A New Property of Maiorana-M Farland

Fun tions

Yuliang Zheng
S hool of Network Computing
Monash University
M Mahons Road, Frankston, VIC 3199, Australia
Email: yuliang.zhenginfote h.monash.edu.au
Xian-Mo Zhang
S hool of Information Te hnology & Computer S ien e
University of Wollongong
Wollongong, NSW 2522, Australia
Email: xianmo s.uow.edu.au
Abstra t
Maiorana-M Farland fun tions were originally introdu ed in ombinatori s. These fun tions are useful in onstru ting bent fun tions,
although only in spe ial ases. An interesting problem is therefore
to investigate whether Maiorana-M Farland fun tions that are not
bent an be used, indire tly, to obtain bent fun tions. This question
is given an aÆrmative answer in this paper. More spe i

an be used to form the sequen e of a bent fun tion. 1 . ally. Maiorana-M Farland Fun tions. we show that the non-zero terms in the Fourier transform of a MaioranaM Farland fun tion that is asso iated with an one-to-one mapping. This result presents new insights into the usefulness and properties of MaioranaM Farland fun tions. Key Words Bent Fun tions. Fourier Transform.

De.1 Motivation Let Vn be the ve tor spa e of n tuples of elements from GF (2). For positive integers k and m. let Q be a mapping from Vk to Vm and r be a (Boolean) fun tion on Vk .

x) on Vm+k as f (y. 2. 7. 8℄. It is known that when k = m and Q is a permutation on Vk . We know that when k < m. propagation hara teristi s and orrelation immunity[1. we will obtain even more bent fun tions from this kind of bent fun tions.ne a fun tion f (y. x) = Q(y)xT  r(y) where x 2 Vm and y 2 Vk . 4℄. Of ourse. there exist bent fun tions that are not equivalent to Maiorana-M Farland fun tions by any nonsingular linear transformation on the variables [5℄. an it still be used to obtain a bent fun tion after a simple transformation ? In this work. More spe i. This observation motivates us to ask a question. Then we say that f is a Maiorana-M Farland fun tion. a Maiorana-M Farland fun tion is not a bent fun tion. given a Maiorana-M Farland fun tion that is not bent in its own right. we provide an aÆrmative answer for the ase of k  m. f is a bent fun tion on V2k [3. If we use nonsingular linear transformations on the variables. Maiorana-M Farland fun tions play an important role in the design of ryptographi fun tions that satisfy ryptographi ally desirable properties su h as high nonlinearity. This provides us with a powerful method for k onstru ting as many as (2k !)22 di erent bent fun tions on V2k . namely.

then the non-zero terms in the Fourier transform of a Maiorana-M Farland fun tion f (y. form the sequen e of a bent fun tion on V2k . x) = Q(y)xT  r(y). 1)-sequen e de. when on atenated together. 2 Boolean Fun tions The truth table of a fun tion f on Vn is a (0. ally. we show that if k  m and Q is an one-to-one mapping.

1)-sequen e de.ned by (f ( 0 ). f ( 2n 1 )). f ( 1 ). : : : . and the sequen e of f is a (1.

: : :. 1. 1)-matrix of order 2n de. The matrix of f is a (1. ( 1)f ( 1 ) . 0. ( 1)f ( 2n 1) ). 1). : : : . 0. 2n 1 1 = (1. where 0 = (0. 1). : : : . : : : . 0). 1 = (0. : : : .ned by (( 1)f ( 0 ) .

ned by M = (( 1)f ( i  j ) ) 2 .

bm ). am ) and ~b = (b1 . we de.    .where  denotes the addition in GF (2).    . Given two sequen es a~ = (a1 .

~b are the sequen es of fun tions f and g on Vn respe tively. if m = 2n and a~. Let a~ = (a1 . ~bi. bm ) be two sequen es or ve tors.    . am ) and ~b = (b1 . am bm ).ne the omponent-wise produ t of the two sequen es by a~  ~b = (a1 b1 . is de.    . denoted by ha~.    . In parti ular. where  denotes the addition in GF (2). the s alar produ t of a~ and ~b. then a~  ~b is the sequen e of f  g.

