Boolean functions optimizing most of the cryptographic criteria

Discrete Applied Mathematics 160 (2012) 427–435

Contents lists available at SciVerse ScienceDirect

Discrete Applied Mathematics journal homepage: www.elsevier.com/locate/dam

Boolean functions optimizing most of the cryptographic criteria Ziran Tu a , Yingpu Deng b,∗ a

Faculty of Science, Henan University of Science and Technology, Luoyang 471003, People’s Republic of China

b

Key Laboratory of Mathematics Mechanization, Academy of Mathematics and Systems Science, Chinese Academy of Sciences, Beijing 100190, People’s Republic of China

article

info

Article history: Received 31 January 2011 Received in revised form 27 July 2011 Accepted 5 August 2011 Available online 6 September 2011 Keywords: Boolean function Correlation immunity Algebraic immunity Resiliency Balancedness Nonlinearity Algebraic degree

abstract In this paper, we construct a class of 2k-variable Boolean functions which have optimal algebraic degree, very high nonlinearity, optimal algebraic immunity, and are 1-resilient. These properties are unconditional except the algebraic immunity property, which is optimal under some unproven assumptions. However, since the assumptions are verified to be true for k ≤ 29, so these functions have optimal algebraic immunity at least for k ≤ 29. © 2011 Elsevier B.V. All rights reserved.

1. Introduction In many symmetric cryptosystems, Boolean functions are critical building blocks. To resist known attacks, there have been many criteria for designing Boolean functions. Generally speaking, before 2003, cryptographic Boolean functions were usually required to be balanced, have high algebraic degree and high nonlinearity. The concept of correlation immunity was proposed by Siegenthaler [25], then Xiao and Massey [28] gave a simple spectral characterization. Many papers discussed functions with high nonlinearity and high-order correlation immunity, and there have been many constructions [2,7,13,21], but many of which are Maiorana–McFarland like functions. When n is small, some resilient functions with maximal nonlinearity have been obtained [18,22,24]. Since 2003, the algebraic attacks proposed by Courtois and Meier [1,8,9,19] have received the world’s attention, as a result, the algebraic immunity of Boolean functions has been introduced, and the study of annihilators of Boolean functions becomes important. Definition 1.1 ([19]). The algebraic immunity AIn (f ) of an n-variable Boolean function is defined to be the lowest degree of nonzero functions g such that fg = 0 or (f + 1)g = 0. To resist standard algebraic attacks, cryptographic Boolean functions should have high algebraic immunity. Up to now, several classes of Boolean functions which are achieving the optimal algebraic immunity have been proposed in [4,6,11, 15,16,20]. Designing Boolean functions to meet all relevant criteria has been proved to be a really hard challenge. All the above constructions that attain the optimum algebraic immunity order are not suitable for cryptographic applications due to unsatisfactory values of other cryptographic criteria. In 2008, Carlet and Feng made a breakthrough at this point, they

∗

Corresponding author. E-mail addresses: [email protected] (Z. Tu), [email protected] (Y. Deng).

0166-218X/$ – see front matter © 2011 Elsevier B.V. All rights reserved. doi:10.1016/j.dam.2011.08.006

428

Z. Tu, Y. Deng / Discrete Applied Mathematics 160 (2012) 427–435

constructed in [5] an infinite class of n-variable Boolean functions with optimal algebraic immunity, maximal algebraic degree and high nonlinearity. It was the first class of functions which meet most of the cryptographic criteria. Very recently, Tu and Deng proposed in [26] a class of algebraic immunity optimal functions of even number variables under an assumption of a combinatoric conjecture, the nonlinearity of these functions were even better than the functions proposed in [5]. Although Carlet proved in [3] that the functions in [26] were weak against fast algebraic attacks, he could repair this weakness through small modifications. However, among all the main designing criteria of Boolean functions, the correlation immunity or resiliency was ignored in [5,26] and in all other designing methods of functions with optimal algebraic immunity. In this paper, we propose an infinite class of 2k-variable Boolean functions, which satisfy all the main cryptographic criteria: 1-resilient, algebraic degree optimal, and very high nonlinearity. Based on the conjecture proposed in [26], it can be proved that the algebraic immunity of our functions is at least suboptimal. Moreover, when k is odd, the algebraic immunity is actually optimal, and for even k, we find that the algebraic immunity is optimal at least for k ≤ 29. We do not consider the resistance to fast algebraic attack [8] of our functions in this paper. Maybe these functions are also weak against fast algebraic attacks. In fact, the construction of functions that in addition provide a good resistance to fast algebraic attacks (thus completely optimized functions) is quite a hard challenge. However, to the best of our knowledge, this is the first instance of resilient functions satisfying most of the cryptographic criteria. The rest of this paper is organized as follows. In Section 2, we give some useful definitions and tools used later in the paper. In Section 3, we discuss our construction methods of functions, as well as their cryptographic properties. We give conclusions in Section 4. 2. Preliminaries Let n be a positive integer. A Boolean function on n variables is a mapping from Fn2 into F2 , which is the finite field with two elements. We denote by Bn the set of all n-variable Boolean functions. Every Boolean function f in Bn has a unique representation as a multivariate polynomial over F2



