You are on page 1of 10

A New Property of Maiorana-M

Farland
Fun tions

Yuliang Zheng
S hool of Network Computing
Monash University
M Mahons Road, Frankston, VIC 3199, Australia
Email: yuliang.zhenginfote h.monash.edu.au
Xian-Mo Zhang
S hool of Information Te hnology & Computer S ien e
University of Wollongong
Wollongong, NSW 2522, Australia
Email: xianmo s.uow.edu.au
Abstra t
Maiorana-M Farland fun tions were originally introdu ed in ombinatori s. These fun tions are useful in onstru ting bent fun tions,
although only in spe ial ases. An interesting problem is therefore
to investigate whether Maiorana-M Farland fun tions that are not
bent an be used, indire tly, to obtain bent fun tions. This question
is given an armative answer in this paper. More spe i ally, we
show that the non-zero terms in the Fourier transform of a MaioranaM Farland fun tion that is asso iated with an one-to-one mapping,
an be used to form the sequen e of a bent fun tion. This result
presents new insights into the usefulness and properties of MaioranaM Farland fun tions.

Key Words

Bent Fun tions, Fourier Transform, Maiorana-M Farland Fun tions.

Motivation

Let Vn be the ve tor spa e of n tuples of elements from GF (2). For positive
integers k and m, let Q be a mapping from Vk to Vm and r be a (Boolean)
fun tion on Vk . De ne a fun tion f (y; x) on Vm+k as

f (y; x) = Q(y)xT

 r(y)

where x 2 Vm and y 2 Vk . Then we say that f is a Maiorana-M Farland


fun tion. Maiorana-M Farland fun tions play an important role in the
design of ryptographi fun tions that satisfy ryptographi ally desirable
properties su h as high nonlinearity, propagation hara teristi s and orrelation immunity[1, 2, 7, 8.
It is known that when k = m and Q is a permutation on Vk , f is a
bent fun tion on V2k [3, 4. This provides us with a powerful method for
k
onstru ting as many as (2k !)22 di erent bent fun tions on V2k . If we use
nonsingular linear transformations on the variables, we will obtain even
more bent fun tions from this kind of bent fun tions. Of ourse, there exist
bent fun tions that are not equivalent to Maiorana-M Farland fun tions by
any nonsingular linear transformation on the variables [5.
We know that when k < m, a Maiorana-M Farland fun tion is not a
bent fun tion. This observation motivates us to ask a question, namely,
given a Maiorana-M Farland fun tion that is not bent in its own right,
an it still be used to obtain a bent fun tion after a simple transformation
? In this work, we provide an armative answer for the ase of k  m.
More spe i ally, we show that if k  m and Q is an one-to-one mapping,
then the non-zero terms in the Fourier transform of a Maiorana-M Farland
fun tion f (y; x) = Q(y)xT  r(y), when on atenated together, form the
sequen e of a bent fun tion on V2k .
2

Boolean Fun tions

The truth table of a fun tion f on Vn is a (0; 1)-sequen e de ned by


(f ( 0 ); f ( 1 ); : : : ; f ( 2n 1 ));
and the sequen e of f is a (1; 1)-sequen e de ned by
(( 1)f ( 0 ) ; ( 1)f ( 1 ) ; : : : ; ( 1)f ( 2n

1)

);

where 0 = (0; : : : ; 0; 0), 1 = (0; : : : ; 0; 1), : : :, 2n 1 1 = (1; : : : ; 1; 1). The


matrix of f is a (1; 1)-matrix of order 2n de ned by
M = (( 1)f ( i  j ) )
2

where  denotes the addition in GF (2).