: : : : n 1 Let `i . 2. Hn = H Hn 1 . n = 1. 2 GF (2). Furthermore f is alled a linear fun tion if = 0. denoted by Hn . A Sylvester-Hadamard matrix of order 2n. xn ) = a1 x1      an xn  . : : : . be the i row of Hn . It is known that `i is the sequen e of a linear fun tion 'i (x) de. ha~. where aj . A (1. 2. where AT is the transpose of A and In is the identity matrix of order n. j = 1. ~bi = m a b . when a~ and ~b are from Vm . ~bi = a1 b1      am bm. 0  i  2n 1. 1)-matrix A of order n is alled a Hadamard matrix if AAT = nIn . and when a~ and ~b are (1. 1)-sequen es. where i i i=1 the addition and multipli ation are over the reals.ned as the sum of omponent-wise multipli ations. : : : . An aÆne fun tion f on Vn is a fun tion that takes the form of f (x1 . In parti ular. n. where the addition and multipli ation are over P GF (2). is generated by the following re ursive relation   H H n 1 n 1 H0 = 1. ha~.

The Hamming weight of a (0. the Hamming distan e d(f. denoted by HW ( ). 1)-sequen e  .ned by the s alar produ t 'i (x) = h i . g) between them is de. is the number of ones in the sequen e. xi. Given two fun tions f and g on Vn . where i is the ith ve tor in Vn a ording to the as ending alphabeti al order.

Then we all a sequen e de. xn ).ned as the Hamming weight of the truth table of f (x)  g(x). Let f be a fun tion on Vn and  denote the sequen e of f . where x = (x1 . : : : .

1)-sequen e. From the same paper.ned by 1 2 2 n Hn the Fourier transform of the fun tion f . they have sin e found numerous appli ations in logi synthesis. A bent fun tion on Vn exists only for n even. it is known that f is a bent fun tion on Vn if and only if the matrix of f is an Hadamard matrix. Although the on ept of bent fun tions was initially introdu ed in ombinatori s. then f must be a bent fun tion [6℄. Note that generally ea h oordinate 1 1 2 n to 2 2 n . An interesting fa t take a value ranging from 2 of 2 21 n Hn an 1 is that if 2 2 n Hn is a (1. 3 . The algebrai degree of bent fun tions on Vn is at most 21 n [6℄. digital ommuni ations and ryptography.

3 Maiorana-M Farland Fun tions Consider a Maiorana-M Farland fun tion de.

j1 . where j0 . Given a Maiorana-M Farland fun tion f de. : : : . : : : . 0  i  2m 1. j2k 1 g be an arbitrary subset of f0.ned by f (z ) = f (y. : : : . x) = Q(y)xT  r(y) (1) where Q is a mapping from Vk to Vm . j2k 1 are not ne essarily mutually distin t. 1 . r is a fun tion on Vk . Set  = 0 `j0 . j1 . y 2 Vk and z = (y. 2k 1 be an arbitrary (1. j1 . 1)-sequen e of length 2k and fj0 . : : : . x 2 Vm . 2m 1g. j2k 1 g = f0. : : : . Let 0 . 2k 1 `j2k 1 (2) where fj0 . 1. : : :. x). : : : . 2k 1g. 1. 1 `j1 . Let `i denote the ith row of Hm .

Let r be the fun tion whose sequen e is 0 . 1.ned in (1). and j2k 1 the integer representation of Q( 2k 1 ). The above observations indi ate that the sequen e of ea h fun tion on Vm+k . and Q( 2k 1 ) is the binary representation of j2k 1 . 1 . let 0 . Then (1) must be a fun tion whose sequen e is (2). assume that we are given fj0 . j2k 1 g  f0. Q( 1 ) is the binary representation of j1 . j1 the integer representation of Q( 1 ). : : : . j1 . j1 . Conversely. : : :. 2m 1g. : : :. j2k 1 are not ne essarily mutually distin t. : : : . 1 . : : : . and similarly let Q be the mapping from Vk to Vm su h that Q( 0 ) is the binary representation of j0 . where j0 . : : : . Then (2) is the sequen e of the fun tion f in (1). and a (1. 1)-sequen e. : : : . 0 . 2k 1 . 1 . 2k 1 be the sequen e of r whi h is involved in the onstru tion of f . 2k 1 . de. Furthermore let j0 be the integer representation of Q( 0 ). : : : .

and onversely. as well as in the design of ryptographi fun tions that satisfy ryptographi ally desirable properties. we use P to denote the permutation on Vk . x) = P (y)xT 4  r(y) (3) . ea h sequen e in (2) an be expressed in (1). 4 Bent Fun tions via Maiorana-M Farland Fun tions Maiorana-M Farland fun tions play an important role in the onstru tion of bent fun tions. For the sake of onvenien e. We are parti ularly interested in the ase when m = k and Q is a permutation on Vk .ned in (1). an be expressed in (2). Then the Maiorana-M Farland fun tion introdu ed in (1) an be spe ialized as f (z ) = f (y.

g(z ) = g(y. (3) and (4) omplement ea h other. In [3. y 2 Vk and z = (y. where x. x). Dillon proves that the fun tion f in (3) is a bent fun tion on V2k . 4℄.where y. A question that arises naturally is how fun tions de. In a sense. x) = P (x)yT  r(x) (4) is also a bent fun tion on V2k . x 2 Vk and z = (y. x). Inter hanging x and y in (3) also gives a bent fun tion. Namely.

ned in (3) relate to those de.