f (x1 , x2 , . . . , xn ) =

aI

I ⊆{1,...,n}



xi ,

i∈I

where aI ’s are in F2 , such kind of representation is called the algebraic normal form (ANF). The algebraic degree deg (f ) of f is defined to be the maximum degree of those monomials with nonzero coefficients in its algebraic normal form. A Boolean function f is called affine if deg (f ) ≤ 1, we denote by An the set of all affine functions in Bn . The support of f is defined as supp(f ) = {x ∈ Fn2 : f (x) = 1}, and w t (f ) is the number of vectors which lie in supp(f ). For two functions f and g in Bn , the Hamming distance d(f , g ) between f and g is defined as w t (f + g ). The nonlinearity nl(f ) of a Boolean function f is defined as the minimum Hamming distance between f and all affine functions, i.e. nl(f ) = Ming ∈An d(f , g ). For any a ∈ Fn2 , the value Wf (a) =



(−1)f (x)+⟨x,a⟩

x∈Fn2

is called the Walsh spectrum of f at a, where ⟨x, a⟩ denotes the inner product between x and a, i.e. ⟨x, a⟩ = x1 a1 + · · · + xn an . If Wf (a) = 0 for 1 ≤ w t (a) ≤ m, then f is called m-th order correlation immune, this is the famous Xiao–Massey [28] characterization of correlation immune functions. Moreover, if f is also balanced, we call f is m-th order resilient. The nonlinearity of a Boolean function f can be expressed via its Walsh spectra by the next formula nl(f ) = 2n−1 −

1

max |Wf (a)|. 2 a∈Fn2

Notice that for f : F2n −→ F2 , the Walsh spectrum of f at a ∈ F2n is defined by Wf (a) =



(−1)f (x)+tr (a·x) ,

x∈F2n

where the trace function tr is a mapping from F2n onto F2 given by tr (x) = spectrum of f at (a, b) ∈ F2k × F2k is defined by Wf (a, b) =



n−1 i=0

i

x2 . For f : F2k × F2k −→ F2 , the Walsh

(−1)f (x,y)+tr (a·x+b·y) ,

(x,y)∈F2k ×F2k

where tr is the trace function from F2k onto F2 . It is well-known that the nonlinearity satisfies the following inequality n

nl(f ) ≤ 2n−1 − 2 2 −1 . When n is even, the above upper bound can be attained, and such Boolean functions are called bent [23]. Bent function has n several equivalent definitions, for instance, a function f is bent is equivalent to say that supp(f ) is a (2n , 2n−1 ± 2 2 −1 , 2n−2 ± n − 1 n 2 2 )-difference set in the additive group of F2 .

Z. Tu, Y. Deng / Discrete Applied Mathematics 160 (2012) 427–435

429

3. The construction method and cryptographic properties In this section, we give our construction inspired by Dillon’s partial spread function [12] and discuss its main cryptographic properties. First, we recall Dillon’s functions. Dillon’s Construction ([12]). Let n = 2k, F2n ≈ F2k × F2k , g : F2k −→ F2 is a balanced function which vanishes at 0, define f : F2k × F2k → F2 by k f (x, y) = g (xy2 −2 )

then f is bent. In the following construction, we try to consider functions’ resiliency property in addition to algebraic degree, nonlinearity and algebraic immunity. Construction 3.1. Let n = 2k, k ≥ 3 and F2k be the finite field with 2k elements, α be a primitive element of F2k . Set k−1

A = {0, 1, α, α 2 , . . . , α 2 −1 }. We define an n-variable Boolean function f : F2k × F2k → F2 , whose support supp(f ) is constituted by the following four disjoint parts:

• • • •

{(x, y) : y = α i x, x ∈ F∗2k , i = 1, 2, . . . , 2k−1 − 1} {(x, y) : y = x, x ∈ A} {(x, 0) : x ∈ F2k \ A} {(0, y) : y ∈ F2k \ A}.

3.1. 1-resiliency, algebraic degree and nonlinearity Proposition 3.2. Let function f be defined as in Construction 3.1; then f is 1-resilient. Proof. Since w t (f ) = (2k − 1)(2k−1 − 1) + (2k−1 + 1) + (2k−1 − 1) + (2k−1 − 1) = 2n−1 , so f is balanced. We need to verify that Wf (a, b) = 0 for each (a, b) ∈ F2k × F2k satisfying w t (a, b) = 1. In fact, we can prove more. When a, b are not all zero, first note that

(−1)tr (ax+by) =

 (x,y)∈F2k ×F2k



(−1)tr (ax) ·

x∈F k 2



(−1)tr (by) = 0,

y∈F k 2

where tr is the trace function from F2k onto F2 . Then we have

(−1)f (x,y)+tr (ax+by)



Wf (a, b) =

(x,y)∈F2k

= −2

(−1)tr (ax+by) .



