Codes from bent functions over finite fields Sihem Mesnager - PowerPoint PPT Presentation

Codes from bent functions over finite fields Sihem Mesnager University of Paris VIII, Department of mathematics and University of Paris XIII LAGA and Telecom Paris-Tech, France Seminar at Telecom Paris September 2016 1 / 41

Outline Background on p -ary functions 1 Bent functions over finite fields 2 Two generic constructions of linear codes from bent 3 functions Explicit constructions of linear codes from bent functions 4 Conclusion 5 2 / 41

p -ary functions ☞ Functions from the finite field F p n to the prime field F p = Z / p Z ( p -ary functions) play an important role in coding theory and cryptography ! Functions F p n → F p Families of codes Symmetric cryptosystems ex. Reed-Muller codes (secret key) Coding theory Cryptography 3 / 41

p -ary functions Algebraic Normal Form (A.N.F) of f : F n p → F p : f ( x 1 , . . . , x n ) = � p a u x u , with x u = � n i = 1 x u i i and a u ∈ F p . u ∈ F n Polynomial form of f : F p n → F p : � Tr p o ( j ) / p ( A j x j ) + A p n − 1 x p n − 1 , x ∈ F p n f ( x ) = j ∈ Γ n Γ n is the set of the integers obtained by choosing the smallest element in each cyclotomic class modulo p n − 1 , cyclotomic class C ( j ) = { j , jp , jp 2 , jp 3 , · · · , jp o ( j ) − 1 } containing j ; o ( j ) is the size of C ( j ) , c.a.d. o ( j ) the smallest positive integer such that jp o ( j ) ≡ j ( mod p n − 1 ) ; A j ∈ F p o ( j ) ; A p n − 1 ∈ F p ; Tr p n / p ( · ) the absolute trace function on F p n : Tr p n / p ( x ) = � n − 1 i = 0 x p i . 4 / 41

Background on Boolean functions : representation f : F n 2 → F 2 an n -variable Boolean function. D EFINITION (A LGEBRAIC N ORMAL F ORM (A.N.F)) Let f : F n 2 → F 2 be a Boolean function. Then f can be expressed as : �� � � � a u x u , a I ∈ F 2 f ( x 1 , . . . , x n ) = = a I x i i ∈ I u ∈ F n I ⊂{ 1 ,..., n } 2 n � where I = supp ( u ) = { i = 1 , . . . , n | u i = 1 } and x u = x u i i . i = 1 The A.N.F exists and is unique. D EFINITION (T HE ALGEBRAIC DEGREE ) The algebraic degree deg ( f ) is the degree of the A.N.F . Affine functions f ( deg ( f ) ≤ 1 ) : f ( x ) = a 0 ⊕ a 1 x 1 ⊕ a 2 x 2 ⊕ · · · ⊕ a n x n , a i ∈ F 2 5 / 41

Background on Boolean functions : representation D EFINITION Let n be a positive integer. Every Boolean function f defined on F 2 n has a (unique) trace expansion called its polynomial form : � Tr o ( j ) ( a j x j ) + ǫ ( 1 + x 2 n − 1 ) , ∀ x ∈ F 2 n , f ( x ) = a j ∈ F 2 o ( j ) 1 j ∈ Γ n D EFINITION (A BSOLUTE TRACE OVER F 2 ) Let k be a positive integer. For x ∈ F 2 k , the (absolute) trace Tr k 1 ( x ) of x over F 2 is defined by : k − 1 � x 2 i = x + x 2 + x 2 2 + · · · + x 2 k − 1 ∈ F 2 Tr k 1 ( x ) := i = 0 6 / 41

Background on Boolean functions : representation D EFINITION Let n be a positive integer. Every Boolean function f defined on F 2 n has a (unique) trace expansion called its polynomial form : � Tr o ( j ) ( a j x j ) + ǫ ( 1 + x 2 n − 1 ) , ∀ x ∈ F 2 n , f ( x ) = a j ∈ F 2 o ( j ) 1 j ∈ Γ n Γ n is the set obtained by choosing one element in each cyclotomic class of 2 modulo 2 n − 1 , o ( j ) is the size of the cyclotomic coset containing j ( that is o ( j ) is the smallest positive integer such that j 2 o ( j ) ≡ j ( mod 2 n − 1 ) ) ǫ = wt ( f ) modulo 2 D EFINITION (T HE H AMMING WEIGHT OF A B OOLEAN FUNCTION ) wt ( f ) = # supp ( f ) := # { x ∈ F 2 n | f ( x ) = 1 } 7 / 41