To prove the main result in this paper. In addition. ex ept f (y. a further greater number of bent fun tions an be obtained from those in 2k and 2k . De. y 2 V2k . x) = xyT . and similarly let 2k denote the set of bent fun tions on V2k expressed in (4). x) = xyT . we examine in more detail the sequen e of f in (4).ned (4). it is important to point out that there exist bent fun tions that are neither in 2k or 2k . nor an they be obtained by applying a nonsingular linear transformation on the variables of bent fun tions in 2k or 2k (see [5℄). Thus (3) and (4) allow us to onstru t exponentially many bent fun tions all of whi h. where x. Notation 1 Let 2k denote the set of bent fun tions on V2k expressed in (3). Nevertheless. We note that by the use of nonsingular linear transformations on the variables. we k have # 2k = # 2k = (2k !)22 . are distin t. Hen e we have #( 2k \ 2k ) = 1. Then one an verify that f 2 2k \ 2k if and only if f (y.

: : : .. hi2k 1 ). Let i denote the ith row of N .nition 1 B = (bij ) is alled a 2k  2k permutation matrix if there ex 1 if i = (j ) k ists a permutation  on f0. hi1 . : : : . Let hi denote the ith row of Hk . 2k 1 ). hi = (hi0 . ni1 . ni2k 1 ). 2k 1. 1. 1. Let C = diag( 0 . : : : .e. i. 1 . : : : ..e. Denote the entry on the ross of the ith row and the j th olumn of Hk by hij . i. : : : . 1. : : : . j = 0. Denote the entry on the ross of the ith row and the j th olumn of N by nij .    . i. Set N = Hk BC . 2k 1. i. i = 0. Hen e we have i = ( 0 hi(0) . 1 hi(1) . 2 1g su h that bij = 0 otherwise. 5 (6) . : : : . 2k 1. 1    2k 1 ) be a 2k  2k diagonal matrix where ea h j = 1. j = 0. i = (ni0 . 1. 2k 1 hi(2k 1) ) (5) Set  = (0 .

Consider  whi h is de.Note that0  is a (1. Let 2k denote the set of all the fun tions on V2k . -1)-sequen e of length 22k . We now prove that 2k = 2k . whose sequen es take 0 the form expressed in (6).

0  i  2k 1. denoted by '(x) = h i . i i . : : : . a permutation on f0. Re all that Hk is symmetri and the ith row (the ith olumn) is the sequen e of a linear fun tion on Vk . 1. From . we de. xi. Hen e we have hij = ( 1)h j . 2k 1g.ned in (6). where i is the binary representation of an integer i.

1. where j is the binary representation of an integer j .ne P . a new permutation on Vk . : : : . j = 0. Furthermore. from 0 . 2k 1 . we de. : : : . 1 . as follows: P ( j ) = (j) . 2k 1.

Thus we have proved the following result: Lemma 1 For any positive integer k. i ) = ( 1)h (j) . set N = Hk BC . 5 Bent Fun tions in the Fourier Transform of Maiorana-M Farland Fun tions Let k be a positive integer with k  m. : : :. Hen e for any j. 1 . our main result in this paper. 1. any 2k  2k permutation matrix B and any 2k  2k diagonal matrix C with diagonal entries 1.ne a fun tion r on Vk su h that 0 . This lemma will be used in the next se tion in proving Theorem 1. : : : . i = 0. 2k 1g. i 2 f0. Then (0 . : : : . it is easy to verify that # 2k = # 2k = 2k !  22 . 2k 1 ) is the sequen e of a bent fun tion on V2k . 1. This property. i ) = P ( j ) Ti  r( j ) = (j) Ti  r( j ) = h (j) . Let F be a mapping from Vk to Vm that satis. we have f ( j . 0 0 together with the fa t that 2k  2k . i ir( j ) = j hi(j) (7) 0 Hen e we have 2k  2k . : : : . 1 . Denote the ith row of N by i . This proves that ( 1)f ( j . i i  r( j ). shows that 2k = 2k is indeed true. 2k 1. 2k 1 is the sequen e of r. 0 k Finally.