Given two sequen es a~ = (a1 ;    ; am ) and ~b = (b1 ;    ; bm ), we de ne the
omponent-wise produ t of the two sequen es by a~  ~b = (a1 b1 ;    ; am bm ).
In parti ular, if m = 2n and a~, ~b are the sequen es of fun tions f and g on
Vn respe tively, then a~  ~b is the sequen e of f  g, where  denotes the
addition in GF (2).
Let a~ = (a1 ;    ; am ) and ~b = (b1 ;    ; bm ) be two sequen es or ve tors,
the s alar produ t of a~ and ~b, denoted by ha~; ~bi, is de ned as the sum of
omponent-wise multipli ations. In parti ular, when a~ and ~b are from Vm ,
ha~; ~bi = a1 b1      am bm, where the addition and multipli ation
are over
P
GF (2), and when a~ and ~b are (1; 1)-sequen es, ha~; ~bi = m
a
b
, where
i
i
i=1
the addition and multipli ation are over the reals.
An ane fun tion f on Vn is a fun tion that takes the form of
f (x1 ; : : : ; xn ) = a1 x1      an xn  , where aj ; 2 GF (2), j = 1; 2; : : : ; n.
Furthermore f is alled a linear fun tion if = 0.
A (1; 1)-matrix A of order n is alled a Hadamard matrix if AAT =
nIn , where AT is the transpose of A and In is the identity matrix of order
n. A Sylvester-Hadamard matrix of order 2n, denoted by Hn , is generated
by the following re ursive relation


H
H
n
1
n
1
H0 = 1; Hn = H
Hn 1 ; n = 1; 2; : : : :
n 1
Let `i , 0  i  2n 1, be the i row of Hn . It is known that `i
is the sequen e of a linear fun tion 'i (x) de ned by the s alar produ t
'i (x) = h i ; xi, where i is the ith ve tor in Vn a ording to the as ending
alphabeti al order.
The Hamming weight of a (0; 1)-sequen e  , denoted by HW ( ), is the
number of ones in the sequen e. Given two fun tions f and g on Vn , the
Hamming distan e d(f; g) between them is de ned as the Hamming weight
of the truth table of f (x)  g(x), where x = (x1 ; : : : ; xn ).
Let f be a fun tion on Vn and  denote the sequen e of f . Then we all
a sequen e de ned by
1
2 2 n Hn
the Fourier
transform of the fun tion f . Note that
generally
ea h oordinate
1
1
2 n to 2 2 n . An interesting fa t
take
a
value
ranging
from
2
of 2 21 n Hn an
1
is that if 2 2 n Hn is a (1; 1)-sequen e, then f must be a bent fun tion
[6.
A bent fun tion on Vn exists only for n even. The algebrai degree
of bent fun tions on Vn is at most 21 n [6. From the same paper, it is
known that f is a bent fun tion on Vn if and only if the matrix of f is
an Hadamard matrix. Although the on ept of bent fun tions was initially
introdu ed in ombinatori s, they have sin e found numerous appli ations
in logi synthesis, digital ommuni ations and ryptography.
3

Maiorana-M Farland Fun tions

Consider a Maiorana-M Farland fun tion de ned by

f (z ) = f (y; x) = Q(y)xT

 r(y)

(1)

where Q is a mapping from Vk to Vm , r is a fun tion on Vk , x 2 Vm , y 2 Vk


and z = (y; x).
Let 0 ; 1 ; : : : ; 2k 1 be an arbitrary (1; 1)-sequen e of length 2k and
fj0 ; j1 ; : : : ; j2k 1 g be an arbitrary subset of f0; 1; : : : ; 2m 1g, where j0 , j1 ,
: : :, j2k 1 are not ne essarily mutually distin t. Let `i denote the ith row
of Hm , 0  i  2m 1. Set

 = 0 `j0 ; 1 `j1 ; : : : ; 2k 1 `j2k

(2)

where fj0 ; j1 ; : : : ; j2k 1 g = f0; 1; : : : ; 2k 1g.