Background on Boolean functions : representation D EFINITION Let n be a positive integer. Every Boolean function f defined on F 2 n has a (unique) trace expansion called its polynomial form : � Tr o ( j ) ( a j x j ) + ǫ ( 1 + x 2 n − 1 ) , ∀ x ∈ F 2 n , f ( x ) = a j ∈ F 2 o ( j ) 1 j ∈ Γ n ☞ The algebraic degree of f denoted by deg ( f ) , is the maximum Hamming weight of the binary expansion of an exponent j for which a j � = 0 if ǫ = 0 and is n if ǫ = 1 . Affine functions : Tr n 1 ( ax ) + λ , a ∈ F 2 n , λ ∈ F 2 . 8 / 41

The discrete Fourier (Walsh) Transform of Boolean functions D EFINITION (T HE DISCRETE F OURIER (W ALSH ) T RANSFORM ) � ( − 1 ) f ( x )+ a · x , a ∈ F n χ f ( a ) = � 2 x ∈ F n 2 where " · " is the canonical scalar product in F n 2 defined by x · y = � n i = 1 x i y i , ∀ x = ( x 1 , . . . , x n ) ∈ F n ∀ y = ( y 1 , . . . , y n ) ∈ F n 2 , 2 . D EFINITION (T HE DISCRETE F OURIER (W ALSH ) T RANSFORM ) � ( − 1 ) f ( x )+ Tr n 1 ( ax ) , χ f ( a ) = � a ∈ F 2 n x ∈ F 2 n where " Tr n 1 " is the absolute trace function on F 2 n . 9 / 41

Characterization of bent functions A main characterization of "bentness" : n 2 , ( f is bent ) ⇐ ⇒ � χ f ( ω ) = ± 2 ∀ ω ∈ F 2 n Thanks to Parseval’s identity, one can determine the number of occurrences of each value of the Walsh transform of a bent function. T ABLE : Walsh spectrum of bent functions f with f ( 0 ) = 0 Value of � χ f ( ω ) , ω ∈ F 2 n Number of occurrences 2 n − 1 + 2 n − 2 n 2 2 2 n n − 2 2 n − 1 − 2 − 2 2 2 10 / 41

Bentness and nonlinearity D EFINITION (T HE H AMMING DISTANCE ) f , g : F 2 n → F 2 two Boolean functions. The Hamming distance between f and g : d H ( f , g ) := # { x ∈ F 2 n | f ( x ) � = g ( x ) } . D EFINITION (N ONLINEARITY ) f : F 2 n → F 2 a Boolean function. The nonlinearity denoted by nl ( f ) of f is nl ( f ) := min l ∈ A n d H ( f , l ) where A n := { l : F 2 n → F 2 , l ( x ) := a · x + b ; a ∈ F 2 n , b ∈ F 2 ( where " · " is an inner product in F 2 n )} is the set of affine functions on F 2 n . ➔ The nonlinearity of a function f is the minimum number of truth table entries that must be changed in order to convert f to an affine function. 11 / 41

General upper bound on the nonlinearity of Boolean functions The nonlinearity of f equals : nl ( f ) = 2 n − 1 − 1 2 max | � χ f ( a ) | a ∈ F n 2 ➔ Thanks to Parseval’s relation : � 2 ( a ) = 2 2 n 2 � χ f a ∈ F n χ f ( a )) 2 ≥ 2 n we have : max a ∈ F n 2 ( � Hence : for every n -variable Boolean function f , the nonlinearity is always upper bounded by 2 n − 1 − 2 n 2 − 1 ➔ It can reach this value if and only if n is even. 12 / 41

