Semifields, Relative Difference Sets, and Bent Functions Alexander - - PowerPoint PPT Presentation

Semifields, Relative Difference Sets, and Bent Functions

Alexander Pott

Otto-von-Guericke-University Magdeburg

December 09, 2013

1 / 34

Outline, or:

2 / 34

Outline, or: Why I am nervous

2 / 34

Outline, or: Why I am nervous

◮ bent functions ... CLAUDE CARLET, TOR HELLESETH

2 / 34

Outline, or: Why I am nervous

◮ bent functions ... CLAUDE CARLET, TOR HELLESETH ◮ relative difference sets (uninteresting generalization?)

2 / 34

Outline, or: Why I am nervous

◮ bent functions ... CLAUDE CARLET, TOR HELLESETH ◮ relative difference sets (uninteresting generalization?) ◮ Z4 (very old?)

2 / 34

Describe connection between ...

◮ relative difference sets ◮ semifields ◮ projections of relative difference sets ◮ KNUTH operation on semifields ◮ bent functions ◮ Z4-valued bent functions

3 / 34

The team

◮ YUE ZHOU ◮ KAI-UWE SCHMIDT ◮ ALEX. P.

4 / 34

The team

◮ YUE ZHOU ◮ KAI-UWE SCHMIDT ◮ ALEX. P.

... all this is also related to KATHY HORADAM’s work, but less general and more concrete...

4 / 34

Bent functions, even characteristic

◮ Bent functions f : F2n → F2 such that f(x + a) − f(x) is

balanced for all a = 0.

Example

f(x) = Trace(βx3) on F2n: f(x + a) − f(x) = Trace(β(x2a + a2x + a2)) = Trace(x2β(a + βa4) + βa2) hence 1 + a3β = 0 for all a = 0. Necessary condition n = 2m is even.

5 / 34

Bent functions, odd characteristic

◮ Bent functions f : Fpn → Fp such that f(x + a) − f(x) is

balanced for all a = 0.

Example

f(x) = Trace(βx2): f(x + a) − f(x) = Trace(2xβa) + βa2. Any n.

6 / 34

Vectorial versions, even characteristic

◮ Bent functions F : Fn 2 → Fk 2 such that F(x + a) − F(x) is

balanced for all a = 0. Component functions Trace(βF(x)) are bent. Hence: Vector space of bent functions. Necessary condition n = 2m is even and k ≤ m.

Example

F(x, y) = xy (x, y ∈ F2m) is vectorial bent F2m × F2m → F2m

7 / 34

Vectorial versions, odd characteristic

◮ Bent functions F : Fn p → Fk p such that F(x + a) − F(x) is

balanced for all a = 0. Component functions Trace(βF(x)) are bent. Hence: Vector space of bent functions. Necessary condition k ≤ n.

Example

F(x) = x2: F(x + a) − F(x) = 2xa + a2.

8 / 34

F : F n

p → F k p bent

p = 2 p odd n even and k ≤ n 2 k ≤ n k = n: planar functions

9 / 34

Bent functions and relative difference sets

If F : Fn

p → Fk p is bent, the set

GF := {(x, F(x)) : x ∈ Fn

p} ⊆ Fn p × Fk p

is a relative difference set:

10 / 34

Bent functions and relative difference sets

If F : Fn

p → Fk p is bent, the set

GF := {(x, F(x)) : x ∈ Fn

p} ⊆ Fn p × Fk p

is a relative difference set: Every element outside {0} × Fk

p has the same number of

difference representations g = d − d′ with d, d′ ∈ GF: x − y = a, F(x) − F(y) = b is equivalent to F(y + a) − F(y) = b

10 / 34

Other groups?

◮ group G ◮ subgroup N (forbidden subgroup) ◮ subset D

g ∈ G \ N has constant number of representations g = d − d′ with d, d′ ∈ D, no element in N.

Example

D = {1, 2, 4} ⊆ Z8, forbidden subgroup {0, 4}. In this talk: |D| = |G|

|N|, hence from each coset of N exactly one

element.

11 / 34

The projection construction

If U < N is a normal subgroup of G and D relative difference set, then D/U is a relative difference set in G/U with forbidden subgroup N/U. The size is |D/U| = |D|. One relative difference set produces a chain of relative difference sets.

12 / 34

Planar functions: n = k

Definition

A function F : Fpn → Fpn is planar if F(x + a) − F(x) is a permutation for all a = 0. We obtain (vectorial) bent functions via projection. p must be odd.