Given a Maiorana-M Farland fun tion f de ned in (1), let 0 ; 1 , : : : ,
2k 1 be the sequen e of r whi h is involved in the onstru tion of f . Furthermore let j0 be the integer representation of Q( 0 ), j1 the integer representation of Q( 1 ), : : :, and j2k 1 the integer representation of Q( 2k 1 ).
Then (2) is the sequen e of the fun tion f in (1).
Conversely, assume that we are given fj0 ; j1 ; : : : ; j2k 1 g  f0; 1; : : : ; 2m
1g, where j0 ; j1 ; : : : ; j2k 1 are not ne essarily mutually distin t, and a
(1; 1)-sequen e, 0 ; 1 ; : : : ; 2k 1 . Let r be the fun tion whose sequen e
is 0 ; 1 ; : : : ; 2k 1 , and similarly let Q be the mapping from Vk to Vm su h
that Q( 0 ) is the binary representation of j0 , Q( 1 ) is the binary representation of j1 , : : :, and Q( 2k 1 ) is the binary representation of j2k 1 . Then
(1) must be a fun tion whose sequen e is (2).
The above observations indi ate that the sequen e of ea h fun tion on
Vm+k , de ned in (1), an be expressed in (2), and onversely, ea h sequen e
in (2) an be expressed in (1).
4

Bent Fun tions via Maiorana-M Farland


Fun tions

Maiorana-M Farland fun tions play an important role in the onstru tion
of bent fun tions, as well as in the design of ryptographi fun tions that
satisfy ryptographi ally desirable properties. We are parti ularly interested in the ase when m = k and Q is a permutation on Vk . For the
sake of onvenien e, we use P to denote the permutation on Vk . Then the
Maiorana-M Farland fun tion introdu ed in (1) an be spe ialized as

f (z ) = f (y; x) = P (y)xT
4

 r(y)

(3)

where y; x 2 Vk and z = (y; x).


In [3, 4, Dillon proves that the fun tion f in (3) is a bent fun tion on
V2k .
Inter hanging x and y in (3) also gives a bent fun tion. Namely,

g(z ) = g(y; x) = P (x)yT

 r(x)

(4)

is also a bent fun tion on V2k , where x; y 2 Vk and z = (y; x).


In a sense, (3) and (4) omplement ea h other. A question that arises
naturally is how fun tions de ned in (3) relate to those de ned (4).

Notation 1 Let
2k denote the set of bent fun tions on V2k expressed in
(3), and similarly let 2k denote the set of bent fun tions on V2k expressed
in (4).
Then one an verify that f 2
2k \ 2k if and only if f (y; x) = xyT ,
where x; y 2 V2k . Hen e we have #(
2k \ 2k ) = 1. In addition, we
k
have #
2k = # 2k = (2k !)22 . Thus (3) and (4) allow us to onstru t
exponentially many bent fun tions all of whi h, ex ept f (y; x) = xyT , are
distin t.
We note that by the use of nonsingular linear transformations on the
variables, a further greater number of bent fun tions an be obtained from
those in
2k and 2k . Nevertheless, it is important to point out that there
exist bent fun tions that are neither in
2k or 2k , nor an they be obtained
by applying a nonsingular linear transformation on the variables of bent
fun tions in
2k or 2k (see [5).
To prove the main result in this paper, we examine in more detail the
sequen e of f in (4).

De nition 1 B = (bij ) is alled a 2k  2k permutation matrix


if there ex
1
if
i = (j )
k
ists a permutation  on f0; 1; : : : ; 2 1g su h that bij = 0 otherwise.
Let C = diag( 0 ; 1    2k 1 ) be a 2k  2k diagonal matrix where ea h
j = 1. Denote the entry on the ross of the ith row and the j th olumn
of Hk by hij , i; j = 0; 1; : : : ; 2k 1. Let hi denote the ith row of Hk , i.e.,
hi = (hi0 ; hi1 ; : : : ; hi2k 1 ). Set N = Hk BC . Denote the entry on the ross
of the ith row and the j th olumn of N by nij , i; j = 0; 1; : : : ; 2k 1. Let i
denote the ith row of N , i.e., i = (ni0 ; ni1 ; : : : ; ni2k 1 ), i = 0; 1; : : : ; 2k 1.
Hen e we have

i = ( 0 hi(0) ; 1 hi(1) ; : : : ; 2k 1 hi(2k

1)

(5)

Set

 = (0 ; 1 ;    ; 2k 1 );
5

(6)

Note that0  is a (1, -1)-sequen e of length 22k .


