On weak and strong 2 -bent Boolean functions

On weak and strong 2k -bent Boolean functions Pantelimon St˘anic˘a Department of Applied Mathematics Naval Postgraduate School Monterey, CA 93943-5212, U.S.A.; Email: [email protected]

August 5, 2015

Abstract In this paper we introduce a sequence of discrete Fourier transforms and define new versions of bent functions, which we shall call (weak, strong) octa/hexa/2k -bent functions. We investigate relationships between these classes and completely characterize the octabent and hexabent functions in terms of bent functions.

Keywords: Boolean functions, Walsh-Hadamard transforms, bent, negabent, octabent, hexabent functions.

1

Introduction

Let F2 be the prime field of characteristic 2 and let Vn := Fn2 is the ndimensional vector space over F2 . A function from Fn2 to F2 is called a Boolean function on n variables. We denote the set of all Boolean functions by Bn . The set of integers, real numbers and complex numbers are denoted by Z, R and C respectively. The addition over Z, R and C is denoted by ‘+’. The addition over Vn for all n ≥ 1, is denoted by ⊕. If x = (x1 , . . . , xn ) and y = (y1 , . . . , yn ) are two elements of Vn we define the scalar (or inner) product, by x · y = x1 y1 ⊕ x2 y2 ⊕ · · · ⊕ xn yn .

We define the scalar/inner product x y in C × C in the same way, although the sum is over C. We define the intersection of two vectors x, y in some vector space by x ? y = (x1 y1 , x2 y2 , . . . , xn yn ). √ If z = a + b i ∈ C, then |z|= a2 + b2 denotes the absolute value of z, and z = a − b i denotes the complex conjugate of z, where i2 = −1, and a, b ∈ R. An important tool in the analysis of Boolean functions is the discrete Fourier transform, known in Boolean function literature, as Walsh, Hadamard, or Walsh–Hadamard transform, which we define next n X (−1)f (x)⊕u·x . Wf (u) = 2− 2 x∈Vn

Any f ∈ Bn can be expressed in algebraic normal form (ANF) as ! n M Y f (x1 , x2 , . . . , xn ) = ca xai i , ca ∈ F2 . a=(a1 ,...,an )∈Vn

i=1

The character (sign) form of some binary vector x = (x1 , . . . , xn ) is (−1)x = ((−1)x1 , . . . , (−1)xn ). The character form of a function is the character form of its truth table (output values). The (Hamming) weight of x ∈ Vn P is wt(x) := ni=1 xi . The algebraic degree of f , deg(f ) := maxa∈Vn {wt(a) : ca 6= 0}. Boolean functions having algebraic degree at most 1 are said to be affine functions. For any two functions f, g ∈ Bn , we define the (Hamming) distance d(f, g) = |{x : f (x) 6= g(x), x ∈ F2n }|= wt(f ⊕ g). The maximum nonlinearity of a Boolean function f ∈ Bn defined by nl(f ) = max{d(f, `) | ` ∈ An , the affine functions in n variables} known to be equal to nl(f ) = 2n−1 − 12 maxu |Wf (u)| is achieved when the maximum absolute value in the Walsh spectrum is minimized. For even n, such functions are known as bent functions [10] and the magnitudes of all the Walsh values in the spectrum is constant, that is, if |Wf (u)|= 1 for all u ∈ Vn . If f is bent, then for every u ∈ Vn , we have Wf (u) = ±1 = (−1)g(u) , for some function g, which is also bent and called the dual of f . A function f ∈ √ Bn is called semibent, if the Walsh transform of f takes the values {0, ± 2}, when n is odd, or {0, ±2}, even. P when n isf (x)⊕g(x⊕z) The sum Cf,g (z) = is the crosscorrelation of f x∈Vn (−1) and g at z. The autocorrelation of f ∈ Bn at u ∈ Vn is Cf,f (u) above, which we denote by Cf (u). It is known [3] that a function f ∈ Bn is bent if and only if Cf (u) = 0 for all u 6= 0. 2