13 / 34

Planar functions: n = k

Definition

A function F : Fpn → Fpn is planar if F(x + a) − F(x) is a permutation for all a = 0. We obtain (vectorial) bent functions via projection. p must be odd. If p = 2, then generalize to ??

13 / 34

Two generalizations to characteristic 2

◮ almost perfect nonlinear functions (APN):

F(x + a) − F(x) = b has at most 2 solutions.

◮ relative difference sets in other groups (not elementary

abelian), related to semifields.

14 / 34

Two generalizations to characteristic 2

◮ almost perfect nonlinear functions (APN):

F(x + a) − F(x) = b has at most 2 solutions.

◮ relative difference sets in other groups (not elementary

abelian), related to semifields. Dream: Use the many semifields with p = 2 to construct many APN.

14 / 34

Semifields

(S, +, ⊙) is a finite (pre)semifield (field without associativity) if

◮ (S, +) is a finite abelian group. ◮ x ⊙ a = b has a unique solution x if a = 0. ◮ a ⊙ y = b has a unique solution y if a = 0. ◮ x ⊙ (y + z) = x ⊙ y + x ⊙ z and (x + y) ⊙ z = x ⊙ z + y ⊙ z.

Example: Finite field!

15 / 34

Semifields

(S, +, ⊙) is a finite (pre)semifield (field without associativity) if

◮ (S, +) is a finite abelian group. ◮ x ⊙ a = b has a unique solution x if a = 0. ◮ a ⊙ y = b has a unique solution y if a = 0. ◮ x ⊙ (y + z) = x ⊙ y + x ⊙ z and (x + y) ⊙ z = x ⊙ z + y ⊙ z.

Example: Finite field!

◮ Ta : S → S with Ta(x) := x ⊙ a is an isomorphism. ◮ Ta + Ta′ = Ta+a′.

Vector space of invertible linear mappings. S is elementary abelian (additive group of a field Fpn), multiplication not always commutative.

15 / 34

Why?

Construct projective plane from a semifield:

16 / 34

Why?

Construct projective plane from a semifield:

◮ Points: S × S ◮ Lines: {x, m ⊙ x + y : x ∈ S}.

16 / 34

How many?

◮ p odd: quite a few, but not many.

LAVRAUW, POLVERINO (2012).

◮ p = 2: very many commutative KANTOR (2003).

Question

Number is not bounded by a polynomial.

17 / 34

Semifields and relative difference sets

Any semifield gives rise to a relative difference set in a group of

• rder p2n with forbidden subgroup of order pn:

18 / 34

Semifields and relative difference sets

Any semifield gives rise to a relative difference set in a group of

• rder p2n with forbidden subgroup of order pn:

Consider the set S × S with addition ⊕ (a, b) ⊕ (a′, b′) = (a + a′, b + b′ + a ⊙ a′).

18 / 34

Semifields and relative difference sets

Any semifield gives rise to a relative difference set in a group of

• rder p2n with forbidden subgroup of order pn:

Consider the set S × S with addition ⊕ (a, b) ⊕ (a′, b′) = (a + a′, b + b′ + a ⊙ a′). Difference set: {(a, 0) : a ∈ S}

18 / 34

What are these strange groups?

Let S be commutative:

◮ F2n p if p is odd, ◮ Zn 4 if p = 2. Forbidden subgroup: 2Zn 4.

In the p odd case: Planar function.

19 / 34

The KNUTH cube

Basis ei of S ei ⊙ ej =

• k

ai,j,kek with ai,j,k ∈ Fp. Linear mappings are described by matrices (ai,k). Permuting the indices gives six semifields (KNUTH).

20 / 34

The KNUTH cube

Basis ei of S ei ⊙ ej =

• k

ai,j,kek with ai,j,k ∈ Fp. Linear mappings are described by matrices (ai,k). Permuting the indices gives six semifields (KNUTH). If S is commutative, the linear mappings associated with one of the 6 semifields are symmetric: Vector space of symmetric invertible matrices.

20 / 34

What are the projections of RDS, p odd?

One semifield in Knuth orbit of a commutative semifield is vector space of symmetric invertible matrices, another one can be described by planar function (RDS). The invertible matrices associated with F x → F(x + a) − F(x) − F(a) + F(0). are not symmetric.

21 / 34

What are the projections of RDS, p odd?