Let 2k denote the set of all the fun tions on V2k , whose sequen es take
0
the form expressed in (6). We now prove that 2k = 2k .
Consider  whi h is de ned in (6). Re all that Hk is symmetri and
the ith row (the ith olumn) is the sequen e of a linear fun tion on Vk ,
denoted by '(x) = h i ; xi, where i is the binary representation of an
integer i, 0  i  2k 1. Hen e we have hij = ( 1)h j ; i i . From ,
a permutation on f0; 1; : : : ; 2k 1g, we de ne P , a new permutation on
Vk , as follows: P ( j ) = (j) , where j is the binary representation of an
integer j , j = 0; 1; : : : ; 2k 1. Furthermore, from 0 ; 1 ; : : : ; 2k 1 , we de ne
a fun tion r on Vk su h that 0 ; 1 ; : : : ; 2k 1 is the sequen e of r. Hen e
for any j; i 2 f0; 1; : : : ; 2k 1g, we have f ( j ; i ) = P ( j ) Ti  r( j ) =
(j) Ti  r( j ) = h (j) ; i i  r( j ). This proves that
( 1)f ( j ; i ) = ( 1)h (j) ; i ir( j ) = j hi(j)

(7)

Hen e we have 2k  2k .
0
k
Finally, it is easy to verify that # 2k = # 2k = 2k !  22 . This property,
0
0
together with the fa t that 2k  2k , shows that 2k = 2k is indeed true.
Thus we have proved the following result:

Lemma 1 For any positive integer k, any 2k  2k permutation matrix B


and any 2k  2k diagonal matrix C with diagonal entries 1, set N =
Hk BC . Denote the ith row of N by i , i = 0; 1; : : : ; 2k 1. Then (0 , 1 ,
: : :, 2k 1 ) is the sequen e of a bent fun tion on V2k .
This lemma will be used in the next se tion in proving Theorem 1, our
main result in this paper.
5

Bent Fun tions in the Fourier Transform of


Maiorana-M Farland Fun tions

Let k be a positive integer with k  m. Let F be a mapping from Vk to


Vm that satis es the ondition of F ( ) 6= F ( 0 ) for 6= 0 (i.e., F is an
one-to-one mapping). Also let r be a fun tion on Vk . Set

f (z ) = f (y; x) = F (y)xT

 r(y)

where x 2 Vm , y 2 Vk and z = (y; x).


Dis ussions in Se tion 3 indi ate that the sequen e of f an be expressed
as
 = ( 0 `j0 ; 1 `j1 ; : : : ; 2k 1 `j2k 1 )
6

where ea h j = 1, fj0 ; j1 ; : : : ; j2k 1 g is an arbitrary subset of f0; 1; : : : ; 2m


1g and ea h `i denotes the ith row of Hm , 0  i  2m 1. Sin e F is an
one-to-one mapping, j0 ; j1 ; : : : ; j2k 1 are mutually distin t.
Let Lj denote the j th row of Hm+k , 0  j  2m+k 1, and es the sth
row of Hk , 0  s  2k 1. Sin e Hm+k = Hk  Hm , where  denotes the
Krone ker produ t [9, we have
2

Li+2m
..
.

