Skip to content
BY 4.0 license Open Access Published by De Gruyter January 29, 2021

Using Inclusion / Exclusion to find Bent and Balanced Monomial Rotation Symmetric Functions

  • Elizabeth M. Reid EMAIL logo

Abstract

There are many cryptographic applications of Boolean functions. Recently, research has been done on monomial rotation symmetric (MRS) functions which have useful cryptographic properties. In this paper we use the inclusion/exclusion principle to construct formulas for the weights of two subclasses of MRS functions: degree d short MRS functions and d-functions. From these results we classify bent and balanced functions of these forms.

MSC 2010: 94C10; 94A60; 06E30

1 Introduction

A Boolean function f in n variables is a mapping from the n-dimensional vector space 𝕍n over 𝔽2 to 𝔽2. For i ∈ {1, 2, . . . , n}, the cyclic permutation ρi is defined as ρi(x1, x2, . . . , xn) = (x1+i, x2+i, . . . , xi). We say f is rotation symmetric if f (ρ(x1, . . . , xn)) = f (x1, . . . , xn). Similarly, f is k-rotation symmetric if f (ρk(x1, . . . , xn)) = f (x1, . . . , xn), but f (ρl(x1, . . . , xn)) β‰  f (x1, . . . , xn) for any l ∈ {1, 2, . . . , k βˆ’ 1}. Cryptographic applications of rotation symmetric functions can be found in [2]. In this paper we consider monomial rotation symmetric (MRS) functions: rotation symmetric functions that are constructed by summing the powers of ρ on a single monomial. Extending this idea further, a k-MRS function is constructed by summing the powers of ρk on a single monomial. For example, f (x1, x2, x3) = x1x2 + x2x3 + x3x1 is a MRS function in 3 variables with generating monomial x1x2, while g(x1, x2, x3, x4, x5, x6) = x1x2x3 + x3x4x5 + x5x6x1 is a 2-MRS function in 6 variables with generating monomial x1x2x3. Recent work on 2-MRS functions can be found in [4]. There has been a focus on these types of functions because their structure allows for less storage space and faster computation. We say that the degree of a monomial is the number of variables in the monomial. The degree of a function f is the maximum degree of any monomial of f. If every monomial of f is the same degree then f is homogeneous and if the degree of f is 1 we say f is affine. Additionally, f is defined to be linear if it is both homogeneous and affine.

Let v0 = (0, 0, . . . , 0), v1 = (0, 0, . . . , 1), . . ., v2nβˆ’1 = (1, 1, . . . , 1) be the 2n vectors in 𝕍n listed in lexicographical order. Then the truth table of f is defined as the 2n-tuple given by (f (v0), f (v1), . . . , f (v2nβˆ’1)). For example, the truth table for f (x1, x2, x3) = x1x2 + x2x3 + x3x1 is (0, 0, 0, 1, 0, 1, 1, 1). The weight of f, denoted by wt(f), is the number of 1's in the truth table for f. The distance between two functions f and g, denoted by d(f, g), is defined as d(f, g) = wt(f βŠ• g). The nonlinearity of a function f, denoted by NL(f), is the minimum distance between f and any affine function.

A function of n variables is called balanced if its weight is exactly 2nβˆ’1. Since the weight is exactly 2nβˆ’1, balanced functions are resistant to correlation attacks. Intuitively, a function f is called bent if it is as nonlinear as possible, making bent functions resistant to linear cryptanalysis. Due to their structure, balanced and bent functions have applications in cryptography and coding theory. Some of these applications can be found in [2]. For a MRS function f we say that it is short if f has fewer than n monomials. Note that for a rotation symmetric function of degree greater than 1, if each variable appears exactly once then the function is short. Let d|n and k=nd . We say f is a d-function if f (x1, . . . , xn) = x1x2 . . . xd + xd+1xd+2 . . . x2d + Β· Β· Β· + x(kβˆ’1)d+1 . . . xn. Note that if f is a d-function then deg(f) = d and f is a d-MRS function. In this paper we consider short monomial rotation symmetric functions and d-functions. We develop formulas for the weight of such functions and use these results to find bent and balanced functions of these forms.

2 Bent and Balanced short MRS functions

In this section we construct a formula for the weight of short MRS functions and determine which are bent or balanced. The following lemmas are well known results and are included here for reference.

Lemma 1

Let f be a Boolean function. f is bent if and only if the nonlinearity of f is 2nβˆ’1βˆ’2n2βˆ’1 . Also if f is bent, then wt(f)=2nβˆ’1Β±2n2βˆ’1 .

Remark 2

Lemma 3 and Lemma 4 are Theorem 4 and Lemma 5 in [3].