One semifield in Knuth orbit of a commutative semifield is vector space of symmetric invertible matrices, another one can be described by planar function (RDS). The invertible matrices associated with F x → F(x + a) − F(x) − F(a) + F(0). are not symmetric. p odd: Symmetric invertible matrix (ai,j) gives a bent function f(x1, . . . , xn) =

• i,j

ai,jxixj. These are the projections of the planar function F!

21 / 34

What are the projections of RDS, p odd?

One semifield in Knuth orbit of a commutative semifield is vector space of symmetric invertible matrices, another one can be described by planar function (RDS). The invertible matrices associated with F x → F(x + a) − F(x) − F(a) + F(0). are not symmetric. p odd: Symmetric invertible matrix (ai,j) gives a bent function f(x1, . . . , xn) =

• i,j

ai,jxixj. These are the projections of the planar function F! Nice representation of KNUTH operation in terms of relative difference sets.

21 / 34

p = 2: Difference set in Z n

4

KNUTH gives invertible symmetric matrices (ai,j). Projections are relative difference set in the group Z4 × Zn−1

2

.

22 / 34

p = 2: Difference set in Z n

4

KNUTH gives invertible symmetric matrices (ai,j). Projections are relative difference set in the group Z4 × Zn−1

2

. The group defined on the set Zn

2 × Z2 with addition

(v, x) ⊕ (w, y) = (v + w, x + y +

• i

ai,iviwi) is Z4 × Zn−1

2

.

22 / 34

p = 2: Difference set in Z n

4

KNUTH gives invertible symmetric matrices (ai,j). Projections are relative difference set in the group Z4 × Zn−1

2

. The group defined on the set Zn

2 × Z2 with addition

(v, x) ⊕ (w, y) = (v + w, x + y +

• i

ai,iviwi) is Z4 × Zn−1

2

. The set {(x,

• i<j

ai,jxixj) : x ∈ Zn

2}

is a projection RDS in that group.

22 / 34

The group Z4 × Zn−1

2

Consider the set Zn

2 × Z2 and define addition

(v, x) ⊕ (w, y) = (v + w, x + y + v, w)

23 / 34

The group Z4 × Zn−1

2

Consider the set Zn

2 × Z2 and define addition

(v, x) ⊕ (w, y) = (v + w, x + y + v, w) If f : Zn

2 → Z2, then

Gf := {(x, f(x)) : x ∈ Zn

2}

is a relative difference set in Z4 × Zn−1

2

if and only if f(x + a) + f(x) + x, a is balanced for all a = 0.

23 / 34

The group Z4 × Zn−1

2

Consider the set Zn

2 × Z2 and define addition

(v, x) ⊕ (w, y) = (v + w, x + y + v, w) If f : Zn

2 → Z2, then

Gf := {(x, f(x)) : x ∈ Zn

2}

is a relative difference set in Z4 × Zn−1

2

if and only if f(x + a) + f(x) + x, a is balanced for all a = 0. Character theoretic characterization:

• x∈Fn

2

(−1)x,a+f(x)iw(x)

• 2

= 2n negabent.

23 / 34

Construction of difference sets in Z4 × Zn−1

2

Theorem ( )

D, E difference sets in G. Then {0} × D ∪ {1} × E ∪ {2} × (G \ D) ∪ {3} × (G \ E) is a relative difference set in Z4 × G relative to 2Z4 × {0}. Start with bent function difference sets. If G = Zn−1

2

: negabent (equivalently Z4-valued bent).

24 / 34

Construction of difference sets in Z4 × Zn−1

2

Theorem (Arasu, Jungnickel, Ma, P . )

D, E difference sets in G. Then {0} × D ∪ {1} × E ∪ {2} × (G \ D) ∪ {3} × (G \ E) is a relative difference set in Z4 × G relative to 2Z4 × {0}. Start with bent function difference sets. If G = Zn−1

2

: negabent (equivalently Z4-valued bent).

24 / 34

Construction of difference sets in Z4 × Zn−1

2

Theorem (Arasu, Jungnickel, Ma, P . (1990))

D, E difference sets in G. Then {0} × D ∪ {1} × E ∪ {2} × (G \ D) ∪ {3} × (G \ E) is a relative difference set in Z4 × G relative to 2Z4 × {0}. Start with bent function difference sets. If G = Zn−1

2

: negabent (equivalently Z4-valued bent).