(x,y)∈supp(f )

We can see



tr (ax+by)

(−1)

(x,y)∈supp(f )

2k−1 −1

=

  i=1

(−1)tr ((a+bα )x) + i

x∈F∗k 2

   (−1)tr ((a+b)x) + (−1)tr (ax) + (−1)tr (by) . x∈A

x∈F k \A 2

y∈F k \A 2

We consider the Walsh spectra at two kinds of points: 1. a ̸= 0, b = 0, then



(−1)tr (ax+by) = 1 − 2k−1 + 2k − |A| +

(x,y)∈supp(f )



(−1)tr (ax) +

 (−1)tr (ax) ; x∈A

x∈F k \A 2

2. b ̸= 0, a = 0, then



(−1)tr (ax+by) = 1 − 2k−1 + 2k − |A| +

(x,y)∈supp(f )



(−1)tr (by) +

y∈F k \A 2

 (−1)tr (by) . y∈A

Combining with the equality |A| = 2k−1 + 1, it is obvious to see that Wf (a, b) = 0 for ab = 0. Therefore f is 1-resilient.



From Siegenthaler’s inequality[25], we know that for an n-variable, m-th order resilient Boolean function g, it should be satisfied that m + deg (g ) ≤ n − 1. We will see that f in Construction 3.1 is algebraic degree optimal in this sense. Proposition 3.3. Let function f be defined as in Construction 3.1; then deg (f ) = n − 2. Proof. Let g , h : F2k × F2k → F2 be two Boolean functions as defined by supp(g ) = {(x, y) : y = α i x, x ∈ F∗2k , i = 0, 1, . . . , 2k−1 − 1} and by supp(h) = {(0, 0)} ∪ {(x, x) : x ∈ F2k \ A} ∪ {(x, 0) : x ∈ F2k \ A} ∪ {(0, y) : y ∈ F2k \ A}. So f = g + h. Since g is a function in the PS− class, it is a bent function, we know that deg (g ) ≤ k < n − 2 from [23]. To prove

430

Z. Tu, Y. Deng / Discrete Applied Mathematics 160 (2012) 427–435

deg (f ) = n − 2, we only need to prove deg (h) = n − 2. By Lagrange’s interpolation formula, we have k k h(x, y) = (x2 −1 + 1)(y2 −1 + 1) +

 k k ((x + a)2 −1 + 1)((y + a)2 −1 + 1) a̸∈A

 k  k k k ((x + a)2 −1 + 1)(y2 −1 + 1) + (x2 −1 + 1)((y + a)2 −1 + 1). + a̸∈A

a̸∈A

Expanding the terms, we have h(x, y) =

k −1 2 k −1   2  2k − 1   2k − 1 

a̸∈A i=1

i

j=1

j

k k x2 −1−i y2 −1−j ai+j .

k k It is easy to see deg (h) ≤ n − 2. The coefficient of x2 −1−1 y2 −1−1 is

 

2

a =

k−1

1 + α2

2

1+α

a̸∈A

which is obviously nonzero in F2k . Therefore deg (h) = n − 2.



Now we consider the nonlinearity of functions from Construction 3.1. We need a result in [5]. Proposition 3.4 ([5]). Let ω ∈ F∗2n be a primitive element and λ ∈ F2n , denote 2 n −2

(−1)tr (λω ) . i



Sλ =

i=2n−1 −1

If λ ̸= 0, then n

|Sλ | ≤ 2 2 n · ln 2 + 1. k

Proposition 3.5. Let function f be defined as in Construction 3.1; then nl(f ) ≥ 2n−1 − 2k−1 − 3 · k · 2 2 ln 2 − 7. Proof. From the above proof we only need to consider K(a,b) =



(−1)tr (ax+by)

(x,y)∈supp(f )

for (a, b) ∈ F2k × F2k with a · b ̸= 0, and where tr is the trace function from F2k onto F2 . We know that 2k−1 −1

K(a,b) =

  i=1

(−1)tr ((a+bα )x) + i

x∈F∗k



(−1)tr ((a+b)x) +

x∈A

2



x∈F k \A 2

By Proposition 3.4, we know that

     2  k −2     i  tr (ax)  tr (aα )   (−1)  (−1) =   x̸∈A  i=2k−1     2    k k−1 −1   −2   i tr (aα )  tr (aα 2 )   ≤ (−1)  + (−1)  i=2k−1 −1  k

(−1)tr (ax) +

k

≤ (k · 2 2 ln 2 + 1) + 1 = k · 2 2 ln 2 + 2. Similarly, we have

    k  tr (by)   (−1)  ≤ k · 2 2 ln 2 + 2.  y̸∈A  If a + b ̸= 0, we also have

         k   tr ((a+b)x)  tr ((a+b)x)  (−1)  (−1)  = −  ≤ k · 2 2 ln 2 + 2.  x∈A   x̸∈A 

 y∈F k \A 2

(−1)tr (by) .