We refer to Carlet [1, 2], and Cusick and St˘anic˘a [3] for more on Boolean functions. Another transformation on Boolean functions was introduced by Rierra and Parker [9] (see also [7, 11]), and dubbed nega–Hadamard transform of f ∈P Vn at any vector u ∈ Vn as the complex valued function Nf (u) = −n f (x)⊕u·x iwt(x) . A function is said to be negabent if the nega– 2 2 x∈Vn (−1) Hadamard transform is flat in P absolute value, namely |Nf (u)|= 1 for all f (x)+g(x⊕z) (−1)x·z is the nega– u ∈ Vn . The sum Cf,g (z) = x∈Vn (−1) crosscorrelation P of f and g at z, and the nega–autocorrelation of f at u ∈ Vn is Cf (u) = x∈Vn (−1)f (x)⊕f (x⊕u) (−1)x·u . 2π i

Let ζ2k = e 2k be a 2k -complex root of 1. In this paper we introduce yet an entire sequence of transforms, which we call 2k -Hadamard transform as the complex valued function n X wt(x) (2k ) (−1)f (x)⊕u·x ζ2k . Hf (u) = 2− 2 x∈Vn

Certainly, if k = 1, 2, and so, ζ2 = −1, ζ4 = i, we get the Walsh-Hadamard, 2πi respectively, the nega-Hadamard √ √transforms. If k = 3, 4, and so, ζ8 = e 8 = 2πi

√

√

2 2 + i 2− , then we shall call the correspondζ16 = e 16 = 2+ 2 2 ing transforms, the octa-Hadamard transform, respectively, hexa-Hadamard transform and denote them by Of (u), respectively, Xf (u). The 2k -crosscorrelation of f, g, respectively, 2k -autocorrelation of f are defined by X (2k ) Cf,g (u) = (−1)f (x)⊕g(x⊕z) µx z , 1+i √ , 2

x∈Vn (2k ) Cf (u)

=

X

(−1)f (x)⊕f (x⊕z) µx z ,

x∈Vn

where µ = ζ 2 is a 2k−1 complex root of 1 (recall the scalar product x z is computed over Z). When k is fixed we shall use Cf,g , Cf , instead. We call a function octabent, hexabent, and in general 2k -bent if and only if the octa-Hadamard, hexa-Hadamard, respectively, 2k -Hadamard transform (2k ) are flat in absolute value, that is, |Of (u)|= 1, |Xf (u)|= 1, |Hf (u)|= 1, for all u ∈ Vn . Since it is relevant below, we call a function g a strong 2k -bent function if and only if g is 2` -bent for all ` ≤ k. Also, a function f is a weak 2k -bent function if and only if f ⊕ s2k−1 is a strong 2k−1 -bent function. In this paper, we will give some of the properties of the transform and we will investigate functions that are both bent, octabent, hexabent and 3

in general 2k -bent. In the case of octabent and hexabent, we will find a necessary and sufficient condition in terms of “lower-ladder” level of such functions.

2

Properties of the 2k -Hadamard transform

Certainly, such transforms to be of any use, they have to be invertible. Lemma 1. Let f ∈ Bn . Then n

−wt(y)

(−1)f (y) = 2− 2 ζ2k

X

(2k )

Hf

(u)(−1)y·u .

(1)

u∈Vn

Proof. We have (let δ0 (x) be the Dirac symbol, which is 1 at x = 0 and 0, elsewhere), X X n X wt(x) (2k ) (−1)f (x)⊕u·x ζ2k (−1)y·u Hf (u)(−1)y·u =2−n 2− 2 u∈Vn x∈Vn

u∈Vn

=2−n

X X

wt(x)

(−1)f (x)⊕u·x ζ2k

(−1)y·u

x∈Vn u∈Vn

=2

−n

wt(x)

X

(−1)f (x) ζ2k

x∈Vn −n

=2

X

(−1)u·(x⊕y)

u∈Vn wt(x) (−1)f (x) ζ2k 2n δ0 (x

X

⊕ y)

x∈Vn wt(y)

=(−1)f (y) ζ2k

,

and the lemma is shown. As in [11], we next prove a theorem that gives the 2k -Hadamard transform of various combinations of Boolean functions. For easy writing, when (2k ) k is fixed, we shall use Hf instead of Hf . We will make use throughout of the well-known identity (see [5]) wt(x ⊕ y) = wt(x) + wt(y) − 2wt(x ? y). Theorem 2. Let f, g, h be in Bn , ζ = e The following statements are true:

2πi 2k

and ω = e

πi 2k

(2)

a square root of ζ.