Lemma 3

Every Boolean function f of degree 2 is affinely equivalent to one of the following three types: If f is balanced, it is equivalent to

x1x2+x3x4+…+x2kβˆ’1x2k+x2k+1

for some k≀nβˆ’12 .

If f is not balanced, it is equivalent to

x1x2+x3x4+…+x2kβˆ’1x2k+b

for some k≀n2 and b ∈ GF(2). If wt(f) < 2nβˆ’1 then b = 0. If wt(f) > 2nβˆ’1 then b = 1.

Lemma 4

Let

h(x)=βˆ‘i=1kx2iβˆ’1x2i+βˆ‘i=2k+1naixi

be an n-variable function for k≀n2 . Then

NL(h)=2nβˆ’1βˆ’2nβˆ’kβˆ’1.

If all the linear terms vanish then its weight is the same as the nonlinearity; otherwise it is balanced.

Remark 5

The following theorem is well known. A proof can be found in [2].

Theorem 6

Let n be an even integer and m=n2 . Then

f0(x1,…,xn)=βˆ‘i=1mxixm+i

is a rotation symmetric bent function.

Lemma 7

Let g1, . . . , gk be arbitrary Boolean functions in n variables. Then

wt(βˆ‘i=1kgi)=βˆ‘i=1kwt(gi)βˆ’2βˆ‘i(1),i(2)wt(gi(1)gi(2))+…+ (βˆ’2)rβˆ’1βˆ‘i(1),…,i(r)wt(gi(1)…gi(r))+…+ (βˆ’2)kβˆ’1wt(g1…gk),

where we use the notation

βˆ‘i(1),…,i(r)wt(gi(1)…gi(r))

to denote summing over the weights of all possible products consisting of r Boolean functions from g1, . . . , gk.

Proof

This follows from induction on k, the number of Boolean functions, with the base case that for two Boolean functions g1 and g2, wt(g1 + g2) = wt(g1) + wt(g2) βˆ’ 2wt(g1g2).

Theorem 8

Let x = (x1, . . . , xn) and

f(x)=βˆ‘i=1kxixi+k…xi+(dβˆ’1)k

where d = deg(f) and k=nd . Then

wt(f(x))=βˆ‘i=1k(βˆ’2)iβˆ’1(ki)2nβˆ’id.

Proof

Define Ai(x) = xixi+k . . . xi+(dβˆ’1)k for 1 ≀ i ≀ k. Then

f(x)=βˆ‘i=1kAi.

By Lemma 7,

wt(f)=wt(βˆ‘i=1kAi)=βˆ‘i=1kwt(Ai)βˆ’2βˆ‘i(1),i(2)wt(Ai(1)Ai(2))+…+ (βˆ’2)rβˆ’1βˆ‘i(1),…,i(r)wt(Ai(1)…Ai(r))+…+ (βˆ’2)kβˆ’1wt(Ai(1)…Ai(k)),

where

βˆ‘i(1),…,i(r)wt(Ai(1)…Ai(r))

is defined as in Lemma 7.

Since each Ai has a disjoint set of variables, wt(Ai(1) . . . Ai(r)) = 2nβˆ’rd. Note that βˆ‘i(1),…,i(r)1=(kr) . Thus

βˆ‘i(1),…,i(r)wt(Ai(1)…Ai(r))=(ki)2nβˆ’rd.

Therefore

wt(f(x))=βˆ‘i=1k(βˆ’2)iβˆ’1(ki)2nβˆ’id.

Example 9

Consider f (x) = f (x1, . . . , x6) = x1x4 + x2x5 + x3x6. So n = 6, d = 2, and k = 3. By our formula above,

wt(f(x))=βˆ‘i=13(βˆ’2)iβˆ’1(31)26βˆ’2i=28.

Let A1(x) = x1x4, A2(x) = x2x5, and A3(x) = x3x6. Note that when i = 1 in our formula above, we have (31)24=48 . This represents the number of x so that AΞ±(x) = 1 for 1 ≀ Ξ± ≀ 3.

{x:A1(x)=1}={(100100),(100101),(100110),(100111),(101100),(101101),(101110),(101111),(110100),(110101),(110110),(110111),(111100),(111101),(111110),(111111)}β†’16

{x:A2(x)=1}={(010010),(010011),(010110),(010111),(011010),(011011),(011110),(011111),(110010),(110011),(110110),(110111),(111010),(111011),(111110),(111111)}β†’16

{x:A3(x)=1}={(001001),(001011),(001101),(001111),(011001),(011011),(011101),(011111),(101001),(101011),(101101),(101111),(111001),(111011),(111101),(111111)}β†’16

Note that in the sets of x above we have many duplicates. We also have included x from both {x : AΞ±(x) = 1} and {x : AΞ²(x) = 1} so that AΞ±(x) = 1 and AΞ²(x) = 1, where 1 ≀ Ξ±, Ξ² ≀ 3 and Ξ± β‰  Ξ². To correct for overcounting, we remove two times the number of x where AΞ±(x) = 1 and AΞ²(x) = 1. Note that when i = 2 from our formula above we have βˆ’2(32)22=βˆ’24 . This represents that we are removing two times the number of x so that AΞ±(x) = 1 and AΞ²(x) = 1, where 1 ≀ Ξ±, Ξ² ≀ 3 and Ξ± β‰  Ξ².