Dis ussions in Se tion 3 indi ate that the sequen e of f an be expressed as  = ( 0 `j0 . y 2 Vk and z = (y. 2k 1 `j2k 1 ) 6 . x). 1 `j1 .e. Also let r be a fun tion on Vk . F is an one-to-one mapping). x) = F (y)xT  r(y) where x 2 Vm .. Set f (z ) = f (y. : : : .es the ondition of F ( ) 6= F ( 0 ) for 6= 0 (i.

j1 . : : : . Sin e Hm+k = Hk  Hm . . : : : . 6 Hk  `i = 6 6 4 3 Li Li+2m (2k 7 7 7 5 1) for ea h . fj0 . j2k 1 g is an arbitrary subset of f0.where ea h j = 1. j2k 1 are mutually distin t. 1. 2m 1g and ea h `i denotes the ith row of Hm . Let Lj denote the j th row of Hm+k . and es the sth row of Hk . Sin e F is an one-to-one mapping.. 0  j  2m+k 1. 0  i  2m 1. : : : . we have 2 Li+2m . j1 . where  denotes the Krone ker produ t [9℄. 0  s  2k 1. j0 .

hi2k 1 ). 2k 2k u=0 X 1 1 u=0 h2k 1u Lj2k 7 u m 1+ 2 ) (10) . 1 h1u Lj1 +u2m . We further have 2 k (hs Hk )  `i = (0. Comparing (9) and (8). 0) (9) where ea h 0 denotes the all-zero sequen e of length 2m and the sth sequen e of length 2m is `i . hi1 . 1 `j1 . As in Se tion 3. : : : . 2k 1 `j2k 1 ) k 1 k 1 2X 2X = 2 k ( 0 h0u Lj0 +u2m . : : : . 1. j = 0. : : : . are zero. where i. ex ept the sth. and denote by hi the ith row of Hk . 0) where all the entries. i. 0. Then we have (hs Hk )  `i = 2k X1 u=0 hsu Li+u2m (8) Note that 2 k hs Hk = (0. 2k 1. 0) = 2 k 2k X1 u=0 hsu Li+u2m and hen e  = ( 0 `j0 . 0. 0. : : : . we on lude (0. hi = (hi0 . : : : . : : : . 0. : : : .e. we denote by hij the entry on the ross of the ith row and the j th olumn of Hk . 0  i  2m 1. : : : . 0.xed i. : : : . `i. : : : u=0 : : : . `i. 1. 0..

2k 1 in su h a way that s is pla ed before s0 if and only if js < js0 . where 0  u. j2k 1 su h that t0 < t1 <    < t2k 1 and  be the permutation on fj0 . : : : . we obtain 8 0 if i 6= j0 + u2m. j1 . b1 ht1 1 . b1 h (j1 )0 . : : : .  (j1 ) = t1 . : : : . Li i = > 2m s hsu where if i = j s + u2m for some s and u. from the left to the right. b2k 1 : Now we an use (11) to list all the non-zero terms in 2 mHm+k . j  2k 1. Next we rearrange 0 . 1 . b2k 1 ht2k 1 0 . b2k 1 h (j2k 1 )0 . j2k 1 g su h that  (j0 ) = t0 .  (j2k 1 ) = t2k 1 : Note that tj +v2m < ti +u2m if v  u and j < i. from the left to the right. b2k 1 ht2k 1 1 . i. j2k 1 + u2m. v. 2k 1 (11) h. b0 ht0 2k 1 . b2k 1 h (j2k 1 )1 . j1 . b2k 1 h (j2k 1 )2k 1 (13) Furthermore. b1. : : : . b1 h (j1 )1 . b1 h (j1 )2k 1 . as follows b0 ht0 0 . : : : . : : : . : : : . :::. : : : . is as follows: b0 h (j0 )0 . :::. : : : . u  2k 1 Let t0 . : : : . > : 0  s. b1 ht1 2k 1 . t2k 1 be a rearrangement of j0 . 1. We write the rearranged sequen e as b0 . j1 + u2m. b0 h (j0 )2k 1 . : : : .By using (10). we de. b2k 1 ht2k 1 2k 1 (12) Another way to look at the non-zero terms in 2 mHm+k . : : : . > > < u = 0. : : : . b0 ht0 1 . b1 ht1 0 . b0 h (j0 )1 . : : : . t1 .

b2k 1 h0(2k 1) . b2k 1 h1(2k 1) . Thus the following theorem holds. : : : . b1 h2k 1(1) . :::. we have proved that (14) is the sequen e of a bent fun tion on V2k . 8 . b1h1(1) . (1) = j1 . b0 h2k 1(0) . : : : . : : : . b0 h1(0) .ne a permutation  on f0. 1. b2k 1 h2k 1(2k 1) (14) Noting (5) and (6). 2k 1g su h that (0) = j0 . : : : . together with Lemma 1. (2k 1) = j2k 1 : Sin e Hk is symmetri . b1h0(1) . : : : . (13) an be rewritten as b0 h0(0) .