(i) If `a,c (x) = a · x ⊕ c is affine (a ∈ Vn , c ∈ F2 ), then Hf ⊕`a,c (u) = (−1)c Hf (a ⊕ u). Moreover,   π n   π wt(a⊕u) H`a,c (u) = (−1)c 2n cos k −i tan k ω n−2wt(a⊕u) . 2 2

4

(ii) If h(x) = f (x) ⊕ g(x) on Fn2 , then for u ∈ Fn2 , X X Hh (u) = 2−n/2 Hf (v)Wg (u ⊕ v) = 2−n/2 Wf (v)Hg (u ⊕ v). v∈Fn 2

v∈Fn 2

(iii) If h(x) = f (Ox), then Hh (u) = ζ wt(a) Hf (Ou), where O is an n × n orthogonal matrix over F2 (and so, OT O = In ). (iv) If h(x, y) = f (x) ⊕ g(y), x, y ∈ Fn2 , then Hf ⊕g (u, v) = Hf (u)Hg (v). (v) If f ∈ Bn , g ∈ Bm , and h(x, y) = f (x)g(y), then 2k/2 Hh (u, v) = Hf (u)Ag1 (v) + ω n ζ −wt(u) Ag0 (v),   π m   π wt(v) Ag1 (v) + Ag0 (v) = (−1)c 2m cos k −i tan k ω m−2wt(v) , 2 2 P P where Ag0 (v) = y,g(y)=0 (−1)y·v ζ wt(v) , Ag1 (v) = y,g(y)=1 (−1)y·v ζ wt(v) .

n Moreover, if k = 1, then 21/2 Hyf (x) (u, v) = (−1)v ζ Hf (u)+2n/2 cos 2πk

wt(u) n−2wt(u) 1/2 −i tan 2πk ω , 2 H(y⊕1)f (x) (u, v) = Hf (u)+2n/2 (−1)v ζ



n wt(u) n−2wt(u) cos 2πk −i tan 2πk ω . Proof. To show (i), write Hf ⊕`a,c (u) =

X

(−1)f (x)⊕`a,c (x)⊕x·u ζ wt(x)

x∈Vn

= (−1)c

X

(−1)f (x)⊕x·(a⊕u) ζ wt(x)

x∈Vn c

= (−1) Hf (a ⊕ u). 2πi

πi

Next, for ζ = e 2k and ω = e 2k a square root of ζ, then  π   π  1 + ζ = 1 + cos k−1 + i sin k−1  π2  π 2 π 2 = 2 cos + 2i sin cos k 2k  2k  π2  πi π = 2 cos k e 2k = 2 cos k ω, 2π   π 2 π 2 1 − ζ = 2 sin − 2i sin cos 2k  2k 2k  π = −2i sin k ω −1 , 2 5

 
b b so, 1 + (−1)b ζ = 2 cos α2 − ω 1−(−1) ω (−1) . 2 Let f = 0. Then, with notations a = (a1 , . . . , an ), u = (u1 , . . . , un ), and for easy writing, bi := ai ⊕ ui , 1 ≤ i ≤ n, we write X H`a,c (u) = (−1)c (−1)x·(a⊕u) ζ wt(x) = (−1)c

x∈Vn n  Y

1 + ζ(−1)bk



k=1 c

= (−1)

Y

Y

(1 + ζ)

bk =0

(1 − ζ)

bk =1

  π n−wt(a⊕u) ω n−wt(a⊕u) = (−1)c 2 cos k 2   π wt(a⊕u) ω −wt(a⊕u) · −2i sin k 2   π n   π wt(a⊕u) = (−1)c 2n cos k −i tan k ω n−2wt(a⊕u) . 2 2 Next, we show (ii). We write X X Hf (v)Wg (u ⊕ v) = 2−n (−1)f (y)⊕g(z)⊕v·(y⊕z)⊕u·z ζ wt(y) v∈Vn

v,y,z∈Vn

= 2

X

−n

(−1)f (y)⊕g(z)⊕u·z ζ wt(y)

y,z∈Vn

X

=

X

(−1)v·(y⊕z)

v∈Vn

f (y)⊕g(y)⊕u·y

(−1)