Z. Tu, Y. Deng / Discrete Applied Mathematics 160 (2012) 427–435

431

Table 1 The nonlinearity of functions in Construction 3.1. n

n

2n−1 − 2 2 −1

nl(f )

6 8 10 12 14 16 18

28 120 496 2016 8128 32640 130816

24 112 484 1996 8100 32588 130760

Now we can obtain an upper bound for |K(a,b) | easily: 1. a + b = 0, then

        tr (ax) tr (by)  K(a,b)  = (2k−1 − 1)(−1) + (2k−1 + 1) + (−1) + (−1)    x̸∈A y̸∈A k

≤ 2 + 2 · (k · 2 2 ln 2 + 2); 2. a + bα i = 0 for some i, 0 < i < 2k−1 , then

       K(a,b)  = (2k − 1) + (−1) · (2k−1 − 2) + (−1)tr ((a+b)x) + (−1)tr (ax)   x∈A x∈F k \A 2     k + (−1)tr (by)  ≤ 2k−1 + 1 + 3 · (k · 2 2 ln 2 + 2);  y∈F k \A 2 3. otherwise

       K(a,b)  = −(2k−1 − 1) + (−1)tr ((a+b)x) + (−1)tr (ax)   x∈A x∈F k \A 2     k (−1)tr (by)  ≤ 2k−1 + 1 + 3 · (k · 2 2 ln 2 + 2). +  y∈F k \A 2 Finally, we get nl(f ) = 2n−1 −

1

max |Wf (a, b)| = 2n−1 − max |K (a, b)| 2 a,b∈F2k a,b∈F∗k 2

k

≥ 2n−1 − 2k−1 − 3 · k · 2 2 ln 2 − 7.  In fact, we can improve this lower bound according to the method in [27]. We use Magma system to compute the nonlinearity of f in Construction 3.1; see Table 1. We can see that the nonlinearity of f is very high and satisfying. 3.2. The algebraic immunity In this section, we discuss the algebraic immunity property of Boolean functions from Construction 3.1. We first recall a combinatorial conjecture proposed in [26]. Conjecture 3.6 ([26]). Assume k ∈ Z, k > 1. For every x ∈ Z, 0 ≤ x ≤ 2k − 1, we expand x as a binary string of length k, and denote the number of one’s in the string by w(x). For any t ∈ Z, 0 < t < 2k − 1, let St = {(a, b)|a, b ∈ Z, 0 ≤ a, b < 2k − 1, a + b = t mod 2k − 1, w(a) + w(b) ≤ k − 1} then |St | ≤ 2k−1 . In fact, the authors designed in [26] an algorithm and validated their conjecture until k ≤ 29. As a cornerstone of the algebraic immunity property of functions in [26], the conjecture has attracted researchers’ attention. The authors in [10,14] tried to attack this problem theoretically and some advances had been made, and they verified that the conjecture is correct for many cases of t. In the remainder of this paper, we always assume that this conjecture is correct.

432

Z. Tu, Y. Deng / Discrete Applied Mathematics 160 (2012) 427–435

In the course of the proof, we need the knowledge of BCH code (see, for example, [17]). For the convenience of the reader, we recall the definition of a BCH code. Theorem 3.7 (The BCH Bound). Let Φ be a cyclic code of length n and with generator polynomial g (x) such that for some integers b ≥ 0, δ ≥ 1 g (α b ) = g (α b+1 ) = · · · = g (α b+δ−2 ) = 0 i.e. the code has a string of δ − 1 consecutive powers of α as zeros, where α is a primitive n-th root of unity, then the minimal distance of Φ is at least δ . This induces the definition of a BCH code. Definition 3.8. A cyclic code of length n over Fq is a BCH code of designed distance δ if, for some integer b ≥ 0, g (x) = lcm{m(b) (x), m(b+1) (x), . . . , m(b+δ−2) (x)} i.e. g (x) is the lowest degree monic polynomial over Fq having α b , α b+1 , . . . , α b+δ−2 as zeros, where m(i) (x) is the minimal polynomial of α i over Fq . We will use the BCH bound repeatedly, for later convenience we introduce the following corollary: Corollary 3.9. Let f (x) be a univariate polynomial over the finite field F2k with deg (f ) ≤ 2k − 2, α be a primitive element of F2k . If f (x) has δ − 1 consecutive roots α s , α s+1 , . . . , α s+δ−2 , in which s is a nonnegative integer, and if f is not the zero polynomial, then the number of nonzero coefficients in f (x) is larger than or equal to δ . k