{x:A1(x)=1 and A2(x)=1}={(110110),(110111),(111110),(111111)}β†’4

{x:A1(x)=1 and A3(x)=1}={(101101),(101111),(111101),(111111)}β†’4

{x:A2(x)=1 and A3(x)=1}={(011011),(011111),(111011),(111111)}β†’4

So far we have counted x so that AΞ±(x) = 1, where 1 ≀ Ξ± ≀ 3, and removed x so that AΞ±(x) = 1 and AΞ²(x) = 1, where 1 ≀ Ξ±, Ξ² ≀ 3 and Ξ± β‰  Ξ². However we still need to make sure that we have x so that A1(x) = 1, A2(x) = 1, and A3(x) = 1. Note that {x : A1(x) = 1, A2(x) = 1, and A3(x) = 1} = {(111111)}. From our first step, we counted x = (111111) for each {x : AΞ±(x) = 1}, giving us 3. From our second step, we subtracted twice x = (111111) for each {x : AΞ±(x) = 1 and AΞ²(x) = 1}, giving us βˆ’2(3) = βˆ’6. Thus so far we have counted 3 βˆ’ 6 = βˆ’3 of x = (111111).

Note that when i = 3 from our formula above we have (βˆ’2)2(33)20=4 . This represents that we are adding four times the sum of the number of x so that A1(x) = 1, A2(x) = 1 and A3(x) = 1. Hence we are adding back 4 more (111111). Therefore we have counted 3 βˆ’ 6 + 4 = 1 of x = (111111), as desired.

Therefore the 48 βˆ’ 24 + 4 = 28 from our formula above is the number of x so that f (x) = 1. Thus wt(f (x)) = 28.

Remark 10

f(x)=βˆ‘i=1kxixi+k…xi+(dβˆ’1)k

where d = deg(f) and k=nd is a short function.

Corollary 11

Let x = (x1, . . . , xn) and

f(x)=βˆ‘i=1kxixi+k…xi+(dβˆ’1)k

where d = deg(f) and k=nd . Then

f(x)=x1+…+xn

is the only balanced function of this form.

Proof

By Theorem 8 it follows that

wt(f(x))=βˆ‘i=1k(βˆ’1)iβˆ’12iβˆ’1(ki)2nβˆ’id=2nβˆ’1(1βˆ’(2βˆ’d(2dβˆ’2))k).

Setting

2nβˆ’1(1βˆ’(2βˆ’d(2dβˆ’2))k)=2nβˆ’1

and solving for d, we see that d = 1. Hence k=nd=n1=n and so the only balanced function of the form above is f (x) = x1 + Β· Β· Β· + xn.

Corollary 12

Let x = (x1, . . . , xn) and

f(x)=βˆ‘i=1kxixi+k…xi+(dβˆ’1)k

where d = deg(f) and k=nd . Then

f(x)=x1xn2+1+…+xn2xn

is the only bent function of this form.

Proof

By Theorem 8 it follows that

wt(f(x))=βˆ‘i=1k(βˆ’1)iβˆ’12iβˆ’1(ki)2nβˆ’id=2nβˆ’1βˆ’2βˆ’1(2dβˆ’2)nd.

By the contrapositive of Lemma 1, if wt(f)β‰ 2nβˆ’1Β±2n2βˆ’1 then f is not bent. So we will only consider functions of the form above where wt(f)=2nβˆ’1Β±2n2βˆ’1 . Setting

2nβˆ’1βˆ’2βˆ’1(2dβˆ’2)nd=2nβˆ’1Β±2n2βˆ’1

and solving for d we see that d = 2. Hence k=nd=n2 and so the only function of the form above where wt(f)=2nβˆ’1Β±2n2βˆ’1 is f(x)=x1xn2+1+…+xn2xn . By Theorem 6, f(x)=x1xn2+1+…+xn2xn is bent.

Lemma 13

Let x = (x1, . . . , xn) and f (x) be a monomial rotation symmetric short function with disjoint variables and deg(f) β‰  2. Then

wt(f(x))β‰ 2nβˆ’1Β±2n2.