ζ

wt(y)

n/2

=2

Hf ⊕g (u).

y∈Vn

The second identity is similar. For (iii) we use a similar argument as in [11], and get X X Hh (u) = 2−n/2 (−1)h(y)⊕u·y ζ wt(y) = 2−n/2 (−1)f (Oy)⊕u·y ζ wt(y) y

= 2

X

−n/2

y f (z)⊕u·OT z wt(OT z)

(−1)

ζ

z

X

= 2−n/2

(−1)f (z)⊕Ou·z ζ wt(z)

z

= 2

−n/2 wt(a)

= ζ

wt(a)

ζ

X (−1)f (z)⊕(Ou)·z ζ wt(z) z

Hf (Ou), 6

since wt(OT z) = (OT z)T (OT z) = zT (OOT )z = zT z = wt(z). Claim (iv) is straightforward, and for claim (v), exactly as in [11] for the nega-Hadamard transform, we see that X (−1)f (x)g(y)⊕x·u⊕y·v ζ wt(x)+wt(y) 2(n+m)/2 Hh (u, v) = (x,y)∈Fn+k 2

X

=

(−1)y·v ζ wt(y)

x

y,g(y)=1

X

+

X (−1)f (x)⊕x·u ζ wt(x)

(−1)y·v ζ wt(y)

(−1)x·u ζ wt(x)

x

y,g(y)=0

X

= 2n/2 Hf (u)

X

  π n (−1)y·v ζ wt(y) + 2n cos k 2

y,g(y)=1



· −i tan

 π wt(u) 2k

X

ω n−2wt(u)

(−1)y·v ζ wt(y) ,

y,g(y)=0

from which we obtain the claim. In particular, for m = 1, if g(y) = y, then Ag0 (v) = 1, Ag1 (v) = (−1)v ζ, and if g(y) = y ⊕ 1, then Ag1 (v) = 1, Ag0 (v) = (−1)v ζ, and so the claim follows. Theorem 3. Let f, g ∈ Bn . The 2k -crosscorrelation of f, g is X (2k ) Cf,g (z) = ζ wt(z) Hf (u)Hg (u)(−1)u·z . u∈Vn

Furthermore, the

2k -Parseval

identity holds X |Hf (u)|2 = 2n .

u∈Vn

2k -bent

Moreover, f is

if and only if Cf (u) =, for all u 6= 0.

Proof. Using [3, Lemma 2.6] and identity (2), we write X ζ wt(z) Hf (u)Hg (u)(−1)u·z u∈Vn

X

−n

=2

(−1)f (x)⊕g(y) ζ wt(x)+wt(z)−wt(y)

x,y∈Vn

=

X

u∈Vn

(−1)f (x)⊕g(x⊕z) ζ 2wt(x?z)

x,y∈Vn

=

X

X

(2k )

(−1)f (x)⊕g(x⊕z) µx z = Cf,g (z).

x∈Vn

7

(−1)u·(x⊕y⊕z)

If f = g, then we get (2k )

Cf

(z) =

X

(−1)f (u)⊕f (u⊕z) µu z = ζ wt(z)

u∈Vn

X

|Hf (u)|2 (−1)u·z ,

u∈Vn

and by replacing z = 0, then we get the 2k -Parseval identity. The last claim is also implied by the previous identity.

3

Complete characterization of octabent and hexabent Boolean functions

Lemma 4. Let z be a complex number. If s ∈ Z2 , then zs =

1 + (−1)s 1 − (−1)s + z. 2 2

(3)

Proof. The claim is a straightforward computation going through the cases s = 0, 1. Throughout the paper, we let s1 (x) =

n M

xi ,

s2 (x) =

M

M

i=1

s3 (x) =

M

xi xj ,

1≤i<j≤n

xi xj xk ,

s4 (x) =

1≤i<j