Proof. Write f (x) = a0 + a1 x +· · ·+ a2k −2 x2 −2 with ai ∈ F2k . From the assumed condition, we know that (a0 , a1 , . . . , a2k −2 ) is a codeword in some BCH code of length 2k − 1 over F2k , having α s , α s+1 , . . . , α s+δ−2 as zeros and with designed distance δ . According to the BCH bound, if this codeword is nonzero, then its weight should be larger than or equal to δ .  First, we show that the algebraic immunity in Construction 3.1 is at least suboptimal. For this we need the following lemma. Lemma 3.10. For every 0 < t < 2k − 1, the modular equation a + b = t mod 2k − 1, w(a) + w(b) = k − 1 has at least one pair of solution. Proof. At first we observe that, if t and t ′ belong to a same cyclotomic coset mod 2k − 1, then the modular equations for t and for t ′ have exactly the same number of solutions. Without loss of generality, we suppose that t has the following form: t = 11  · · · 1 00 · · 1 0 · · 1 0 · · · 0 1 · · 0 · · · 1 · · 0 .  ·  ·    ·  · n1

n2

n3

n2r −1

n4

n2r

In order to prove the lemma, we only need to construct a pair of (a, b) to be a solution. If 0 ≤ a, b < 2k − 1 satisfy a + b = t mod 2k − 1, then w(a) + w(b) = w(t ) + s, in which s represents the number of carries when doing the modular addition. Since w(t ) = n1 + n3 + · · · + n2r −1 and k = n1 + n2 + · · · + n2r −1 + n2r , we have that (a, b) is a required solution if and only if a + b = t mod 2k − 1 and the number of carries is n2 + n4 + · · · + n2r − 1 when doing the modular addition. If n2r > 1, we construct a pair (a, b) as follows: a=1 · · 1 0 1 · · 11 1 · · 1 0 1 · · 11 · · · 1 · · 1 0 1 · 110  ·  ·   ·  ·   ·  · · n 1 −1

n2

n 3 −1

n4

n2r −1 −1

n2r

b=0 · · 0 0 0 · · 01 0 · · 0 0 0 · · 01 · · · 0 · · 0 0 0 · 010 .  ·  ·   ·  ·   ·  · · n 1 −1

n2

n 3 −1

n4

n2r −1 −1

n2r

If n2r = 1, we construct (a, b) as a=1 · · 1 0 1 · · 11 1 · · 1 0 1 · · 11 · · · 1 · · 1 0  ·  ·   ·  ·   · n 1 −1

n2

n 3 −1

n4

n2r −1

b=0 · · 0 0 0 · · 01 0 · · 0 0 0 · · 01 · · · 0 · · 0 0.  ·  ·   ·  ·   · n 1 −1

n2

n 3 −1

n4

n2r −1

It is not difficult to verify that (a, b) is a required solution.



Proposition 3.11. Assume Conjecture 3.6 is correct. Let n = 2k; then the algebraic immunity of function f in Construction 3.1 is at least suboptimal, i.e. AIn (f ) ≥ k − 1.

Z. Tu, Y. Deng / Discrete Applied Mathematics 160 (2012) 427–435

433

Proof. We need to prove that both f , f + 1 have no annihilators with degrees ≤ k − 2. Let h : F2k × F2k → F2 satisfy deg (h) ≤ k − 2 and f · h = 0. We will prove h = 0. Observe that h can be written as a polynomial of two variables on F2k as 2 k −1 2 k −1

h(x, y) =

 i =0

hi,j xi yj ,

j=0

where hi,j ∈ F2k . By deg (h) ≤ k − 2, we have hi,j = 0 with w(i) + w(j) ≥ k − 1. Since h(x, γ x) = 0 for x ∈ F∗2k , γ ∈ ∆ := k−1 −1

{α, α 2 , . . . , α 2

}. Write 2k −2

h(x, γ x) =



hi,j xi (γ x)j = h0,0 +



i,j

ht (γ )xt

t =1

in which 2k −2



ht (γ ) =

h t − j ,j γ j .

j =0

We have h0,0 = 0, ht (γ ) = 0 for 1 ≤ t ≤ 2k − 2, γ ∈ ∆. Since ht has consecutive 2k−1 − 1 roots, by Corollary 3.9, if ht is not the zero polynomial, then the number of nonzero coefficients of ht should be greater than or equal to 2k−1 . Set J = { j | j ∈ Z, 0 ≤ j ≤ 2k − 2, w(t − j)+w(j) ≤ k − 2}. However, by Conjecture 3.6 and Lemma 3.10, we have | J | ≤ 2k−1 − 1. Hence ht = 0 for 1 ≤ t ≤ 2k − 2. So h = 0. Since supp(f + 1) ⊇ {(x, α i x) | x ∈ F∗2k , i = 2k−1 , . . . , 2k − 2}, a similar argument is applicable to f + 1, and we can show that f + 1 has no annihilator of degree ≤ k − 2. Therefore AIn (f ) ≥ k − 1.  In fact, we can analyze the algebraic immunity of the given functions in Construction 3.1 more accurately. We will prove that the functions in Construction 3.1 have optimal algebraic immunity when k is odd under the assumption of the correctness of Conjecture 3.6. For this we need the following lemma. Lemma 3.12. With the notation of Conjecture 3.6. Assume Conjecture 3.6 is correct. Let k be an odd integer. If w(t ) ≤ k−2 1 , then |St | is strictly less than 2k−1 . Proof. The proof is straightforward. If (a, b) ∈ St , then obviously (b, a) ∈ St . Since