A main definition of a bent function General upper bound on the nonlinearity of any n -variable Boolean function : nl ( f ) ≤ 2 n − 1 − 2 n 2 − 1 D EFINITION (B ENT FUNCTION [R OTHAUS , 1975]) f : F 2 n → F 2 ( n even) is said to be a bent function if nl ( f ) = 2 n − 1 − 2 n 2 − 1 Bent functions have been studied for more than 40 years (initiators : [Dillon, 1974], [Rothaus, 1975]). 2 ( − 1 ) ˜ n 2 , defines the dual function ˜ f ( ω ) , ∀ ω ∈ F n χ f ( ω ) = 2 ☞ If f is bent then � f of f . 13 / 41

Bent Boolean functions in combinatorics Bent functions are combinatorial objects : D EFINITION Let G be a finite (abelian) group of order µ . A subset D of G of cardinality k is called ( µ, k , λ ) -difference set in G if every element g ∈ G , different from the identity, can be written as d 1 − d 2 , d 1 , d 2 ∈ D , in exactly λ different ways. Hadamard difference set in elementary abelian 2-group : ( µ, k , λ ) = ( 2 n , 2 n − 1 ± 2 2 − 1 , 2 n − 2 ± 2 n n 2 − 1 ) . T HEOREM (D ILLON 74) A Boolean function f over F n 2 is bent if and only if supp ( f ) := { x ∈ F n 2 | f ( x ) = 1 } is a Hadamard difference set in F n 2 . 14 / 41

Bent Boolean functions in combinatorics Example : Let f a Boolean function defined on F 4 2 ( n = 4 ) by f ( x 1 , x 2 , x 3 , x 4 ) = x 1 x 4 + x 2 x 3 The support of f is Supp ( f ) = { ( 1 , 0 , 0 , 1 ) , ( 1 , 0 , 1 , 1 ) , ( 1 , 1 , 0 , 1 ) , ( 0 , 1 , 1 , 0 ) , ( 0 , 1 , 1 , 1 ) , ( 1 , 1 , 1 , 0 ) } is a Hadamard ( 16 , 6 , 2 ) -difference set of F 4 2 . d 1 d 2 d 1 + d 2 1001 1011 0010 1001 1101 0100 1001 0110 1111 1001 0111 1110 1001 1110 0111 1011 1101 0110 1011 0110 1101 1011 0111 1100 1011 1110 0101 1101 0110 1011 1101 0111 1010 1101 1110 0011 0110 0111 0001 0110 1110 1000 0111 1110 1001 15 / 41

Bent functions in characteristic p The Walsh-Hadamard transform can be defined for p -ary functions f : F p n → F p : � f ( x ) − Tr pn / p ( bx ) S f ( b ) = ζ , p x ∈ F pn 2 π i p is the complex primitive p th root of unity and elements of F p where ζ p = e are considered as integers modulo p . D EFINITION A p -ary function f is called bent if all its Walsh-Hadamard coefficients satisfy | S f ( b ) | 2 = p n . A bent function f is called regular bent if for every b ∈ F p n , 2 S f ( b ) = ζ f ⋆ ( b ) for some p -ary function f ⋆ : F p n → F p . p − n p D EFINITION The bent function f is called weakly regular bent if there exist a complex 2 S f ( b ) = ζ f ⋆ ( b ) number u with | u | = 1 and a p -ary function f ⋆ such that up − n for p all b ∈ F p n . 16 / 41

Bent functions in characteristic p [Kummar, Scholtz, Welch 1985] Walsh-Hadamard transform coefficients of a p -ary bent function f with odd p satisfy � ± ζ f ⋆ ( b ) , if n is even or n is odd and p ≡ 1 ( mod 4 ) , p − n p 2 S f ( b ) = (1) ± i ζ f ⋆ ( b ) , if n is odd and p ≡ 3 ( mod 4 ) , p where i is a complex primitive 4 -th root of unity. Therefore, regular bent functions can only be found for even n and for odd n with p ≡ 1 ( mod 4 ) . Moreover, for a weakly regular bent function, the constant u (defined above) can only be equal to ± 1 or ± i . 17 / 41