Hk  `i = 6
6
4

Li

Li+2m (2k

7
7
7
5
1)

for ea h xed i, 0  i  2m 1.
As in Se tion 3, we denote by hij the entry on the ross of the ith row
and the j th olumn of Hk , where i; j = 0; 1; : : : ; 2k 1, and denote by hi
the ith row of Hk , i.e., hi = (hi0 ; hi1 ; : : : ; hi2k 1 ). Then we have
(hs Hk )  `i =

2k

X1

u=0

hsu Li+u2m

(8)

Note that 2 k hs Hk = (0; : : : ; 0; 1; 0; : : : ; 0) where all the entries, ex ept the


sth, are zero. We further have
2 k (hs Hk )  `i = (0; : : : ; 0; `i; 0; : : : ; 0)

(9)

where ea h 0 denotes the all-zero sequen e of length 2m and the sth sequen e of length 2m is `i . Comparing (9) and (8), we on lude
(0; : : : ; 0; `i; 0; : : : ; 0) = 2

2k

X1

u=0

hsu Li+u2m

and hen e

 = ( 0 `j0 ; 1 `j1 ; : : : ; 2k 1 `j2k 1 )

k 1
k 1
2X
2X
= 2 k ( 0
h0u Lj0 +u2m ; 1
h1u Lj1 +u2m ; : : :

u=0

: : : ; 2k

2k

u=0

u=0

h2k 1u Lj2k

m
1+ 2

(10)

By using (10), we obtain


8
0
if i 6= j0 + u2m; j1 + u2m; : : : ; j2k 1 + u2m,
>
>
<
u = 0; 1; : : : ; 2k 1
(11)
h; Li i = > 2m s hsu where
if
i
=
j
s + u2m for some s and u,
>
:
0  s; u  2k 1
Let t0 ; t1 ; : : : ; t2k 1 be a rearrangement of j0 ; j1 ; : : : ; j2k 1 su h that
t0 < t1 <    < t2k 1 and  be the permutation on fj0 ; j1 ; : : : ; j2k 1 g su h
that
 (j0 ) = t0 ;  (j1 ) = t1 ; : : : ;  (j2k 1 ) = t2k 1 :
Note that tj +v2m < ti +u2m if v  u and j < i, where 0  u; v; i; j  2k 1.
Next we rearrange 0 ; 1 ; : : : ; 2k 1 in su h a way that s is pla ed before
s0 if and only if js < js0 . We write the rearranged sequen e as
b0 ; b1; : : : ; b2k 1 :
Now we an use (11) to list all the non-zero terms in 2 mHm+k , from the
left to the right, as follows
b0 ht0 0 ; b1 ht1 0 ; : : : ; b2k 1 ht2k 1 0 ;
b0 ht0 1 ; b1 ht1 1 ; : : : ; b2k 1 ht2k 1 1 ;
:::;
b0 ht0 2k 1 ; b1 ht1 2k 1 ; : : : ; b2k 1 ht2k 1 2k 1
(12)
Another way to look at the non-zero terms in 2 mHm+k , from the left to
the right, is as follows:
b0 h (j0 )0 ; b1 h (j1 )0 ; : : : ; b2k 1 h (j2k 1 )0 ;
b0 h (j0 )1 ; b1 h (j1 )1 ; : : : ; b2k 1 h (j2k 1 )1 ;
:::;
b0 h (j0 )2k 1 ; b1 h (j1 )2k 1 ; : : : ; b2k 1 h (j2k 1 )2k 1
(13)

Furthermore, we de ne a permutation  on f0; 1; : : : ; 2k 1g su h that


(0) = j0 ; (1) = j1 ; : : : ; (2k 1) = j2k 1 :
Sin e Hk is symmetri , (13) an be rewritten as
b0 h0(0) ; b1h0(1) ; : : : ; b2k 1 h0(2k 1) ;
b0 h1(0) ; b1h1(1) ; : : : ; b2k 1 h1(2k 1) ;
:::;
b0 h2k 1(0) ; b1 h2k 1(1) ; : : : ; b2k 1 h2k 1(2k 1)
(14)
Noting (5) and (6), together with Lemma 1, we have proved that (14) is
the sequen e of a bent fun tion on V2k . Thus the following theorem holds.
8

Theorem 1 Let k  m and F be an one-to-one mapping from Vk to Vm


and r be a fun tion on Vk . De ne a fun tion on Vk+m :
f (z ) = f (y; x) = F (y)xT

 r(y)

where x 2 Vm , y 2 Vk and z = (y; x). Let  denote the sequen e of f . Then


the sequen e obtained by on atenating the non-zero terms in 2 m Hm+k ,
from the left to the right, is the sequen e of a bent fun tion on V2k .