w

t  2

+w

t  2

= 2w(t ) ≤ k − 1. Hence if w(t ) ≤

k−1 , 2

t 2

 , 2t is a solution of St if and only if

then |St | must be odd, i.e. |St | is strictly less than 2k−1 .



Proposition 3.13. Assume Conjecture 3.6 is correct. Let n = 2k. If k is odd, then the algebraic immunity of the function f in Construction 3.1 is optimal, i.e. AIn (f ) = k. Proof. Similar to the proof of Proposition 3.11, we need to prove that both f , f + 1 have no annihilators with degrees ≤ k − 1. For the sake of completeness, we repeat appropriate parts of the proof of Proposition 3.11. Let h : F2k × F2k → F2 satisfy deg (h) ≤ k − 1 and f · h = 0. We will prove h = 0. Write 2 k −1 2 k −1

h(x, y) =

 i =0

hi,j xi yj ,

j =0

where hi,j ∈ F2k . By deg (h) ≤ k − 1, we have hi,j = 0 when w(i) + w(j) ≥ k. Since h(x, γ x) = 0 for x ∈ F∗2k , γ ∈ ∆ := k−1 −1

{α, α 2 , . . . , α 2

}. Write 2k −2

h(x, γ x) =



hi,j xi (γ x)j = h0,0 +



i,j

ht (γ )xt

t =1

in which 2k −2

ht (γ ) :=



h t − j ,j γ j .

j =0

We have h0,0 = 0, ht (γ ) = 0 for 1 ≤ t ≤ 2k − 2, γ ∈ ∆. Since ht has consecutive 2k−1 − 1 roots, by Corollary 3.9, if ht is not the zero polynomial, then the number of nonzero coefficients of ht should be greater than or equal to 2k−1 . Set Jt = { j | j ∈ Z, 0 ≤ j ≤ 2k − 2, w(t − j) + w(j) ≤ k − 1}. If w(t ) ≤ k−2 1 , by Lemma 3.12, we have | Jt | < 2k−1 . Hence ht = 0

for w(t ) ≤ k−2 1 . In particular, we have ht ,0 = 0 for w(t ) ≤ k−2 1 . Since h(x, 0) = 0 for x ∈ F2k \ A = {α 2 2 k −2

0 = h0,0 +

 i =1

hi,0 xi := h0 (x).

k−1

, . . . , α2

k −2

}, i.e.

434

Z. Tu, Y. Deng / Discrete Applied Mathematics 160 (2012) 427–435

By Corollary 3.9, if h0 is not the zero polynomial, then the number of nonzero coefficients of h0 should be greater than or (k−1)/2 k  k−1 equal to 2k−1 . Since the number of hi,0 for which 0 ≤ i ≤ 2k − 2 and w(i) ≤ k−2 1 is j=0 = 2 , the number of j nonzero coefficients of h0 is ≤ 2k − 1 − 2k−1 = 2k−1 − 1. So h0 = 0. Hence ht ,0 = 0 for all 1 ≤ t ≤ 2k − 2. Therefore, the number of nonzero coefficients of ht is ≤ 2k−1 − 1. So ht = 0 for all 1 ≤ t ≤ 2k − 2. We have h = 0. Since supp(f + 1) ⊇ {(x, α i x) | x ∈ F∗2k , i = 2k−1 , . . . , 2k − 2}

 k−1 {(x, 0) | x = 1, α, . . . , α 2 −1 },

a similar argument is applicable to f + 1, and we can show that f + 1 has no annihilator of degree ≤ k − 1. Therefore AIn (f ) = k.  For the case of even k, the actual computation by Magma system shows that the functions in Construction 3.1 have optimal algebraic immunity for small k. To deal with this case, we first make some assumption related to Conjecture 3.6. Assumption A. With the notation of Conjecture 3.6. Set T = {t | 1 ≤ t ≤ 2k − 2, |St | = 2k−1 }. Then |T | < 2k−1 . Remark 3.14. By Lemma 3.12, if Conjecture 3.6 is correct, then Assumption A is also true for odd k. For even k, we use the algorithm for validating Conjecture 3.6 in [26] to verify that Assumption A is true for all even k ≤ 29. Proposition 3.15. Assume both Conjecture 3.6 and Assumption A are correct. Let n = 2k. If k is even, then the algebraic immunity of the function f in Construction 3.1 is optimal, i.e. AIn (f ) = k. Proof. Similarly, we need to prove that both f , f + 1 have no annihilators with degrees ≤ k − 1. For the sake of completeness, we repeat appropriate parts of the proof of Proposition 3.11. Let h : F2k × F2k → F2 satisfy deg (h) ≤ k − 1 and f · h = 0. We will prove h = 0. Write 2k −1 2k −1

h(x, y) =

 i=0

hi,j xi yj ,

j =0

where hi,j ∈ F2k . By deg (h) ≤ k − 1, we have hi,j = 0 when w(i) + w(j) ≥ k. Since h(x, γ x) = 0 for x ∈ F∗2k , γ ∈ ∆ :=

