Permutation equivalence of cubic rotation symmetric Boolean functions

Thomas W. Cusick ∗
University at Buffalo, 244 Mathematics Bldg., Buffalo, NY 14260
21 August 2014

Abstract

Rotation symmetric Boolean functions have been extensively studied for about 15 years because of their applications in cryptography and coding theory. Until recently little was known about the basic question of when two such functions are affine equivalent. The simplest case of quadratic rotation symmetric functions which are generated by cyclic permutations of the variables in a single monomial was only settled in 2009. For the much more complicated case of cubic rotation symmetric functions generated by a single monomial, the affine equivalence classes under permutations which preserve rotation symmetry were determined in 2011. It was conjectured then that the cubic equivalence classes are the same if all nonsingular affine transformations, not just permutations, are allowed. This conjecture is probably difficult, but here we take a step towards it by proving that the cubic affine equivalence classes found in 2011 are the same if all permutations, not just those preserving rotation symmetry, are allowed. The needed new idea uses the theory of circulant matrices.

Keywords: Boolean functions, rotation symmetry, affine equivalence, equivalence class, circulant matrix

2000 AMS Subject Classifications: 94C10; 94A15; 06E30

1 Introduction

∗ email: [email protected]. This article is published in International J. of Computer Math. 92 (2015), 1568-1573, DOI 10.1080/00207160.2014.964693

Boolean functions have a variety of applications in the field of cryptography, a thorough overview of which can be found in [5, 10]. A Boolean function in n variables can be defined as a map from V_n, the n-dimensional vector space over the two element field F_2, to F_2. If f is a Boolean function in n variables, the truth table of f is defined to be the 2^n-tuple given by (f(v_0), f(v_1), …, f(v_{2^n−1})) where v_0 = (0, …, 0, 0), v_1 = (0, …, 0, 1), …, v_{2^n−1} = (1, …, 1, 1) are the 2^n elements of V_n listed in lexicographical order. The weight or Hamming weight of f (notation wt(f)) is the number of 1's that appear in the truth table for f. As described in [10, pp. 5–6], every Boolean function on V_n can be expressed as a polynomial over F_2 in n binary variables by:

$$f(x_1, \ldots, x_n) = \sum_{a \in V_n} c_a\, x_1^{a_1} \cdots x_n^{a_n}$$

where c_a ∈ F_2 and a = (a_1, …, a_n) with each a_i equal to 0 or 1. The above representation is called the algebraic normal form (ANF) of f. Let d_i be the number of variables in the i-th monomial of f, so d_i is the algebraic degree (or just the degree) of the monomial. If we let D be the set of the distinct degrees of the monomials in f which have non-zero coefficients, then the degree of f is given by max(D). If D contains only one element, then each monomial in f has the same degree and f is said to be homogeneous. If the degree of f is 1, then f is said to be affine, and if f is affine and homogeneous (i.e. the constant term is 0), f is said to be linear.

A Boolean function f is said to be rotation symmetric if its ANF is invariant under any power of the cyclic permutation ρ(x_1, …, x_n) = (x_n, x_1, …, x_{n−1}). Rotation symmetric functions have proven to be very useful in several areas of cryptography (for references, see [10, pp. 108 - 118]). This has led to many papers which study different aspects of the theory of rotation symmetric functions. Some relevant papers are [12, 13, 18, 21]. In particular, [13] gives some applications of rotation symmetric functions in coding theory and the importance of rotation symmetric functions for cryptographic hashing is explained in [18]. Also, it turns out that the functions in the important papers [16, 17] on Reed-Muller codes are rotation symmetric.

A cubic rotation symmetric function is said to be monomial rotation symmetric (MRS) if it is generated by applying any power of ρ to a single monomial. If such a function f has n variables x_1, x_2, …, x_n, then, using x = (x_1, …, x_n), the function can be written in the form

$$f(x) = x_1 x_j x_k + x_2 x_{j+1} x_{k+1} + \cdots + x_n x_{j-1} x_{k-1}, \qquad (1)$$

where j and k are distinct integers > 1. Unless otherwise specified, all subscripts in given monomials will be taken Mod(n) (where the capital Mod notation i Mod(n) indicates that i is reduced modulo n and i ∈ {1, 2, …, n}). We shall use the notation (1, j, k) for the function f(x) in (1), no matter how the terms on the right-hand side are written (so the order of the terms, and of the 3 variables in each term, does not matter). This means that a given function may not have a unique representation in the form (1, j, k). For instance, if x_1 appears in exactly 3 of the monomials in any representation (1) of f(x), then any of these monomials could be used in a representation (1, j, k). We shall call these monomials the 1-terms of f. If n is divisible by 3, the function (1, n/3 + 1, 2n/3 + 1) is exceptional because then the representation (1) has only n/3 distinct terms, and the duplicate terms cancel out. We shall call this special function the short cubic function as in [6, p. 5070]. This is clearly the only situation in which x_1 does not appear in exactly 3 of the monomials in (1).

We say a permutation σ of the n variables in a function preserves rotation symmetry if, given any MRS function f in n variables, f ∘ σ is also rotation symmetric. As in [6], if f = (1, r, s), we shall sometimes use the convenient notation σ((1, r, s)) or σ(f) instead of f ∘ σ.

Two Boolean functions f and g in n variables are said to be affine equivalent (or, for brevity, equivalent) if there exists an invertible matrix A with entries in F_2 and b ∈ V_n such that f(x) = g(Ax ⊕ b). Similarly, the functions are said to be permutation equivalent if there exists a permutation of the variables which maps one function to the other; clearly this is equivalent to affine equivalence with a permutation matrix A, that is a matrix with a single entry 1 in each row and each column, and all entries 0 elsewhere. Permutation equivalence is called S-equivalence in [4].

In general, determining whether or not two Boolean functions are equivalent is difficult, even in the simplest cases. Recently, however, much work has been done on affine equivalence of MRS functions (see [4, 2, 3, 6, 7, 8, 14]). In particular, [14] determines all of the equivalence classes for quadratic MRS functions and [6] determines all of the equivalence classes under permutations which preserve rotation symmetry for the cubic MRS functions. The latter work is extended to quartic MRS functions in [8]. In [4] a new approach to the determination of the equivalence classes under all permutations is given, based on results for circulant matrices in [20]. We remind the reader that a circulant matrix is a square matrix in which each row vector is cyclically rotated one entry to the right relative to the row vector above (so a circulant matrix always has identical entries in its main diagonal).
In this paper we prove that, for cubic MRS functions, the equivalence classes under permutations which preserve rotation symmetry are the same as the equivalence classes under all permutations. This is a first step toward a much stronger conjecture made in [6, Remark 3.9], as we explain in detail in Section 4. The conjecture is also stated in the Abstract above.
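The definitions of this section (ANF, truth table, weight, rotation symmetry, the (1, j, k) names, 1-terms and the short cubic function) can be modelled in a few lines. The following is an added example, not code from the paper: it represents an MRS function as the set of monomials that survive the F_2 cancellation in (1), checks invariance under ρ, lists the (1, j, k) names of a cubic function from its 1-terms, and computes the truth table and weight. The function names (mrs, names, truth_table, weight) are my own; the sample parameters are the n = 5 identities (1, 3, 4) = (1, 3, 5) = (1, 2, 4) and the short cubic function for n = 6 that the paper mentions.

```python
# Added example (not part of the paper): cubic MRS functions (1, j, k) as sets of monomials,
# with the F_2 cancellation that produces the short cubic function, plus truth table and weight.
from collections import Counter
from itertools import product


def mod1(i, n):
    """Reduce i to {1, ..., n}, the paper's capital Mod(n)."""
    return (i - 1) % n + 1


def rho(monomial, n):
    """One cyclic shift of the variable indices in a monomial (a frozenset of indices)."""
    return frozenset(mod1(i + 1, n) for i in monomial)


def mrs(n, *idx):
    """The MRS function generated by x_{i_1} ... x_{i_d}: the sum (1) of all n rotations.
    Over F_2 a monomial occurring an even number of times cancels, so keep odd multiplicities
    (for the short cubic function each distinct term occurs 3 times and therefore survives)."""
    counts = Counter()
    m = frozenset(mod1(i, n) for i in idx)
    for _ in range(n):
        counts[m] += 1
        m = rho(m, n)
    return frozenset(t for t, c in counts.items() if c % 2)


def is_rotation_symmetric(terms, n):
    """ANF invariant under rho, hence under every power of rho."""
    return all(rho(t, n) in terms for t in terms)


def names(terms):
    """All (1, j, k) names of a cubic MRS function: one per 1-term (monomial containing x_1)."""
    return sorted(tuple(sorted(t)) for t in terms if 1 in t)


def evaluate(terms, x):
    """Evaluate the ANF at x = (x_1, ..., x_n) over F_2."""
    return sum(all(x[i - 1] for i in t) for t in terms) % 2


def truth_table(terms, n):
    """(f(v_0), ..., f(v_{2^n - 1})) with the v_i in lexicographic order, x_1 most significant."""
    return [evaluate(terms, x) for x in product((0, 1), repeat=n)]


def weight(terms, n):
    """wt(f): the number of 1's in the truth table."""
    return sum(truth_table(terms, n))


if __name__ == "__main__":
    f = mrs(5, 1, 3, 4)                       # constructed sample: n = 5, f = (1, 3, 4)
    print("names of f:", names(f))            # the three (1, j, k) representations of f
    print("short cubic, n = 6:", sorted(map(sorted, mrs(6, 1, 3, 5))))
    print("wt((1,2,3)) for n = 5:", weight(mrs(5, 1, 2, 3), 5))
```

The set representation is only correct because duplicates are counted modulo 2 first; using a plain set of rotations would be wrong for higher degrees whenever a monomial recurs an even number of times.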

2 Permutation equivalence for cubic MRS functions

The paper [20] studied circulant matrices whose entries are 0 and 1; we shall call such matrices binary circulant matrices. We also call vectors with entries 0 and 1 binary vectors, etc. The purpose of the paper was to prove that certain equivalence relations defined on the set of binary circulant matrices are the same, and then to give an application of these results to the Ádám Problem in graph theory. That problem is irrelevant to our work here, but an account of it can be found in [20, pp. 18-19] or [11]. The paper [4] shows that there is a connection between MRS functions and circulant matrices, and proves that this connection can be used to determine the permutation equivalence classes for many MRS functions of degree ≥ 3, including all of the cubic MRS functions, in any number of variables. We shall mainly confine ourselves to the cubic MRS functions.

Let C_n denote the set of all n × n circulant matrices. If the first row of an n × n circulant matrix C is (c_1, c_2, …, c_n), then we denote the matrix C by C(c_1, c_2, …, c_n). Following [4], we define a relation ∼ on the set C_n as follows: Let A_1 = C(a_1, …, a_n) and A_2 = C(b_1, …, b_n). Then A_1 ∼ A_2 if and only if (a_1, …, a_n) = ρ^k(b_1, …, b_n), for some k, 0 ≤ k ≤ n − 1. Clearly ∼ is an equivalence relation, and we denote the equivalence class of C(a_1, …, a_n) by ⟨C(a_1, …, a_n)⟩.

We shall also use the ∆ notations introduced in [4], but we replace that notation with δ, since ∆ has a different meaning in [20, p. 7]. Given a binary circulant matrix A = C(a_1, …, a_n), we define δ(A) = {i : a_i = 1} ⊆ {1, 2, …, n}, and we call this set the support index set for the matrix A. Clearly any matrix in the equivalence class ⟨C(a_1, …, a_n)⟩ has a support index set which is defined by a cyclic permutation of (a_1, …, a_n). Such a permutation is the same as Mod(n) addition of a given integer b to the set δ(A), and we shall use the notation δ(A) + b instead of (δ(A) + (b, b, …, b)) Mod(n). We use a similar notation for uδ(A) with gcd(u, n) = 1, instead of uδ(A) Mod(n). We also use the δ notation for binary vectors a = (a_1, …, a_n), where we define δ(a) = {i : a_i = 1} ⊆ {1, 2, …, n}. Thus we have δ(C(a)) = δ(a).

The following result, which is [20, Theorem 1.1, p. 2], is essential for our work below. To state the theorem, we need to define the weight of any binary circulant matrix C to be the number of 1's in any row.

Theorem 1. Let A, B be two n × n binary circulant matrices of weight at most 3 with support index sets δ(A) and δ(B), respectively. Then the following are equivalent:

1. There exist u, v Mod(n) such that gcd(u, n) = 1 and δ(A) = uδ(B) + v.
2. There are n × n permutation matrices P and Q such that A = PBQ.
3. There is an n × n permutation matrix P such that AA^T = P BB^T P^{−1}.
4. The complex matrices AA^T, BB^T are similar.

It is easy to prove that 1. ⇒ 2. ⇒ 3. ⇒ 4., but for the case of weight 3 the implication 2. ⇒ 1. is difficult. In order to prove this last implication (see [20, Section 4]), the eigenvalues of AA^T are used; clearly AA^T is a circulant matrix but it need not be binary and its eigenvalues are complex numbers. This explains the reference to complex matrices in 4. above.

If 2. in Theorem 1 holds, we say that the circulant matrices A and B are P-Q equivalent. We can extend this notion from circulant matrices to equivalence classes of MRS functions as follows [4, p. 10]. Given an MRS function f(x) of degree d in n variables generated by a monomial x_1 x_{i_2} ⋯ x_{i_d}, say, we define the corresponding circulant matrix equivalence class M_f to be ⟨C(a)⟩, where a is the binary vector with 1's in positions 1, i_2, …, i_d. Now we say that the matrix equivalence classes M_f and M_g are P-Q equivalent if there are matrices C_f in M_f and C_g in M_g such that C_f and C_g are P-Q equivalent. The second result which is essential for our work below is the following [4, Theorem 5.3, p. 10].

Theorem 2. Two MRS Boolean functions f, g in n variables are permutation equivalent if and only if their corresponding circulant matrix equivalence classes M_f and M_g are P-Q equivalent.

Now we can obtain our main theorem.

Theorem 3. Two cubic MRS functions f and g in n variables are in the same equivalence class under permutations which preserve rotation symmetry if and only if they are in the same equivalence class under all permutations.

Proof. The "only if" part of the theorem is trivial, so we need only consider the "if" part. Suppose that f is generated by the monomial x_1 x_p x_q and g is generated by the monomial x_1 x_r x_s. Define binary circulant matrices A_f = C(a) and A_g = C(b), where δ(a) = {1, p, q} and δ(b) = {1, r, s}. Let M_f and M_g be the corresponding circulant matrix equivalence classes. It is convenient to describe the connection of δ(a) and δ(b) with f, g, respectively, by saying that δ(a) and δ(b) give the monomials x_1 x_p x_q, x_1 x_r x_s, respectively.

First observe that applying a cyclic shift to the rows of A_f is the same as adding a constant v Mod(n) to δ(a). Next observe that if a = (a_1, …, a_n), we choose u with gcd(u, n) = 1, and we define a permutation matrix P from the permutation a_i → a_{ui}, 1 ≤ i ≤ n, then the circulant matrix C(Pa) is P-Q equivalent to A_f. (Note this is essentially 1. ⇒ 2. in Theorem 1.) Now assume that f and g are permutation equivalent.
By Theorem 2 the matrices A_f and A_g are P-Q equivalent and by Theorem 1 there exist integers u and v with gcd(u, n) = 1 such that

$$\delta(a) = u\,\delta(b) + v. \qquad (2)$$

By our observations above, if we define k by ku ≡ 1 mod n, then (2) implies the existence of a permutation σ given by

$$\sigma(i) = (k + i - 1)u \ \mathrm{Mod}(n) = u(i - 1) + 1, \quad 1 \le i \le n \qquad (3)$$

such that δ(a) and σ(δ(b)) both give 1-terms (see Introduction) of f. Permutation σ is obtained from the permutation a_i → a_{ui}, 1 ≤ i ≤ n by a cyclic shift of appropriate length, which, using (2), gives σ(1) = 1. By the permutation equivalence of f and g, we must have x_1 x_{σ(r)} x_{σ(s)} equal to one of the 1-terms of f. If we extend σ in the obvious way to a permutation of the n variables x_i, then it is clear from (3) that σ maps every monomial in g to a unique monomial in f, so we have σ((1, r, s)) = (1, p, q), that is σ(g) = f. This construction of the permutation σ is essentially the same as the construction given in the proof of [6, Theorem 3.5]. It is also obvious from (3) that the permutation of variables defined by σ preserves rotation symmetry for all cubic MRS functions, so the theorem is proved.

We remark that it is proved in [6, Lemma 3.4, p. 5071] that every permutation σ which preserves rotation symmetry and fixes the index 1 has form (3) for some u with gcd(u, n) = 1. Of course the map δ in (2) also preserves rotation symmetry. The point in going from (2) to (3) is that we only need to consider a single convenient value of v, chosen so that σ fixes 1.

With respect to the last paragraph of the proof above, a referee points out that in [20] the n variables are indexed by 0, 1, …, n−1 instead of by 1, 2, …, n, as we have done in this paper. Using the former indexing, the notation becomes simpler if one chooses σ so as to fix 0, which is the additive identity, instead of 1, as is done in this paper. In particular, it turns out that with the former choice of indices and fixed index 0, in the second paragraph of the above proof we obtain [20, p. 4] that the circulant matrix C(Pa) is P-Q equivalent to A_f with Q = P^{−1}. This need not be true if we index with 1, 2, …, n with fixed index 1, as the following example, based on one given by the referee, shows.

Example. We take n = 5, δ(a) = {1, 3, 4}, u = 3, δ(b) = uδ(a) = {1, 2, 3}. Then we have A = PBQ:

$$
\begin{pmatrix}
1&0&1&1&0\\
0&1&0&1&1\\
1&0&1&0&1\\
1&1&0&1&0\\
0&1&1&0&1
\end{pmatrix}
=
\begin{pmatrix}
0&1&0&0&0\\
0&0&0&1&0\\
1&0&0&0&0\\
0&0&1&0&0\\
0&0&0&0&1
\end{pmatrix}
\begin{pmatrix}
1&1&1&0&0\\
0&1&1&1&0\\
0&0&1&1&1\\
1&0&0&1&1\\
1&1&0&0&1
\end{pmatrix}
\begin{pmatrix}
0&0&0&0&1\\
0&0&1&0&0\\
1&0&0&0&0\\
0&0&0&1&0\\
0&1&0&0&0
\end{pmatrix}
$$

but Q ≠ P^{−1}. In the proof of Theorem 3 this example corresponds to f = (1, 3, 4) = (1, 3, 5) = (1, 2, 4) and g = (1, 2, 3) = (1, 2, 5) = (1, 4, 5). In (2) we take u = 3 and v = 0, so (3) becomes σ(i) = 3i − 2. Now δ(a) = {1, 3, 4} gives the 1-term x_1 x_3 x_4 of f and σ(δ(b)) = {1, 4, 2} gives the 1-term x_1 x_2 x_4 of f.
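To make condition 1 of Theorem 1, the P-Q equivalence of Theorem 2, the permutation σ of (3) and the referee's n = 5 example concrete, here is an added Python model that is not part of the paper or of [4] or [20]. It searches for u, v with δ(a) = uδ(b) + v, builds σ(i) = u(i−1) + 1 Mod(n), checks that σ carries every monomial of g onto a monomial of f, groups the cubic MRS functions on n variables into permutation-equivalence classes with that criterion, and multiplies out A = PBQ for A = C(1,0,1,1,0), B = C(1,1,1,0,0). All function names are my own choices; the two permutation matrices hard-coded in referee_example are a pair I constructed that satisfies A = PBQ with Q ≠ P^{−1}, which is the property the example is about.

```python
# Added example (not from the paper): Theorem 1 item 1, the permutation sigma of (3),
# permutation-equivalence classes of cubic MRS functions, and the n = 5 referee example.
from math import gcd


def mod1(i, n):
    """Reduce i to {1, ..., n}, the paper's capital Mod(n)."""
    return (i - 1) % n + 1


def circulant(first_row):
    """C(c_1, ..., c_n): every row is the row above rotated one entry to the right."""
    n = len(first_row)
    return [[first_row[(j - i) % n] for j in range(n)] for i in range(n)]


def support(first_row):
    """delta(a) = {i : a_i = 1}, with 1-based indices."""
    return frozenset(i + 1 for i, c in enumerate(first_row) if c)


def perm_matrix(perm):
    """Permutation matrix with a 1 in row i, column perm[i] (perm is a dict on {1..n})."""
    n = len(perm)
    return [[1 if perm[i + 1] == j + 1 else 0 for j in range(n)] for i in range(n)]


def matmul(X, Y):
    n = len(X)
    return [[sum(X[i][k] * Y[k][j] for k in range(n)) for j in range(n)] for i in range(n)]


def affine_image(ds, u, v, n):
    """u*delta + v, reduced Mod(n) as in the paper's notation."""
    return frozenset(mod1(u * i + v, n) for i in ds)


def find_u_v(da, db, n):
    """Theorem 1, item 1: u, v with gcd(u, n) = 1 and delta(a) = u*delta(b) + v, or None."""
    for u in range(1, n + 1):
        if gcd(u, n) != 1:
            continue
        for v in range(n):
            if affine_image(db, u, v, n) == da:
                return u, v
    return None


def sigma(u, n):
    """The permutation (3): sigma(i) = u(i-1) + 1 Mod(n); it fixes 1."""
    return {i: mod1(u * (i - 1) + 1, n) for i in range(1, n + 1)}


def orbit(n, idx):
    """The cubic MRS function generated by the monomial with indices idx, as the set of its
    distinct rotations (for weight 3 this is exactly the ANF, short cubic case included)."""
    return frozenset(frozenset(mod1(i + t, n) for i in idx) for t in range(n))


def apply_perm(terms, perm):
    return frozenset(frozenset(perm[i] for i in t) for t in terms)


def equivalence_perm(n, f_idx, g_idx):
    """Theorem 3 in action: a rotation-symmetry-preserving sigma with sigma(g) = f, or None."""
    uv = find_u_v(frozenset(f_idx), frozenset(g_idx), n)
    if uv is None:
        return None
    s = sigma(uv[0], n)
    if apply_perm(orbit(n, g_idx), s) != orbit(n, f_idx):
        raise AssertionError("sigma built from (3) must carry g onto f")
    return s


def cubic_classes(n):
    """Distinct cubic MRS functions on n variables, grouped into permutation-equivalence classes
    by the delta(a) = u*delta(b) + v criterion; each class is a list of (1, j, k) names."""
    functions = {}
    for j in range(2, n + 1):
        for k in range(j + 1, n + 1):
            functions.setdefault(orbit(n, (1, j, k)), (1, j, k))  # one name per function
    classes = []
    for idx in functions.values():
        for cls in classes:
            if find_u_v(frozenset(cls[0]), frozenset(idx), n) is not None:
                cls.append(idx)
                break
        else:
            classes.append([idx])
    return classes


def referee_example():
    """n = 5, delta(a) = {1,3,4}, delta(b) = {1,2,3}: A = P B Q although Q != P^{-1}.
    P and Q are a constructed pair for this A and B (my choice, not copied from the paper)."""
    A, B = circulant([1, 0, 1, 1, 0]), circulant([1, 1, 1, 0, 0])
    P = perm_matrix({1: 2, 2: 4, 3: 1, 4: 3, 5: 5})
    Q = perm_matrix({1: 5, 2: 3, 3: 1, 4: 4, 5: 2})
    P_inv = [list(col) for col in zip(*P)]  # a permutation matrix is orthogonal: P^{-1} = P^T
    return matmul(matmul(P, B), Q) == A, Q != P_inv
```

Because find_u_v returns the first (u, v) it meets, for f = (1, 3, 4), g = (1, 2, 3), n = 5 it finds u = 2 before the paper's u = 3; both give a σ of form (3) that carries g onto f, which is all Theorem 3 needs. The class enumeration uses only condition 1 of Theorem 1, which is legitimate for weight 3 precisely because Theorems 1 and 2 make it equivalent to permutation equivalence.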

3 Permutation equivalence for higher degree MRS functions

Theorem 3 cannot be generalized to higher degrees, since already for quartic MRS functions there is an example for 8 variables of two quartic MRS functions that are permutation equivalent but are not equivalent by any permutation which preserves rotation symmetry for all quartic MRS functions in 8 variables [8, Remark 1.10, p. 197]. The analogous generalization of Theorem 1 to binary circulant matrices of weight 4 or more was considered in [20, Sections 7 and 8]. That paper gives an explicit counterexample to the implication 2. ⇒ 1. for weight 4 and n = 8, and this is precisely the same as the corresponding example for the quartic MRS functions in [8]. However it is proved in [20, Section 7] that the implication for weight 4 is true if n has all prime factors > 28, which suggests that Theorem 3 could be generalized with some similar extra conditions. We do not investigate such questions here.

4 Conjectures

We believe the following conjecture is the most important one in the theory of affine equivalence for cubic MRS functions.

The main conjecture for cubic MRS functions. The permutation equivalence classes for cubic MRS functions are the same as the equivalence classes for all affine transformations.

This conjecture was first stated in [6, Remark 3.9]. It follows from Theorem 3 that the main conjecture is equivalent to the conjecture in which the set of all permutations is replaced by the set of all permutations which preserve rotation symmetry. The counterexample mentioned in Section 3 shows that the main conjecture cannot be extended to functions of degree greater than 3. The work in [20] supports our contention that the cubic MRS functions are special in this respect. We close the paper with another conjecture about MRS functions.

Weight = nonlinearity conjecture. If the number of variables n in an MRS function f of any degree > 1 is odd, then the weight and nonlinearity for f are equal.

The simplest special case f = (1, 2, 3) of this conjecture was already stated in [9, p. 300], and this case was proved by a complicated argument in [21]. This work was extended to the quartic case f = (1, 2, 3, 4) in [19].
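The weight = nonlinearity conjecture can be checked by brute force for small odd n. The following is an added example, not code from the paper or from [19] or [21]: it builds the truth table of an MRS function, computes the Walsh spectrum W_f(w) = Σ_x (−1)^{f(x) + ⟨w,x⟩} and uses the standard formula nl(f) = 2^{n−1} − max_w |W_f(w)|/2 (assumed here; it is not defined on this page), then compares wt(f) with nl(f) for the two cases the text says are proved, f = (1, 2, 3) and f = (1, 2, 3, 4). Function names are my own.

```python
# Added example (not part of the paper): brute-force check of the weight = nonlinearity
# conjecture. Cost is 4^n inner steps, so it is only meant for small n.
from itertools import product


def mrs_truth_table(n, idx):
    """Truth table of the MRS function generated by x_{i_1} ... x_{i_d} (1-based indices idx).
    Rotations that coincide are summed over F_2, so only odd multiplicities survive."""
    counts = {}
    for t in range(n):
        m = frozenset((i + t - 1) % n + 1 for i in idx)
        counts[m] = counts.get(m, 0) + 1
    terms = [m for m, c in counts.items() if c % 2]
    return [sum(all(x[i - 1] for i in m) for m in terms) % 2
            for x in product((0, 1), repeat=n)]


def weight(tt):
    """wt(f): the number of 1's in the truth table."""
    return sum(tt)


def walsh_spectrum(tt, n):
    """W_f(w) = sum over x of (-1)^(f(x) + <w, x>), for every w in V_n (lexicographic order)."""
    points = list(product((0, 1), repeat=n))
    spectrum = []
    for w in points:
        total = 0
        for fx, x in zip(tt, points):
            wx = sum(a & b for a, b in zip(w, x)) & 1
            total += -1 if (fx ^ wx) else 1
        spectrum.append(total)
    return spectrum


def nonlinearity(tt, n):
    """nl(f) = 2^(n-1) - max_w |W_f(w)| / 2: the distance from f to the nearest affine function
    (assumed standard definition; max |W_f| is always even, so integer division is exact)."""
    return 2 ** (n - 1) - max(abs(v) for v in walsh_spectrum(tt, n)) // 2


def weight_and_nonlinearity(n, idx):
    tt = mrs_truth_table(n, idx)
    return weight(tt), nonlinearity(tt, n)


def conjecture_holds(n, idx):
    """True when wt(f) = nl(f) for the MRS function generated by idx on n variables."""
    w, nl = weight_and_nonlinearity(n, idx)
    return w == nl


if __name__ == "__main__":
    for n in (5, 7):                              # constructed sample: the proved cases, small odd n
        print(n, (1, 2, 3), weight_and_nonlinearity(n, (1, 2, 3)))
        print(n, (1, 2, 3, 4), weight_and_nonlinearity(n, (1, 2, 3, 4)))
```

For n = 5 and f = (1, 2, 3) the only inputs with f(x) = 1 are the five rotations of 11100 and 11111, so wt(f) = 6, and the spectrum's largest absolute value is W_f(0) = 32 − 12 = 20, giving nl(f) = 16 − 10 = 6 as the conjecture predicts.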

References

[1] M. L. Bileschi, T. W. Cusick and D. Padgett, Weights of Boolean cubic monomial rotation symmetric functions, Cryptogr. Commun. 4 (2012), pp. 105–130.
[2] A. Brown and T. W. Cusick, Recursive weights for some Boolean functions, J. Math. Cryptol. 6 (2012), pp. 105–135.
[3] A. Brown and T. W. Cusick, Equivalence classes for cubic rotation symmetric functions, Cryptogr. Commun. 5 (2013), pp. 85–118.
[4] D. Canright, J. H. Chung and P. Stănică, Circulant matrices and affine equivalence of monomial rotation symmetric Boolean functions, to appear.
[5] C. Carlet, Boolean functions for cryptography and error-correcting codes, in Y. Crama and P. L. Hammer (eds.) Boolean Models and Methods in Mathematics, Computer Science, and Engineering, pp. 257–397. Cambridge University Press, Cambridge, England, 2010.
[6] T. W. Cusick, Affine equivalence of cubic homogeneous rotation symmetric Boolean functions, Inform. Sci. 181 (2011), pp. 5067–5083.
[7] T. W. Cusick and A. Brown, Affine equivalence for rotation symmetric Boolean functions with p^k variables, Finite Fields Appl. 18 (2012), pp. 547–562.
[8] T. W. Cusick and Y. Cheon, Affine equivalence of quartic homogeneous rotation symmetric Boolean functions, Inform. Sci. 259 (2014), pp. 192–211.
[9] T. W. Cusick and P. Stănică, Fast evaluation, weights and nonlinearity of rotation-symmetric functions, Discrete Math. 258 (2002), pp. 289–301.
[10] Thomas W. Cusick and Pantelimon Stănică, Cryptographic Boolean Functions. Academic Press, San Diego, CA, 2009.
[11] B. Elspas and J. Turner, Graphs with circulant adjacency matrices, J. Combinatorial Theory 9 (1970), pp. 297–307.
[12] S. Kavut, S. Maitra and M. D. Yücel, Search for Boolean Functions With Excellent Profiles in the Rotation Symmetric Class, IEEE Trans. Inform. Theory 53 (2007), pp. 1743–1751.
[13] S. Kavut and M. D. Yücel, 9-variable Boolean functions with nonlinearity 242 in the generalized rotation symmetric class, Inform. and Comput. 208 (2010), pp. 341–350.
[14] H. Kim, S.-M. Park and S. G. Hahn, On the weight and nonlinearity of homogeneous rotation symmetric Boolean functions of degree 2, Discrete Appl. Math. 157 (2009), pp. 428–432.
[15] P. Stănică and S. Maitra, A constructive count of rotation symmetric functions, Inform. Process. Lett. 88 (2003), pp. 299–304.
[16] N. J. Patterson and D. H. Wiedemann, The covering radius of the (2^15, 16) Reed-Muller code is at least 16276, IEEE Trans. Inform. Theory 29 (1983), pp. 354–356.
[17] N. J. Patterson and D. H. Wiedemann, Correction to 'The covering radius of the (2^15, 16) Reed-Muller code is at least 16276', IEEE Trans. Inform. Theory 36 (1990), p. 443.
[18] J. Pieprzyk and C. X. Qu, Fast hashing and rotation-symmetric functions, J. UCS 5 (1999), pp. 20–31.
[19] B. Wang, X. Zhang and W. Chen, The Hamming weight and nonlinearity of a type of rotation symmetric Boolean function, Acta Math. Sinica (Chin. Ser.) 55 (2012), pp. 613–626.
[20] D. Wiedemann and M. E. Zieve, Equivalence of sparse circulants: the bipartite Ádám problem, arXiv.org 0706.1567v1 (2007).
[21] X. Zhang, H. Guo, R. Feng and Y. Li, Proof of a conjecture about rotation symmetric functions, Discrete Math. 311 (2011), pp. 1281–1289.