De.Theorem 1 Let k  m and F be an one-to-one mapping from Vk to Vm and r be a fun tion on Vk .

is the sequen e of a bent fun tion on V2k . 1. x). In addition. but not a (1. Then the sequen e obtained by on atenating the non-zero terms in 2 m Hm+k . from the left to the right. This is simply be ause the sequen e 2 m Hk+m in Theorem 1 is a (1. x) = F (y)xT  r(y) where x 2 Vm . takes the form of (6). Let  denote the sequen e of f . 0)sequen e. y 2 Vk and z = (y. 1)-sequen e. obtained in Theorem 1. As a onsequen e. and also the form of (4).ne a fun tion on Vk+m : f (z ) = f (y. It should be noted that Theorem 1 does not ontradi t the well-known fa t that a fun tion is bent if and only if its Fourier transform is bent [6℄. we have Corollary 1 The sequen e of a bent fun tion on V2k . de. we also note that the 1 Fourier transform of f on Vk+m .

ned1 in Theorem 1. we an think of the bent fun tion de. However. but not 2 m Hk+m . as 2 2 (1k+m) Hk+m an be obtained by multiplying 2 mHk+m by a fa tor of 2 2 (m k) . is 2 2 (k+m) Hk+m .

ned in Theorem 1 as one that is \hidden" in (the non-zero terms of) the Fourier transform of f . the resultant Maiorana-M Farland fun tion is bent. We hope that this new property will ontribute to the further understanding of Maiorana-M Farland fun tions and its appli ations both in ombinatori s and engineering . provided that when k  m and Q is an one-to-one mapping. Results in this paper show that the Fourier transform of a Maiorana-M Farland fun tion ontains a \hidden" bent fun tion. 6 Con lusions It is well-known that when k = m and Q is a permutation in (1). when k < m the Maiorana-M Farland fun tion is not bent. and in ontrast.

7 A knowledgement The se ond author was supported by a Queen Elizabeth II Fellowship (227 23 1002).elds. 9 .

In Advan es in Cryptology . On orrelationimmune fun tions. New York. volume 576 of Le ture Notes in Computer S ien e. [2℄ C. pages 87{100. More orrelation-immune and resilient fun tions over Galois . 1991. Carlet. and N. Charpin. Codes. Camion. Heidelberg. Carlet and P.CRYPTO'91.Referen es [1℄ P. C. Berlin. SpringerVerlag. P. Sendrier.

New York. 1997. Springer-Verlag. pages 191{215.elds and Galois ring. [3℄ J. The NSA Te hni al Journal. Dillon. (un lassi. pages 422{433. A survey of bent fun tions. In Advan es in Cryptology EUROCRYPT'98. F. volume 1233 of Le ture Notes in Computer S ien e. Heidelberg. 1972. Berlin.

Zhang. Heidelberg. Springer-Verlag. 1975. pages 237{249. [6℄ O. On \bent" fun tions. F. Nonlinearity and propagation hara teristi s of balan ed boolean fun tions.ed). and Computing. Elementary Hadamard di eren e sets. and Y. F. 1995. Information and Computation. Zhang. Analysis and synthesis of bent sequen es. X. University of Maryland. X. A. pages 181{199. [4℄ J. Elementary Hadamard Di eren e Sets. dissertation. 1974. Rothaus. Zheng. 119(1):1{13. and Y. Dillon. [9℄ R. Graph Theory. [7℄ J. 1994. 1989. Dillon. In Advan es in Cryptology EUROCRYPT'93. [8℄ J. S. In Pro eeding of the Sixth Southeastern Conferen e on Combinatori s. Zheng.D. 1976. Ph. E. Journal of Combinatorial Theory. IEE Pro eedings (Part E). 10 . Ser. Seberry. M. M. On onstru tions and nonlinearity of orrelation immune fun tions. [5℄ J. Hershey. 20:300{305. volume 765 of Le ture Notes in Computer S ien e. New York. Yarlagadda and J. Berlin. Seberry. 136:112{123.