As a onsequen e, we have

Corollary 1 The sequen e of a bent fun tion on V2k , obtained in Theorem


1, takes the form of (6), and also the form of (4).
It should be noted that Theorem 1 does not ontradi t the well-known
fa t that a fun tion is bent if and only if its Fourier transform is bent [6.
This is simply be ause the sequen e 2 m Hk+m in Theorem 1 is a (1; 1; 0)sequen e, but not a (1; 1)-sequen e. In addition, we also note that the
1
Fourier transform of f on Vk+m , de ned1 in Theorem 1, is 2 2 (k+m) Hk+m ,
but not 2 m Hk+m . However, as 2 2 (1k+m) Hk+m an be obtained by
multiplying 2 mHk+m by a fa tor of 2 2 (m k) , we an think of the bent
fun tion de ned in Theorem 1 as one that is \hidden" in (the non-zero
terms of) the Fourier transform of f .
6

Con lusions

It is well-known that when k = m and Q is a permutation in (1), the


resultant Maiorana-M Farland fun tion is bent; and in ontrast, when k <
m the Maiorana-M Farland fun tion is not bent. Results in this paper show
that the Fourier transform of a Maiorana-M Farland fun tion ontains a
\hidden" bent fun tion, provided that when k  m and Q is an one-to-one
mapping. We hope that this new property will ontribute to the further
understanding of Maiorana-M Farland fun tions and its appli ations both
in ombinatori s and engineering elds.
7

A knowledgement

The se ond author was supported by a Queen Elizabeth II Fellowship (227


23 1002).

Referen es

[1 P. Camion, C. Carlet, P. Charpin, and N. Sendrier. On orrelationimmune fun tions. In Advan es in Cryptology - CRYPTO'91, volume
576 of Le ture Notes in Computer S ien e, pages 87{100. SpringerVerlag, Berlin, Heidelberg, New York, 1991.
[2 C. Carlet and P. Codes. More orrelation-immune and resilient fun tions over Galois elds and Galois ring. In Advan es in Cryptology EUROCRYPT'98, volume 1233 of Le ture Notes in Computer S ien e,
pages 422{433. Springer-Verlag, Berlin, Heidelberg, New York, 1997.
[3 J. F. Dillon. A survey of bent fun tions. The NSA Te hni al Journal,
pages 191{215, 1972. (un lassi ed).
[4 J. F. Dillon. Elementary Hadamard Di eren e Sets. Ph.D. dissertation,
University of Maryland, 1974.
[5 J. F. Dillon. Elementary Hadamard di eren e sets. In Pro eeding of the
Sixth Southeastern Conferen e on Combinatori s, Graph Theory, and
Computing, pages 237{249, 1975.
[6 O. S. Rothaus. On \bent" fun tions. Journal of Combinatorial Theory,
Ser. A, 20:300{305, 1976.
[7 J. Seberry, X. M. Zhang, and Y. Zheng. On onstru tions and nonlinearity of orrelation immune fun tions. In Advan es in Cryptology EUROCRYPT'93, volume 765 of Le ture Notes in Computer S ien e,
pages 181{199. Springer-Verlag, Berlin, Heidelberg, New York, 1994.
[8 J. Seberry, X. M. Zhang, and Y. Zheng. Nonlinearity and propagation
hara teristi s of balan ed boolean fun tions. Information and Computation, 119(1):1{13, 1995.
[9 R. Yarlagadda and J. E. Hershey. Analysis and synthesis of bent sequen es. IEE Pro eedings (Part E), 136:112{123, 1989.

10