)$: perfect and almost perfect nonlinear
mappings
We consider now the case of mappings $f$ from $GF(q)^n$ to $GF(q)^n$ where $q = p^l$.
Since $GF(q)^n$ can be identified, as a vector space over $GF(p)$, with $GF(q^n) = GF(p^{ln})$,
this case reduces to that of mappings $f$ from $GF(p^m)$ to $GF(p^m)$.
If $p = 2$, the minimum possible value of $P_f$ is $\frac{2}{p^m}$, because the characteristic
of the field being equal to 2, any solution $x$ of the equation $D_a f(x) = b$ can be
paired with the solution $x + a$. If $p > 2$, then the minimum possible value
of $P_f$ is $\frac{1}{p^m}$. A function $f$ from $GF(p^m)$ to $GF(p^m)$ is called (cf. [66,67]) almost
perfect nonlinear if $P_f = \frac{2}{p^m}$, and perfect nonlinear if $P_f = \frac{1}{p^m}$. Perfect nonlinear
mappings are also called planar functions. Perfect and almost perfect nonlinear
mappings have important applications in cryptography and coding theory
[3,11,24,44,67]. In this section we summarize known perfect and almost perfect
nonlinear functions.
Known almost perfect nonlinear power functions $x^s$ from $GF(2^m)$ to $GF(2^m)$ are
the following:
* $s = 2^m - 2$ ($m$ odd) [3,67].
* $s = 2^h + 1$ with $\gcd(h, m) = 1$, where $1 \le h \le (m-1)/2$ if $m$ is odd and
$1 \le h \le (m-2)/2$ if $m$ is even [41,67].
* $s = 2^{2h} - 2^h + 1$ with $\gcd(h, m) = 1$, where $1 \le h \le (m-1)/2$ if $m$ is odd and
$1 \le h \le (m-2)/2$ if $m$ is even [50,54].
* $s = 2^{(m-1)/2} + 3$, where $m$ is odd [11,39].
* $s = 2^{(m-1)/2} + 2^{(m-1)/4} - 1$, where $m \equiv 1 \pmod 4$ [40].
* $s = 2^{(m-1)/2} + 2^{(3m-1)/4} - 1$, where $m \equiv 3 \pmod 4$ [40].
Known perfect nonlinear power functions $x^s$ from $GF(p^m)$ to $GF(p^m)$, where $p > 2$,
are the following [23,45]:
* $s = 2$.
* $s = p^k + 1$, where $m/\gcd(m, k)$ is odd.
* $s = (3^k + 1)/2$, where $p = 3$, $k$ is odd, and $\gcd(m, k) = 1$.
The case $s = 2$ was known earlier in [28] under the name of generalized Hadamard
matrices.
We deduce that if
* $s = 2$, or
* $s = p^k + 1$, where $m/\gcd(m, k)$ is odd, or
* $s = (3^k + 1)/2$, where $p = 3$, $k$ is odd, and $\gcd(m, k) = 1$,
then the matrix $D$ of Theorem 12 is a $(q, q, 1)$ difference matrix, i.e., a generalized
Hadamard matrix $GH(q, 1)$.
The following proposition illustrates the idea of constructing new perfect
nonlinear functions from known ones.
Proposition 41. Define $f(x) = \mathrm{Tr}_{GF(p^m)/GF(p^h)}(x^s)$, where $m$ and $h$ are integers with
$1 \le h \mid m$, $p$ is an odd prime, and $\mathrm{Tr}_{GF(p^m)/GF(p^h)}$ is the trace function from $GF(p^m)$ to
$GF(p^h)$. If
* $s = 2$, or
* $s = p^k + 1$, where $m/\gcd(m, k)$ is odd, or
* $s = (3^k + 1)/2$, where $p = 3$, $k$ is odd, and $\gcd(m, k) = 1$,
then
(a) $f(x)$ is a function from $GF(p^m)$ to $GF(p^h)$ with perfect nonlinearity, and
(b) the matrix $D$ of Theorem 12 defined by $f$ is a generalized Hadamard matrix
$GH(p^h, p^{m-h})$.
Proof. As made clear before, $x^s$ has perfect nonlinearity if $s$ takes on one of the three
values above. The conclusion in part (a) then follows from Theorem 7. The
conclusion of part (b) then follows from Theorem 12. □
Known almost perfect nonlinear power functions $x^s$ from $GF(p^m)$ to $GF(p^m)$,
where $p$ is odd, are the following (due to Helleseth and Sandberg [45], and Helleseth
et al. [44]):
* $s = p^m - 2$, where $p^m \equiv 2 \pmod 3$ [44].
* $s = \frac{p^m - 1}{2} - 1$, where $p \equiv 3, 7 \pmod{20}$, $p^m > 7$, $p^m \ne 27$, and $m$ is odd [45].
* $s = 3$, where $p \ne 3$ [44].
* $s = \frac{p^m + 1}{4} + \frac{p^m - 1}{2}$, where $p^m \equiv 3 \pmod 8$ [44].
* $s = \frac{p^m + 1}{4}$, where $p^m \equiv 7 \pmod 8$ [44].
* $s = p^m - 3$, where $n > 1$ is odd and $p = 3$ [44].
* $s = \frac{2p^m - 1}{3}$, where $p^m \equiv 2 \pmod 3$ [44].
* $s = p^{m/2} + 2$, where $p > 3$ is prime and $p^{m/2} \equiv 1 \pmod 3$ [44].
* $s = p^{(m+1)/2} - 1$, where $m$ is odd and $p = 3$ [44].
* $s = \frac{5^k + 1}{2}$, where $\gcd(2m, k) = 1$ and $p = 5$ [44].
Functions from $GF(p^m)$ to $GF(p^m)$ with high nonlinearity that are not perfect or
almost perfect nonlinear may be found in Beth and Ding [3], Dobbertin [38], Gold
[41], Helleseth and Sandberg [45], Helleseth et al. [44], Kasami [54], and Lachaud and
Wolfmann [58].
Note that any power function is a group homomorphism. The perfect and almost
perfect nonlinear functions in this section illustrate an idea which will be used again
in Section 6.3.
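As an added example (not from the paper), the following brute-force check counts $\max_{a \ne 0,\, b} |\{x : f(x+a) - f(x) = b\}|$ for the Maiorana–McFarland functions of Theorem 39 and for several of the power functions listed in Section 6.2; dividing the count by $|A|$ gives $P_f$. The function names, the moduli $X^5 + X^2 + 1$ and $X^4 + X + 1$, and the sample $\pi$ and $g$ are choices made here, and the odd-characteristic cases are restricted to prime fields $GF(p)$.

```python
from collections import Counter
from itertools import product


def max_difference_count(elems, f, add, sub):
    """Max over a != 0 and b of #{x : f(x + a) - f(x) = b}.
    elems[0] must be the zero of (A, +); sub is subtraction in B."""
    best = 0
    for a in elems[1:]:
        counts = Counter(sub(f[add(x, a)], f[x]) for x in elems)
        best = max(best, max(counts.values()))
    return best


def gf2m_mul(a, b, m, poly):
    """Multiply in GF(2^m) = GF(2)[X]/(poly); elements are m-bit integers."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> m) & 1:        # degree reached m: reduce modulo poly
            a ^= poly
    return r


def gf2m_pow(x, s, m, poly):
    """x^s in GF(2^m) by square-and-multiply (s >= 1)."""
    r = 1
    while s:
        if s & 1:
            r = gf2m_mul(r, x, m, poly)
        x = gf2m_mul(x, x, m, poly)
        s >>= 1
    return r


def power_map_gf2m(s, m, poly):
    """Difference count of x -> x^s on GF(2^m); 2 means almost perfect nonlinear."""
    elems = list(range(1 << m))
    f = {x: gf2m_pow(x, s, m, poly) for x in elems}
    xor = lambda u, v: u ^ v
    return max_difference_count(elems, f, xor, xor)


def power_map_gfp(s, p):
    """Difference count of x -> x^s on the prime field GF(p); 1 means perfect nonlinear."""
    elems = list(range(p))
    f = {x: pow(x, s, p) for x in elems}
    return max_difference_count(elems, f,
                                lambda u, v: (u + v) % p,
                                lambda u, v: (u - v) % p)


def maiorana_mcfarland_gfp(p, pi, g):
    """f(x, x') = x * pi(x') + g(x') on GF(p)^2 (Theorem 39 with n = 2, q = p)."""
    elems = list(product(range(p), repeat=2))      # (0, 0) comes first
    f = {(x, y): (x * pi[y] + g[y]) % p for x, y in elems}
    add = lambda u, v: ((u[0] + v[0]) % p, (u[1] + v[1]) % p)
    return max_difference_count(elems, f, add, lambda u, v: (u - v) % p)


POLY5 = 0b100101   # X^5 + X^2 + 1, irreducible over GF(2)
POLY4 = 0b10011    # X^4 + X + 1, irreducible over GF(2)

if __name__ == "__main__":
    # m = 5: inverse, Gold (h = 1, 2), Kasami (h = 2), and s = 2^((m-1)/2) + 3
    for s in (30, 3, 5, 13, 7):
        print("GF(2^5), s =", s, "count", power_map_gf2m(s, 5, POLY5))
    # m = 4: the conditions "m odd" and gcd(h, m) = 1 matter
    for s in (3, 14, 5):
        print("GF(2^4), s =", s, "count", power_map_gf2m(s, 4, POLY4))
    print("GF(7), x^2:", power_map_gfp(2, 7), " x^3:", power_map_gfp(3, 7))
    print("M-M over GF(3), bijective pi:", maiorana_mcfarland_gfp(3, [1, 2, 0], [0, 1, 1]))
    print("M-M over GF(3), non-bijective pi:", maiorana_mcfarland_gfp(3, [1, 1, 0], [0, 1, 1]))
```

On $GF(2^4)$ the exponents $s = 14 = 2^m - 2$ and $s = 5 = 2^2 + 1$ give a count of 4 rather than 2, which shows why the lists require $m$ odd and $\gcd(h, m) = 1$ respectively.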
6.3. Functions with optimum nonlinearity from linear functions
One way of getting functions with optimum nonlinearity with respect to a pair of
operations is to use linear functions with respect to another pair of operations. The
following theorem illustrates this idea ([34, p. 125], see also [24, p. 296]).
Theorem 42. Any nonzero linear function $f$ from $(GF(q^m), +)$ to $(GF(q), +)$ is a
function from $(GF(q^m)^*, \times)$ to $(GF(q), +)$ with optimum nonlinearity with respect to
the two operations $\times$ and $+$, and $P_f = \frac{1}{q} + \frac{1}{q(q^m - 1)}$.
The idea of obtaining highly nonlinear functions from linear functions is by far the
most useful tool [24]. We now illustrate this idea further by looking at the
nonlinearity of group characters.
There are two finite abelian groups in a finite field $GF(q)$, i.e., the additive group
and multiplicative group of the field. For applications, we need to make an
important distinction between the corresponding two kinds of characters.
We first consider the additive group $(GF(q), +)$. Let $p$ be the characteristic of
$GF(q)$, and $q = p^m$. We identify the prime field of $GF(q)$ with $\mathbb{Z}_p$. As already seen in
Section 3.6, we can define $\chi_1$ by
\[ \chi_1(a) = e^{2\pi i\, \mathrm{Tr}(a)/p} \quad \text{for all } a \in GF(q), \]
which is a character of the additive group $(GF(q), +)$. We call the characters of the
group $(GF(q), +)$ additive characters, and we call the above character $\chi_1$ the
canonical additive character of $GF(q)$. For $b \in GF(q)$, the function $\chi_b$ with $\chi_b(a) = \chi_1(ba)$
for all $a \in GF(q)$ is an additive character of $GF(q)$, and every additive
character of $GF(q)$ is obtained in this way.
Characters of the multiplicative group $GF(q)^*$ are called multiplicative characters
of $GF(q)$. Since $GF(q)^*$ is a cyclic group of order $q - 1$, its characters can be easily
determined. Let $g$ be a fixed primitive element of $GF(q)$. For each $j = 0, 1, \ldots, q - 2$,
the function $\psi_j$ with
\[ \psi_j(g^k) = e^{2\pi i jk/(q-1)}, \quad k = 0, 1, \ldots, q - 2 \]
defines a multiplicative character of $GF(q)$, and every multiplicative character of
$GF(q)$ is obtained in this way.
A multiplicative character $\chi$ is of course linear with respect to $(GF(q)^*, \times)$
and $(U, \times)$, where $U$ is the set of complex numbers of absolute value 1.
Let $\mathrm{ord}(\chi) = d$, and let $U_d$ denote the $d$th roots of unity in the complex
numbers. Then $\chi$ is a mapping from $GF(q)^*$ to $U_d$. We now extend $\chi$ to $GF(q)$ by
defining
\[ \chi(0) = 1, \]
where 0 is the zero element of $GF(q)$, and 1 is the identity element of $U_d$. We write $\chi$
for such an extended character of $\chi$.
Lemma 43 (Tze et al. [73]). Let $q - 1 = dl$, and let $q$ be an odd prime power. For the
cyclotomic numbers of order $d$ with respect to $GF(q)$ we have
$$\sum_{h=0}^{d-1} (h, h + k) = \begin{cases} l - 1 & \text{if } k = 0, \\ l & \text{if } 1 \le k < d. \end{cases}$$
Theorem 44. Consider the nonlinearity of the extended multiplicative
character $\chi$ of order $d$ with respect to $(GF(q), +)$ and $(U_d, \times)$. Let $q$ be
odd and let $-1 \in D_s^{(d,q)}$ for some $0 \le s \le d - 1$, where the $D_h^{(d,q)}$ are cyclotomic
classes of order $d$.
(1) If $d - s \equiv 2k \pmod{d}$ has a solution $k$ with $1 \le k \le d - 1$, then
$$P_\chi = \frac{l + 2}{dl + 1} = \frac{1}{d} + \frac{2d - 1}{dq}.$$
(2) Otherwise
$$P_\chi = \frac{l + 1}{dl + 1} = \frac{1}{d} + \frac{d - 1}{dq}.$$
In this case $\chi$ has optimal nonlinearity.
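Proof. Since $\mathrm{ord}(\chi) = d$, $\chi = \psi_l$. Define $\beta = e^{2\pi i/d}$. Then $\beta$ is a primitive $d$th root of
unity. Clearly,
$$\chi(D_0^{(d,q)} \cup \{0\}) = 1, \qquad \chi(D_h^{(d,q)}) = \beta^h, \quad 1 \le h < d.$$
For any $0 \ne a \in GF(q)$ and $b = \beta^k \in U_d$, let $a^{-1} \in D_j^{(d,q)}$. By Lemma 43
$$\begin{aligned}
|\{x \in GF(q) \mid f(x + a)/f(x) = b\}|
&= \sum_{h=0}^{d-1} |D_h^{(d,q)} \cap (D_{k+h}^{(d,q)} - a)| + |\{a\} \cap D_k^{(d,q)}| + |\{-a\} \cap D_{d-k}^{(d,q)}| \\
&= \sum_{h=0}^{d-1} (h + j, h + j + k) + |\{a\} \cap D_k^{(d,q)}| + |\{-a\} \cap D_{d-k}^{(d,q)}| \\
&= \begin{cases} l - 1 + |\{a, -a\} \cap D_0^{(d,q)}|, & \text{if } k = 0, \\ l + |\{a\} \cap D_k^{(d,q)}| + |\{-a\} \cap D_{d-k}^{(d,q)}|, & \text{if } 1 \le k < d. \end{cases}
\end{aligned}$$
If $d - s \equiv 2k \pmod{d}$ has a solution $k$ with $1 \le k \le d - 1$, then
$$\max_a \left( |\{a\} \cap D_k^{(d,q)}| + |\{-a\} \cap D_{d-k}^{(d,q)}| \right) = 2.$$
Otherwise the maximum value is 1. The conclusions of this theorem then follow. $\Box$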
This theorem says that the nonlinearity of the extended multiplicative character $\chi$
with respect to $(GF(q), +)$ and $(U_d, \times)$ is either optimal or almost optimal.
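The case split in Theorem 44 can be checked by brute force over small prime fields. The Python below is an added example, not code from the paper: it assumes $q$ is an odd prime (so $GF(q)$ is the integers mod $q$), stores $\chi(x) = \beta^{e}$ as the exponent $e$ mod $d$, and takes $P_\chi$ to be the largest count from the proof divided by $q$; all function names are hypothetical.

```python
from fractions import Fraction

def primitive_root(q):
    """Smallest generator of GF(q)* for an odd prime q."""
    prime_factors = [r for r in range(2, q) if (q - 1) % r == 0
                     and all(r % s for s in range(2, r))]
    return next(g for g in range(2, q)
                if all(pow(g, (q - 1) // r, q) != 1 for r in prime_factors))

def character_exponents(q, d):
    """e[x] with chi(x) = beta**e[x], beta = exp(2*pi*i/d).

    x = g**k lies in the cyclotomic class D_(k mod d); e[0] = 0 encodes
    the extension chi(0) = 1.
    """
    g, e, x = primitive_root(q), [0] * q, 1
    for k in range(q - 1):
        e[x] = k % d
        x = x * g % q
    return e

def measured_P(q, d):
    """max over a != 0 and b in U_d of |{x : chi(x+a)/chi(x) = b}| / q."""
    e, best = character_exponents(q, d), 0
    for a in range(1, q):
        counts = [0] * d
        for x in range(q):
            counts[(e[(x + a) % q] - e[x]) % d] += 1
        best = max(best, max(counts))
    return Fraction(best, q)

def theorem44_P(q, d):
    """Value predicted by Theorem 44 for q = d*l + 1."""
    l = (q - 1) // d
    s = character_exponents(q, d)[q - 1]          # -1 lies in D_s
    case1 = any((d - s - 2 * k) % d == 0 for k in range(1, d))
    return Fraction(l + 2 if case1 else l + 1, q)

def compare(primes=(5, 7, 11, 13, 17, 19, 29, 31)):
    """(q, d, measured, predicted) for every order d >= 2 dividing q - 1."""
    return [(q, d, measured_P(q, d), theorem44_P(q, d))
            for q in primes for d in range(2, q) if (q - 1) % d == 0]

if __name__ == "__main__":
    for q, d, measured, predicted in compare():
        print(f"q={q:2d} d={d:2d} measured={measured} Theorem 44={predicted}")
```

For $d = 2$ this is the quadratic character: $q = 5$ falls in case (1) and $q = 7$ in case (2).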
Let $f$ be an additive character of $GF(q)$, and let $d$ be its order. Then we have the
trivial facts that $d > 1$ and $d \mid q$. By definition $f$ is linear with respect to $(GF(q), +)$
and $(U_d, \times)$. Writing $f$ for the restriction of $f$ to $GF(q)^*$, we consider now the
nonlinearity of $f$ with respect to $(GF(q)^*, \times)$ and $(U_d, \times)$.
Theorem 45. For the nonlinearity of the additive character $f$ with respect to
$(GF(q)^*, \times)$ and $(U_d, \times)$, we have
$$P_f = \frac{1}{d} + \frac{1}{qd}.$$
The proof of Theorem 45 can be found in [24, p. 301]. It says that the nonlinearity
of the additive character $f$ with respect to $(GF(q)^*, \times)$ and $(U_d, \times)$ is optimal.
In general, any group homomorphism is called a group character. Similarly, we
may define ring homomorphisms which may have high nonlinearity [24, p. 301].
6.4. Other functions from $(GF(2^m)^*, \times)$ to $(GF(2), +)$ with optimum nonlinearity
We have obtained at Theorem 42 functions from $(GF(q^m)^*, \times)$ to $(GF(q), +)$ with
optimum nonlinearity. The most interesting practical case is when $q = 2$. Several
other examples of functions with optimum nonlinearity are known in this case.
Indeed, Boolean functions defined on $GF(2^m)$ and such that, for every $a \ne 1$, the
function $f(x) + f(ax)$ is balanced are said to have ideal autocorrelation and present
much interest for the construction of good sequences for CDMA communications
systems. So much work has been done to obtain such functions. Their restrictions to
$GF(2^m)^*$ have optimum nonlinearity $P_f = \frac{2^{m-1}}{2^m - 1} = \frac{1}{2} + \frac{1}{2(2^m - 1)}$. Thus, as shown in
Section 4.2, their supports are cyclic difference sets with the so-called "Singer
parameters" (this strengthens the reasons why these functions have been much
studied).
We list now the known constructions. Note that, if $f(x)$ has ideal autocorrelation,
$\gcd(2^m - 1, n) = 1$ and $a \in GF(2^m)$ is nonzero, then $f(ax^n)$ has also ideal autocorrelation.
* Theorem 42 corresponds to the fact that the Boolean function on $GF(2^m)$ equal to
$\mathrm{Tr}(x)$, where $\mathrm{Tr}$ denotes the trace function from $GF(2^m)$ to $GF(2)$, has ideal
autocorrelation (this can be generalized to any finite field). We have indeed:
$$\sum_{x \in GF(2^m)} (-1)^{\mathrm{Tr}(x) + \mathrm{Tr}(ax)} = \sum_{x \in GF(2^m)} (-1)^{\mathrm{Tr}((1 + a)x)} = 0.$$
The support of this function is called a Singer cyclic difference set. This
construction is generalized into GMW (Gordon–Mills–Welch) construction:
$$f(x) = \mathrm{Tr}\left[\left(\mathrm{Tr}_{GF(2^m)/GF(2^r)}(x)\right)^t\right],$$
where $r$ divides $m$ and $\gcd(t, 2^m - 1) = 1$, $\mathrm{Tr}_{GF(2^m)/GF(2^r)}$ is the trace function from
$GF(2^m)$ to $GF(2^r)$, and $\mathrm{Tr}$ is the trace function from $GF(2^r)$ to $GF(2)$.
* A second way to construct functions with ideal autocorrelation is by using
Maschietti's method (cf. [31,62]): find $k$ such that $\gcd(k, 2^m - 1) = 1$ and such
that the map $x \mapsto x + x^k$ is 2 to 1 (i.e. such that for every $y \in GF(2^m)$ there exist
either two or no $x \in GF(2^m)$ such that $y = x + x^k$). Then
$GF(2^n) \setminus \{x + x^k, x \in GF(2^n)\}$ is the support of a function $f$ with ideal autocorrelation. Singer
sets with $n = 1$ correspond to $k = 2$. For $m$ odd, $k = 6$ (Segre case) and two other
more complex cases also work (see [32]).
* A third way is by using No et al. method (cf. [65]): $f$ is then the indicator of the set
$\{x^d + (x + 1)^d, x \in GF(2^n)\}$ (if the mapping $x \mapsto x^d$ is not a permutation) or of its
complement (if it is a permutation), where $\gcd(d, 2^m - 1) = 1$ and where the map
$x \mapsto x^d + (x + 1)^d$ is 2 to 1. Take $k$ such that $\gcd(k, m) = 1$ and $d = 2^{2k} - 2^k + 1$
(called Kasami exponent); then as shown by Dillon and Dobbertin in [32] (see also
[31]), $f$ has ideal autocorrelation.
* A last way is when $2^m - 1$ is a prime to take for $f$ the indicator of the set of all
elements $a^t$ ($a$ a primitive element of $GF(2^n)$) such that $t$ is not a square mod
$2^m - 1$.
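The ideal autocorrelation condition and Maschietti's construction from the list above can be tested exhaustively in a small field. This Python is an added example, not code from the paper: it assumes $m = 5$ with $GF(2^5)$ built modulo $x^5 + x^2 + 1$ (a choice made here), and checks the trace function, $k = 2$, and the Segre exponent $k = 6$; all names are hypothetical.

```python
M, POLY = 5, 0b100101        # GF(2^5) = GF(2)[x]/(x^5 + x^2 + 1); elements are ints 0..31
SIZE = 1 << M

def gf_mul(a, b):
    """Carry-less multiplication reduced modulo POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> M:
            a ^= POLY
    return r

def gf_pow(a, k):
    r = 1
    for _ in range(k):
        r = gf_mul(r, a)
    return r

def trace(x):
    """Tr(x) = x + x^2 + x^4 + ... + x^(2^(M-1)), an element of GF(2)."""
    t = 0
    for _ in range(M):
        t ^= x
        x = gf_mul(x, x)
    return t

def has_ideal_autocorrelation(f):
    """f is a 0/1 table indexed by field element; f(x) + f(ax) must be
    balanced for every a other than 0 and 1."""
    return all(sum(f[x] ^ f[gf_mul(a, x)] for x in range(SIZE)) == SIZE // 2
               for a in range(2, SIZE))

def is_two_to_one(k):
    """True when every value of x -> x + x^k has exactly two preimages."""
    hits = {}
    for x in range(SIZE):
        y = x ^ gf_pow(x, k)
        hits[y] = hits.get(y, 0) + 1
    return all(c == 2 for c in hits.values())

def maschietti(k):
    """Indicator table of GF(2^M) minus the image of x -> x + x^k."""
    image = {x ^ gf_pow(x, k) for x in range(SIZE)}
    return [0 if y in image else 1 for y in range(SIZE)]

TRACE = [trace(x) for x in range(SIZE)]

if __name__ == "__main__":
    print("trace:", has_ideal_autocorrelation(TRACE))
    for k in (2, 6):
        print(f"k={k}: 2-to-1={is_two_to_one(k)}",
              f"ideal={has_ideal_autocorrelation(maschietti(k))}",
              f"equals trace={maschietti(k) == TRACE}")
```

For $k = 2$ the image of $x \mapsto x + x^2$ is the kernel of the trace, so the construction returns the trace function itself.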
6.5. Functions from $Z_q^n$ to $Z_q$
If $q$ is not a prime, it has been shown in [16] that only one construction among all
known constructions of generalized bent functions can produce perfect nonlinear
functions. This construction, due to Hou [47], is a generalization of Dillon's (i.e.
Partial Spreads) construction of binary bent functions. It uses the notion of Galois
ring and can be specified to produce perfect nonlinear functions from $Z_q^n$ to $Z_q$ where
$q$ is a power of a prime and $n$ is even (cf. [16]).
The question whether functions with perfect nonlinearity exist on $Z_q^n$ for $n$ odd
arises. A construction valid for $A = Z_4^n$ where $n$ is any positive integer greater than 1
and $B = Z_4$ has been given in [16]. It uses also Galois rings.
Open Problem 46. Construct perfect nonlinear functions from $Z_q^n$ to $Z_q$ for $n$ odd and
$q \ne 4$, $q$ being not a prime.
Other perfect nonlinear functions from $Z_{p^2}$ to $Z_p$
Theorem 47. Define $f : Z_{p^2} \to Z_p$ by $f(h + jp) = hj \bmod p$ for $0 \le h, j \le p - 1$. Then $f$
has perfect nonlinearity with respect to $(Z_{p^2}, +)$ and $(Z_p, +)$.
Theorem 48. Let $f : Z_{p^2} \to Z_p$ be a mapping whose restriction to $Z_{p^2}^*$ is a surjective
homomorphism with respect to $(Z_{p^2}^*, \times)$ and $(Z_p, +)$ and is zero otherwise. Then $f$ has
perfect nonlinearity with respect to $(Z_{p^2}, +)$ and $(Z_p, +)$.
Theorems 47 and 48 are the functional versions of results about generalized
Hadamard matrices due to de Launey [29] and Brock [7], respectively. We now give
one specific function of the type of Theorem 48.
Example 49. Let $p$ be an odd prime, and let $a$ be a primitive root modulo $p^2$. Define $f$
as
$$f(x) = \begin{cases} h \pmod{p} & \text{if } x = a^h \text{ for some } h, \\ 0 & \text{otherwise.} \end{cases}$$
Then $f$ satisfies the conditions of Theorem 48 and has thus perfect nonlinearity.
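Theorem 47 and Example 49 can both be confirmed by tabulating, for every nonzero shift $a$, how often $f(x + a) - f(x)$ takes each value. The Python below is an added example, not code from the paper: it takes perfect nonlinearity to mean that each of the $p$ difference values occurs exactly $p^2/p = p$ times, picks the smallest primitive root modulo $p^2$ for Example 49, and uses hypothetical function names.

```python
def difference_counts(f, n, m):
    """counts[a][b] = |{x in Z_n : f(x + a) - f(x) = b in Z_m}| for a != 0."""
    table = [f(x) % m for x in range(n)]
    counts = {}
    for a in range(1, n):
        row = [0] * m
        for x in range(n):
            row[(table[(x + a) % n] - table[x]) % m] += 1
        counts[a] = row
    return counts

def is_perfect_nonlinear(f, n, m):
    """True when every value b is hit exactly n/m times for every a != 0."""
    return all(c * m == n
               for row in difference_counts(f, n, m).values() for c in row)

def theorem47(p):
    """f(h + j*p) = h*j mod p with 0 <= h, j <= p - 1."""
    return lambda x: (x % p) * (x // p) % p

def example49(p):
    """f(a**h) = h mod p for a primitive root a modulo p**2, f = 0 on non-units."""
    n, order = p * p, p * (p - 1)
    for a in range(2, n):
        log, x = {}, 1
        for h in range(order):
            log.setdefault(x, h % p)
            x = x * a % n
        if len(log) == order:        # powers of a cover all units: a is a primitive root
            return lambda y: log.get(y, 0)
    raise ValueError("no primitive root found; p must be an odd prime")

if __name__ == "__main__":
    for p in (3, 5, 7):
        n = p * p
        print(f"p={p}",
              f"Theorem 47: {is_perfect_nonlinear(theorem47(p), n, p)}",
              f"Example 49: {is_perfect_nonlinear(example49(p), n, p)}",
              f"x mod p (control): {is_perfect_nonlinear(lambda x: x % p, n, p)}")
```

The control $x \mapsto x \bmod p$ fails because its difference is the constant $a \bmod p$, so one value absorbs all $p^2$ inputs.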
7. Concluding remarks
In this paper we gave a well-rounded treatment of non-Boolean functions with
optimal nonlinearity. We generalized many known results, and introduced the
notion of difference partitions, and proved at nonlinearity. We presented several
open problems on highly nonlinear functions. It should be noted that functions with
optimal nonlinearity always correspond to certain subjects in combinatorics.
Acknowledgments
The authors thank the referees for their constructive comments and suggestions
that improved this paper. The authors are grateful to Harald Niederreiter and the
Institute for Mathematical Sciences at the National University of Singapore for
bringing them together for one month in the summer of 2001. Cunsheng Ding’s
research is supported by the Research Grants Council of the Hong Kong
Special Administration Region, China (Project No. HKUST6179/01E and
HKUST6173/03E).
References
[1] A.S. Ambrosimov, Properties of bent functions of q-valued logic over finite fields, Discrete Math.
Appl. 4 (4) (1994) 341–350.
[2] K.T. Arasu, J.A. Jedwab, S. Sehgal, New constructions of Menon difference sets, J. Combin. Theory
A 64 (1993) 329–336.
[3] T. Beth, C. Ding, On almost perfect nonlinear permutations, in: Advances in Cryptology—
Eurocrypt’ 93, Lecture Notes in Computer Science, Vol. 765, Springer, New York, 1994, pp. 65–76.
[4] T. Beth, D. Jungnickel, H. Lenz, Design Theory, Vol. 1, 2nd Edition, Cambridge University Press,
Cambridge, 1999.
[5] E. Biham, A. Shamir, Differential cryptanalysis of DES-like cryptosystems, J. Cryptology 4 (1) (1991)
3–72.
[6] B.W. Brock, Hermitian congruence and the existence and completion of generalized Hadamard
matrices, J. Combin. Theory A 49 (1988) 233–261.
[7] B.W. Brock, A new construction of circulant $GH(p^2; Z_p)$, Discrete Math. 112 (1993) 249–252.
[8] P. Camion, A. Canteaut, Construction of t-resilient functions over a finite alphabet, in: Advances in
Cryptology, EUROCRYPT’96, Lecture Notes in Computer Sciences, Vol. 1070, Springer, Berlin,
1996, pp. 283–293.
[9] P. Camion, A. Canteaut, Generalization of Siegenthaler inequality and Schnorr–Vaudenay
multipermutations, in: N. Koblitz (Ed.), Advances in Cryptology—CRYPTO’96, Lecture Notes in
Computer Science, Vol. 1109, Springer, Berlin, 1996, pp. 372–386.
[10] A. Canteaut, C. Carlet, P. Charpin, C. Fontaine, Propagation characteristics and correlation-immunity of highly nonlinear Boolean functions, in: Proceedings of Eurocrypt’00, Lecture Notes in
Computer Science, Vol. 1807, Springer, Berlin, 2000, pp. 507–520.
[11] A. Canteaut, P. Charpin, H. Dobbertin, Weight divisibility of cyclic codes, highly nonlinear functions
on $F_{2^m}$, and cross correlation of maximum-length sequences, SIAM J. Discrete Math. 13 (1) (2000)
105–138.
[12] C. Carlet, Two new classes of bent functions, in: Advances in Cryptology—Eurocrypt’93, Lecture
Notes in Computer Sciences, Vol. 765, Springer, Heidelberg, 1994, pp. 77–101.
[13] C. Carlet, A construction of bent functions, in: Finite Fields and Applications, London
Mathematical Society Lecture Notes Series 233, Cambridge University Press, Cambridge, 1996,
pp. 47–58.
[14] C. Carlet, Recent results on bent functions, in: Proceedings of the International Conference on
Combinatorics, Information Theory and Statistics, Portland, Maine, 1999, pp. 275–291.
[15] C. Carlet, On cryptographic propagation criteria for Boolean functions, Inform. and Comput. 151
(1999) 32–56.
[16] C. Carlet, S. Dubuc, On generalized bent and q-ary perfect nonlinear functions, in: D. Jungnickel, H.
Niederreiter (Eds.), Finite Fields and Applications, Proceedings of Fq5, Springer, Berlin, 2000,
pp. 81–94.
[17] C. Carlet, P. Guillot, An alternate characterization of the bentness of binary functions with
uniqueness, J. Combin. Theory A 76 (1996) 328–335.
[18] C. Carlet, P. Guillot, A characterization of binary bent functions, Designs, Codes and Cryptography
14 (1998) 130–140.
[19] C. Carlet, P. Guillot, A new characterization of Boolean functions, in: Proceedings of AAECC’13,
Hawaii, Lecture Notes in Computer Science, Vol. 1719, Springer, 1999, pp. 94–103.
[20] F. Chabaud, S. Vaudenay, Links between differential and linear cryptanalysis, in: Proceedings of
EUROCRYPT’94, Advances in Cryptology, Lecture Notes in Computer Science, Vol. 950, Springer,
Berlin, 1995, pp. 356–365.
[21] Y.Q. Chen, On the existence of abelian Hadamard difference sets and a new family of difference sets,
Finite Fields Appl. 3 (1997) 234–256.
[22] C.J. Colbourn, W. de Launey, Difference matrices, in: C. Colbourn, J.H. Dinitz (Eds.), Handbook of
Combinatorial Designs, CRC Press, New York, 1996, pp. 287–297 (Chapter IV.11).
[23] R.S. Coulter, R. Matthews, Planar functions and planes of the Lenz–Barlotti class II, Designs, Codes
and Cryptography 10 (1997) 165–195.
[24] T.W. Cusick, C. Ding, A. Renvall, Stream Ciphers and Number Theory, in: North-Holland
Mathematical Library, Vol. 55, North-Holland/Elsevier, Amsterdam, 1998.
[25] T.W. Cusick, H. Dobbertin, Some new 3-valued cross correlation functions of binary sequences,
IEEE Trans. Inform. Theory 42 (1996) 1238–1240.
[26] J.A. Davis, Almost difference sets and reversible difference sets, Arch. Math. 59 (1992) 595–602.
[27] W. de Launey, Square GBRDs over non-abelian groups, Ars Combin. 27 (1989) 40–49.
[28] W. de Launey, Generalized Hadamard matrices which are developed modulo a group, Discrete Math.
104 (1992) 49–65.
[29] W. de Launey, Circulant $GH(p^2; Z_p)$ exist for all primes $p$, Graphs Combin. 8 (1992) 317–321.
[30] J.F. Dillon, Elementary Hadamard Difference sets, Ph.D. Thesis, University of Maryland, 1974.
[31] J.F. Dillon, Multiplicative difference sets via additive characters, Designs, Codes and Cryptography
17 (1999) 225–235.
[32] J.F. Dillon, H. Dobbertin, Cyclic difference sets with Singer parameters, Manuscript, 1999.
[33] C. Ding, Binary cyclotomic generators, in: B. Preneel (Ed.), Fast Software Encryption, Lecture Notes
in Computer Science, Vol. 1008, Springer, New York, 1995, pp. 29–60.
[34] C. Ding, Cryptographic counter generators, TUCS Dissertations 4, Turku Centre for Computer
Science, Turku, Painosalama Oy, 1997.
[35] C. Ding, T. Helleseth, K.Y. Lam, Several classes of binary sequences with three-level autocorrelation,
IEEE Trans. Inform. Theory 45 (7) (1999) 2601–2606.
[36] C. Ding, T. Helleseth, H.M. Martinsen, New families of binary sequences with optimal three-level
autocorrelation, IEEE Trans. Inform. Theory 47 (1) (2001) 428–433.
[37] H. Dobbertin, Construction of bent functions and balanced Boolean functions with high
nonlinearity, in: B. Preneel (Ed.), Fast Software Encryption, Lecture Notes in Computer Science,
Vol. 1008, Springer, Heidelberg, 1995, pp. 61–74.
[38] H. Dobbertin, One-to-one highly nonlinear functions on finite fields with characteristic 2, Appl.
Algebra Eng. Comm. Comput. 9 (1998) 139–152.
[39] H. Dobbertin, Almost perfect nonlinear power functions on $GF(2^n)$: the Welch case, IEEE Trans.
Inform. Theory 45 (1999) 1271–1275.
[40] H. Dobbertin, Almost perfect nonlinear power functions on $GF(2^n)$: the Niho case, Inform. and
Comput. 151 (1999) 57–72.
[41] R. Gold, Maximal recursive sequences with 3-valued recursive cross correlation functions, IEEE
Trans. Inform. Theory 14 (1968) 154–156.
[42] B. Gordon, W.H. Mills, L.R. Welch, Some new difference sets, Canad. J. Math. 14 (1962) 614–625.
[43] A.R. Hammons Jr., P.V. Kumar, A.R. Calderbank, N.J.A. Sloane, P. Solé, The $Z_4$-linearity of
Kerdock, Preparata, Goethals and related codes, IEEE Trans. Inform. Theory 40 (2) (1994) 301–319.
[44] T. Helleseth, C. Rong, D. Sandberg, New families of almost perfect nonlinear power mappings, IEEE
Trans. Inform. Theory 45 (2) (1999) 475–485.
[45] T. Helleseth, D. Sandberg, Some power mappings with low differential uniformity, Applicable
Algebra Eng. Comm. Computing 8 (1997) 363–370.
[46] E. Hewitt, K. Ross, Abstract Harmonic Analysis, Springer, Heidelberg, 1970.
[47] X.D. Hou, q-ary bent functions constructed from chain rings, Finite Fields Appl. 4 (1998) 55–61.
[48] X.D. Hou, Bent functions, Partial difference sets, and quasi-Frobenius local rings, Designs, Codes
and Cryptography 20 (2000) 251–268.
[49] X.D. Hou, P. Langevin, Results on bent functions, J. Combin. Theory A 80 (1997) 232–246.
[50] H. Janwa, R. Wilson, Hyperplane sections of Fermat varieties in $P^3$ in char. 2 and some applications
to cyclic codes, in: Proceedings AAECC-10, Lecture Notes in Computer Science, Vol. 673, Springer,
Berlin, 1993, pp. 180–194.
[51] D. Jungnickel, Difference sets, in: J. Dinitz, D.R. Stinson (Eds.), Contemporary Design Theory: A
Collection of Surveys, Wiley, New York, 1992.
[52] D. Jungnickel, A. Pott, Perfect and almost perfect sequences, Discrete Appl. Math. 95 (1999)
331–359.
[53] D. Jungnickel, A. Pott, Difference sets: an introduction, in: A. Pott, P.V. Kumar, T. Helleseth, D.
Jungnickel (Eds.), Difference Sets, Sequences and their Correlation Properties, Kluwer, Amsterdam,
1999, pp. 259–295.
[54] T. Kasami, The weight enumerators for several classes of subcodes of the second order binary
Reed-Muller codes, Inform. and Control 18 (1971) 369–394.
[55] A.M. Kerdock, A class of low-rate nonlinear codes, Inform. and Control 20 (1972) 182–187.
[56] R.G. Kraemer, Proof of a conjecture on Hadamard 2-groups, J. Combin. Theory A 63 (1993) 1–10.
[57] P.V. Kumar, R.A. Scholtz, L.R. Welch, Generalized bent functions and their properties, J. Combin.
Theory A 40 (1985) 90–107.
[58] G. Lachaud, J. Wolfmann, The weights of the orthogonal of the extended quadratic binary Goppa
codes, IEEE Trans. Inform. Theory 36 (1990) 686–692.
[59] A. Lempel, M. Cohn, W.L. Eastman, A class of binary sequences with optimal autocorrelation
properties, IEEE Trans. Inform. Theory 23 (1) (1977) 38–42.
[60] O.A. Logachev, A.A. Salnikov, V.V. Yashchenko, Bent functions on a finite Abelian group, Discrete
Math. Appl. 7 (6) (1997) 547–564.
[61] F.J. MacWilliams, N.J.A. Sloane, The Theory of Error-Correcting Codes, North-Holland,
Amsterdam, 1977.
[62] A. Maschietti, Difference sets and hyperovals, Designs, Codes and Cryptography 14 (1998) 89–98.
[63] M. Matsui, Linear cryptanalysis method for DES cipher, in: Advances in
Cryptology—EUROCRYPT’93, Lecture Notes in Computer Science, Vol. 765, Springer, Berlin,
1994, pp. 386–397.
[64] A. Menezes, P. van Oorschot, S. Vanstone, Handbook of Applied Cryptography, CRC Press Series
on Discrete Mathematics and Its Applications, CRC Press, Boca Raton, 1996.
[65] J.-S. No, S.W. Golomb, G. Gong, H.-K. Lee, P. Gaal, Binary pseudorandom sequences of period
$2^m - 1$ with ideal autocorrelation generated by the polynomial $z^d + (z + 1)^d$, IEEE Trans. Inform.
Theory 44 (3) (1998) 1278–1282.
[66] K. Nyberg, Perfect non-linear S-boxes, in: Advances in Cryptology, EUROCRYPT’91, Lecture
Notes in Computer Science, Vol. 547, Springer, Berlin, 1992, pp. 378–386.
[67] K. Nyberg, Differentially uniform mappings for cryptography, in: Advances in Cryptography—
Eurocrypt’93, Lecture Notes in Computer Science, Vol. 765, Springer, New York, 1994, pp. 55–64.
[68] J.D. Olsen, R.A. Scholtz, L.R. Welch, Bent function sequences, IEEE Trans. Inform. Theory 28 (6)
(1982) 858–864.
[69] V.S. Pless, W.C. Huffman, Handbook of Coding Theory, Elsevier, Amsterdam, 1998.
[70] A. Pott, Finite Geometry and Character Theory, in: Lecture Notes in Mathematics, Vol. 1601,
Springer, Berlin, 1995.
[71] O.S. Rothaus, On bent functions, J. Combin. Theory A 20 (1976) 300–305.
[72] T. Storer, Cyclotomy and Difference Sets, Markham, Chicago, 1967.
[73] T.W. Tze, S. Chanson, C. Ding, T. Helleseth, M. Parker, Logarithm authentication codes, Inform.
and Comput. 184 (2003) 93–108.
[74] R.J. Turyn, A special class of Williamson matrices and difference sets, J. Combin. Theory A 36 (1984)
111–115.
[75] J. Wolfmann, Bent functions and coding theory, in: A. Pott, P.V. Kumar, T. Helleseth, D. Jungnickel
(Eds.), Difference Sets, Sequences and their Correlation Properties, Kluwer, Amsterdam, 1999,
pp. 393–417.
[76] M. Xia, Some infinite class of Williamson matrices and difference sets, J. Combin. Theory A 61 (1992)
230–242.
[77] Q. Xiang, Recent results on difference sets with classical parameters, in: A. Pott, P.V. Kumar, T.
Helleseth, D. Jungnickel (Eds.), Difference Sets, Sequences and their Correlation Properties, Kluwer,
Amsterdam, 1999, pp. 419–434.
Further reading
R. Lidl, H. Niederreiter, Finite Fields, Encyclopedia of Mathematics and its Applications, Vol. 20,
Addison-Wesley, Reading, MA, 1983.