Proof

By Corollary 2.5 in [1],

wt(f)=2nβˆ’1βˆ’2ndβˆ’1(2dβˆ’1βˆ’1)nd.

Note that

2nβˆ’1βˆ’2ndβˆ’1(2dβˆ’1βˆ’1)nd=2nβˆ’1Β±2n2

if and only if d = 2. Hence if deg(f) β‰  2 then

wt(f(x))β‰ 2nβˆ’1Β±2n2.

Remark 14

Since every bent function has weight 2nβˆ’1Β±2n2βˆ’1 there are no bent monomial rotation symmetric short functions with disjoint variables of degree β‰  2.

Corollary 15

Let x = (x1, . . . , xn). Then

f(x)=x1xn2+1+…+xn2xn

is the only short bent monomial rotation symmetric function with disjoint variables.

Proof

Corollary 15 follows directly from Corollary 12 and Lemma 13.

3 Bent and Balanced d-functions

In this section we look at the weights of d-functions and determine whether or not they are bent or balanced.

Remark 16

Note that, up to a permutation of the variables,

f(x)=βˆ‘i=1kxixi+k…xi+(dβˆ’1)k

is equivalent to

g(x)=βˆ‘i=1kxd(iβˆ’1)+1xd(iβˆ’1)+2…xd(iβˆ’1)+d,

where d = deg(f) and k=nd , since each monomial in f and g is degree d and every variable appears exactly once in both functions. Therefore the results in this section follow directly from the results in the previous section.

Theorem 17

Let x = (x1, . . . , xn) and

g(x)=βˆ‘i=1kxd(iβˆ’1)+1xd(iβˆ’1)+2…xd(iβˆ’1)+d

where d = deg(g) and k=nd . Then

wt(g(x))=βˆ‘i=1k(βˆ’2)iβˆ’1(ki)2nβˆ’id.

Corollary 18

Let x = (x1, . . . , xn) and

g(x)=βˆ‘i=1kxd(iβˆ’1)+1xd(iβˆ’1)+2…xd(iβˆ’1)+d

where d = deg(g) and k=nd . Then

g(x)=x1+…+xn

is the only balanced function of this form.

Corollary 19

Let x = (x1, . . . , xn) and

g(x)=βˆ‘i=1kxd(iβˆ’1)+1xd(iβˆ’1)+2…xd(iβˆ’1)+d

where d = deg(g) and k=nd . Then

g(x)=x1x2+x3x4+…+xnβˆ’1xn

is the only bent function of this form.

4 Discussion / Conclusion

In this paper we constructed formulas for the weights of short MRS functions and d-functions by using the inclusion / exclusion principle. We used these results to determine which functions of those forms are bent or balanced. Next, it would be interesting to use the techniques demonstrated in this paper to develop formulas for weights of other rotation symmetric functions to potentially classify additional functions with cryptographic applications.

Acknowledgement

I would like to thank Thomas Cusick for his support and advice throughout this process.

  1. Author's Statement:

    There are no potential financial, personal, or professional conflics regarding the publication of this article.

  2. Biography:

    Elizabeth Reid earned her Ph.D. in Mathematics at the University at Buffalo. She is currently an Assistant Professor of Mathematics in the School of Computer Science and Mathematics at Marist College in Poughkeepsie, NY. Her research interests include Number Theory, Cryptography, and Combinatorics.

References

[1] T. W. Cusick and D. Padgett, A recursive formula for weights of Boolean rotation symmetric functions, Discrete Appl. Math. 160 (2011), 391–397.10.1016/j.dam.2011.11.006Search in Google Scholar

[2] T.W. Cusick and P. Stănică, Cryptographic Boolean Functions and Applications, 2nd ed., London: Academic Press (2017).10.1016/B978-0-12-811129-1.00005-5Search in Google Scholar

[3] H. Kim, S-M. Park, and S. G. Hahn, On the weight and nonlinearity of homogeneous rotation symmetric Boolean functions of degree 2, Discr. Appl. Math. 157 (2009), 428–432.10.1016/j.dam.2008.06.022Search in Google Scholar

[4] E. M. Reid and T. W. Cusick, Affine equivalence classes of 2-rotation symmetric cubic Boolean functions, Int. J. Comput. Math.: Computer Systems Theory 3:3 (2018), 145–159.10.1080/23799927.2018.1499496Search in Google Scholar

Received: 2020-05-20
Accepted: 2020-12-10
Published Online: 2021-01-29

Β© 2021 Elizabeth M. Reid, published by De Gruyter

This work is licensed under the Creative Commons Attribution 4.0 International License.

Downloaded on 1.3.2024 from https://www.degruyter.com/document/doi/10.1515/jmc-2020-0021/html
Scroll to top button