{α, α 2 , . . . , α 2

k−1 −1

}. Write 2 k −2

h(x, γ x) =



hi,j x (γ x) = h0,0 + i

j

i,j



ht (γ )xt

t =1

in which 2 k −2

ht (γ ) :=



h t − j ,j γ j .

j=0

We have h0,0 = 0, ht (γ ) = 0 for 1 ≤ t ≤ 2k − 2, γ ∈ ∆. Since ht has consecutive 2k−1 − 1 roots, by Corollary 3.9, if ht is not the zero polynomial, then the number of nonzero coefficients of ht should be greater than or equal to 2k−1 . k−1 −1

Since h(x, x) = 0 for x ∈ {α, α 2 , . . . , α 2

2k −2

}, and h(x, x) = h0,0 +

2k−1 −1

2k −2 t =1

at xt , where at :=



i+j≡t

hi,j =

2k −2 i =0

h i ,t − i ,

we have t =1 at x = 0 for x ∈ {α, α , . . . , α }. Set T1 = {t | 1 ≤ t ≤ 2 − 2, |St | < 2 } and T2 = {t | 1 ≤ t ≤ 2k − 2, |St | = 2k−1 }. By Assumption A, we have |T2 | < 2k−1 . Hence |T1 | = 2k − 1 − |T2 | > 2k−1 − 1, i.e. |T1 | ≥ 2k−1 . For t ∈ T1 , since |St | < 2k−1 , we have ht = 0, hence at = 0. So the number of nonzero at (1 ≤ t ≤ 2k − 2) is at most 2k−1 − 1. By Corollary 3.9, we have at = 0 for all 1 ≤ t ≤ 2k − 2. Thus, since ht (1) = at , we have ht (γ ) = 0 for all 1 ≤ t ≤ 2k − 2 and t

2

k−1 −1

for γ ∈ {1, α, α 2 , . . . , α 2 Since

k

k−1

}. By Conjecture 3.6 and Corollary 3.9, we have ht = 0 for all 1 ≤ t ≤ 2k − 2, hence h = 0.

supp(f + 1) ⊇ {(x, α i x) | x ∈ F∗2k , i = 2k−1 , . . . , 2k − 2}

 k−1 k {(x, x) | x = α 2 , . . . , α 2 −2 },

a similar argument is applicable to f + 1, and we can show that f + 1 has no annihilator of degree ≤ k − 1. Therefore AIn (f ) = k.  4. Conclusion In this paper, we construct an infinite class of 2k-variable Boolean functions, which optimizes most of the cryptographic criteria for designing Boolean functions: 1-resilient, algebraic degree optimal, and very high nonlinearity. Based on the conjecture proposed in [26], it can be proved that the algebraic immunity of our functions is at least suboptimal. Moreover, when k is odd, the algebraic immunity is actually optimal, and for even k, we find that the algebraic immunity is optimal at least for k ≤ 29. We believe that this class of functions are of both theoretical and practical importance.