24 / 34

If you want to find new objects related to RDS’s, look at

◮ Bernhard Schmidt’s thesis ◮ Davis/Jedwab

25 / 34

Another look at RDS in Zn

4

Consider the set F2n × F2n with addition (x, y) ⊕ (x′, y′) = (x + x′, y + y′ + x · x′). Group: Zn

4, and {(0, y) : y ∈ F2n} is elementary abelian

subgroup.

26 / 34

Another look at RDS in Zn

4

Consider the set F2n × F2n with addition (x, y) ⊕ (x′, y′) = (x + x′, y + y′ + x · x′). Group: Zn

4, and {(0, y) : y ∈ F2n} is elementary abelian

subgroup.

Question

Which subsets {(x, F(x)) : x ∈ F2n} are relative difference sets.

26 / 34

Another look at RDS in Zn

4

Consider the set F2n × F2n with addition (x, y) ⊕ (x′, y′) = (x + x′, y + y′ + x · x′). Group: Zn

4, and {(0, y) : y ∈ F2n} is elementary abelian

subgroup.

Question

Which subsets {(x, F(x)) : x ∈ F2n} are relative difference sets.

Theorem (ZHOU (2012))

Relative difference set if and only if F(x + a) − F(x) + a · x is a permutation for all a = 0. Such an F is called planar.

26 / 34

ridiculous example

F(x) = 0

27 / 34

ridiculous example

F(x) = 0 F(x + a) + F(x) + a · x = a · x is a permutation for all a = 0.

27 / 34

Many semifields

Thanks to KANTOR (2003): There are many semifields!

28 / 34

Many semifields

Thanks to KANTOR (2003): There are many semifields!

Theorem

K = K0 ⊃ K1 ⊃ · · · ⊃ Kn of characteristic 2 with [K : Kn] odd. Let tri be the relative trace from K to Ki. Then, for all nonzero ζ1, . . . , ζn ∈ K, the mapping F : K → K given by F(x) =

• x

n

• i=1

tri(ζix) 2 is planar. Examples are inequivalent.

28 / 34

Construction of new commutative semifields

◮ New symplectic spreads (symmetric invertible matrices)

(Italian school)

◮ New planar functions

(German-Chinese-Norwegian-Armenian school)

29 / 34

The COULTER-MATTHEWS (1998) example

The only known planar function not corresponding to semifields:

Theorem

The function F(x) = xd with d = 3a + 1 2 is PN in F3n iff gcd(a, n) = 1 and a odd.

30 / 34

The COULTER-MATTHEWS (1998) example

The only known planar function not corresponding to semifields:

Theorem

The function F(x) = xd with d = 3a + 1 2 is PN in F3n iff gcd(a, n) = 1 and a odd. p even???

30 / 34

Switching

Planar function such that image set of F has size 2?

Theorem (ZHOU 2012)

31 / 34

Switching

Planar function such that image set of F has size 2?

Theorem (ZHOU 2012)

No

31 / 34

Power mappings F(x) = α · xd

F(x + a) − F(x) + a · x permutation.

32 / 34

Power mappings F(x) = α · xd

F(x + a) − F(x) + a · x permutation. Known power mappings αxd which are planar: d condition 2k no folklore 2k + 1 n = 2k SCHMIDT, ZHOU 4k(4k + 1) n = 6k SCHERR, ZIEVE

32 / 34

Power mappings F(x) = α · xd

F(x + a) − F(x) + a · x permutation. Known power mappings αxd which are planar: d condition 2k no folklore 2k + 1 n = 2k SCHMIDT, ZHOU 4k(4k + 1) n = 6k SCHERR, ZIEVE

Theorem (M ¨

ULLER, ZIEVE (2013))

Let d be a positive integer such that d4 ≤ 2m and let c ∈ F2m be

• nonzero. Then the function x → αxd is planar on F2m if and
• nly if d is a power of 2.

32 / 34

Conclusion

◮ Semifields give RDS (old result) ◮ In the commutative case, projections give KNUTH operation

(new to me)

◮ Z4 valued bent functions have been studied before (new) ◮ Non-commutative case? (work in progress) ◮ p = 2 Planar functions of low weight (ZHOU) ◮ p = 2 Power planar? (ZHOU, SCHMIDT, ZIEVE, M ¨

ULLER,

SCHERR)

◮ p = 2 RDS not semifield (Open)

33 / 34

Epilogue: My dream

Use KANTOR to construct many APN.

34 / 34

Epilogue: My dream

Use KANTOR to construct many APN. Almost true, but the generalization lives on the wrong face of KNUTH cube (DEMPWOLFF, KANTOR (2013)).

34 / 34