Z. Tu, Y. Deng / Discrete Applied Mathematics 160 (2012) 427–435

435

Acknowledgments We thank Professor Xiangyong Zeng in Hubei University for his helpful suggestions, and we thank the anonymous referees for their many valuable suggestions on how to improve the presentation of this paper. The work of the first author was supported by the NNSF of China (Grant Nos 11071285 and 61003234). The work of the second author was supported by the NNSF of China (Grant Nos 11071285, 60821002 and 10971250) and 973 Project (2011CB302401). References [1] F. Armknecht, Improving fast algebraic attacks, in: 11th International Workshop on Fast Software Encryption, FSE 2004, in: LNCS, vol. 3017, 2004, pp. 65–82. [2] P. Camion, C. Carlet, P. Charpin, N. Sendrier, On correlation immune functions, in: Advances in Cryptology, Crypto 91, in: LNCS, vol. 576, 1992, pp. 86–100. [3] C. Carlet, On a weakness of the Tu–Deng function and its repair, Cryptology ePrint Archive, Report 2009/606, http://eprint.iacr.org/2009/606. [4] C. Carlet, D.K. Dalai, K.C. Gupta, S. Maitra, Algebraic immunity for cryptographically significant Boolean functions: analysis and construction, IEEE Transactions on Information Theory 52 (2006) 3105–3121. [5] C. Carlet, K. Feng, An infinite class of balanced functions with optimal algebraic immunity, good immunity to fast algebraic attacks and good nonlinearity, in: Advances in Cryptology, Asiacrypt 2008, in: LNCS, vol. 5350, 2008, pp. 425–440. [6] C. Carlet, X. Zeng, C. Li, L. Hu, Further properties of several classes of Boolean functions with optimum algebraic immunity, Designs, Codes and Cryptography 52 (2009) 303–338. [7] S. Chee, S. Lee, D. Lee, S.H. Sung, On the correlation immune functions and their nonlinearity, in: Advances in Cryptology, Asiacrypt 96, in: LNCS, vol. 1163, 1996, pp. 232–243. [8] N.T. Courtois, Fast algebraic attacks on stream ciphers with linear feedback, in: Advances in Cryptology, Crypto 2003, in: LNCS, vol. 2729, 2003, pp. 176–194. [9] N.T. Courtois, W. Meier, Algebraic attacks on stream ciphers with linear feedback, in: Advances in Cryptology, Eurocrypt 2003, in: LNCS, vol. 2656, 2003, pp. 345–359. [10] T.W. Cusick, Y. Li, P. Stănică, On a combinatoric conjecture, Integers 11 (2011) 185–203. [11] D.K. Dalai, S. Maitra, S. Sarkar, Basic theory in construction of Boolean functions with maximum possible annihilator immunity, Designs, Codes and Cryptography 40 (2006) 41–58. [12] J.F. Dillon, Elementary Hadamard Difference Sets, Ph.D. Thesis, University of Maryland, 1974. [13] E. Filiol, C. Fontaine, Highly nonlinear balanced Boolean functions with a good correlation-immunity, in: Advances in Cryptology, Eurocrypt 98, in: LNCS, vol. 1403, 1998, pp. 475–488. [14] J.P. Flori, H. Randriambololona, G. Cohen, S. Mesnager, On a conjecture about binary strings distribution, in: Sequences and their Applications-SETA 2010, LNCS vol. 6338, pp. 346–358. [15] N. Li, W. Qi, Construction and analysis of Boolean functions of 2t + 1 variables with maximum algebraic immunity, in: Advances in Cryptology, Asiacrypt 2006, in: LNCS, vol. 4284, 2006, pp. 84–98. [16] N. Li, L. Qu, W. Qi, G. Feng, C. Li, D. Xie, On the construction of Boolean functions with optimal algebraic immunity, IEEE Transactions on Information Theory 54 (2008) 1330–1334. [17] F.J. MacWilliams, N.J.A. Sloane, The Theory of Error-Correcting Codes, North-Holland, Amsterdam, 1977. [18] S. Maitra, E. Pasalic, Further constructions of resilient Boolean functions with very high nonlinearity, IEEE Transactions on Information Theory 48 (2002) 1825–1834. [19] W. Meier, E. Pasalic, C. Carlet, Algebraic attacks and decomposition of Boolean functions, in: Advances in Cryptology, Eurocrypt 2004, in: LNCS, vol. 3027, 2004, pp. 474–491. [20] E. Pasalic, Almost fully optimized infinite classes of Boolean functions resistant to (fast) algebraic cryptanalysis, in: Information Security and Cryptology-ICISC 2008, in: LNCS, vol. 5461, 2009, pp. 399–414. [21] E. Pasalic, T. Johansson, Further results on the relation between nonlinearity and resiliency of Boolean functions, in: IMA Conference on Cryptography and Coding, in: LNCS, vol. 1746, 1999, pp. 35–45. [22] E. Pasalic, S. Maitra, T. Johansson, P. Sarkar, New constructions of resilient and correlation immune boolean functions achieving upper bound on nonlinearity, in: International Workshop on Coding and Cryptography, in: Electronic Notes in Discrete Mathematics, vol. 6, 2001, pp. 158–167. [23] O.S. Rothaus, On bent functions, J. Combin. Theory 20 (1976) 300–305. [24] P. Sarkar, S. Maitra, Nonlinearity bounds and constructions of resilient Boolean functions, in: Advances in Cryptology, Crypto 2000, in: LNCS, vol. 1880, 2000, pp. 515–532. [25] T. Siegenthaler, Correlation-immunity of nonlinear combining functions for cryptographic applications, IEEE Transactions on Information Theory 30 (1984) 776–780. [26] Z. Tu, Y. Deng, A conjecture about binary strings and its applications on constructing Boolean functions with optimal algebraic immunity, Designs, Codes and Cryptography 60 (2011) 1–14. [27] Q. Wang, J. Peng, H. Kan, X. Xue, Constructions of cryptographiclly significant boolean functions using primitive polynomials, IEEE Transactions on Information Theory 56 (2010) 3048–3053. [28] G. Xiao, J. Massey, A spectral characterization of correlation immune combining functions, IEEE Transactions on Information Theory 34 (1988) 569–571.