Bent function

The four 2-ary Boolean functions with Hamming weight 1 are bent; i.e., their nonlinearity is 1 (these Hadamard matrices show the Hamming distance to each of the eight linear and affine functions).

The following formula shows that a 2-ary function is bent when its nonlinearity is 1:

${\displaystyle 2^{2-1}-2^{{\frac {2}{2}}-1}=2-1=1}$

The Boolean function ${\displaystyle x_{1}x_{2}\oplus x_{3}x_{4}}$ is bent; i.e., its nonlinearity is 6 (which is what these Hadamard Matrices show).

The following formula shows that a 4-ary function is bent when its nonlinearity is 6:

${\displaystyle 2^{4-1}-2^{{\frac {4}{2}}-1}=8-2=6}$

In the mathematical field of combinatorics, a bent function is a Boolean function that is maximally non-linear; it is as different as possible from the set of all linear and affine functions when measured by Hamming distance between truth tables. Concretely, this means the maximum correlation between the output of the function and a linear function is minimal. In addition, the derivatives of a bent function are balanced Boolean functions, so for any change in the input variables there is a 50 percent chance that the output value will change.

The maximal nonlinearity means approximating a bent function by an affine (linear) function is hard, a useful property in the defence against linear cryptanalysis. In addition, detecting a change in the output of the function yields no information about what change occurred in the inputs, making the function immune to differential cryptanalysis.

Bent functions were defined and named in the 1960s by Oscar Rothaus in research not published until 1976. ^[1] They have been extensively studied for their applications in cryptography, but have also been applied to spread spectrum, coding theory, and combinatorial design. The definition can be extended in several ways, leading to different classes of generalized bent functions that share many of the useful properties of the original.

It is known that V. A. Eliseev and O. P. Stepchenkov studied bent functions, which they called minimal functions, in the USSR in 1962. ^[2] However, their results have still not been declassified.

Bent functions are also known as perfectly nonlinear (PN) Boolean functions. Certain functions that are as close as possible to perfect nonlinearity (e.g. for functions of an odd number of bits, or vectorial functions) are known as almost perfectly nonlinear (APN). ^[3]

Walsh transform

Bent functions are defined in terms of the Walsh transform. The Walsh transform of a Boolean function ${\displaystyle f:\mathbb {Z} _{2}^{n}\to \mathbb {Z} _{2}}$ is the function ${\displaystyle {\hat {f}}:\mathbb {Z} _{2}^{n}\to \mathbb {Z} }$ given by

${\displaystyle {\hat {f}}(a)=\sum _{\scriptstyle {x\in \mathbb {Z} _{2}^{n}}}(-1)^{f(x)+a\cdot x},}$

where a · x = a₁x₁ + a₂x₂ + … + a_nx_n (mod 2) is the dot product in Zⁿ
₂. ^[4] Alternatively, let S₀(a) = { x ∈ Zⁿ
₂ : f(x) = a · x } and S₁(a) = { x ∈ Zⁿ
₂ : f(x) ≠ a · x }. Then |S₀(a)| + |S₁(a)| = 2ⁿ and hence

${\displaystyle {\hat {f}}(a)=\left|S_{0}(a)\right|-\left|S_{1}(a)\right|=2\left|S_{0}(a)\right|-2^{n}.}$

For any Boolean function f and a ∈ Zⁿ
₂, the transform lies in the range

${\displaystyle -2^{n}\leq {\hat {f}}(a)\leq 2^{n}.}$

Moreover, the linear function f₀(x) = a · x and the affine function f₁(x) = a · x + 1 correspond to the two extreme cases, since

${\displaystyle {\hat {f}}_{0}(a)=2^{n},~{\hat {f}}_{1}(a)=-2^{n}.}$

Thus, for each a ∈ Zⁿ
₂ the value of ${\displaystyle {\hat {f}}(a)}$ characterizes where the function f(x) lies in the range from f₀(x) to f₁(x).

Definition and properties

Rothaus defined a bent function as a Boolean function ${\displaystyle f:\mathbb {Z} _{2}^{n}\to \mathbb {Z} _{2}}$ whose Walsh transform has constant absolute value. Bent functions are in a sense equidistant from all the affine functions, so they are equally hard to approximate with any affine function.

The simplest examples of bent functions, written in algebraic normal form, are F(x₁, x₂) = x₁x₂ and G(x₁, x₂, x₃, x₄) = x₁x₂ ⊕ x₃x₄. This pattern continues: x₁x₂ ⊕ x₃x₄ ⊕ … ⊕ x_n−1x_n is a bent function ${\displaystyle \mathbb {Z} _{2}^{n}\to \mathbb {Z} _{2}}$ for every even n, but there is a wide variety of other bent functions as n increases. ^[5] The sequence of values (−1)^f(x), with x ∈ Zⁿ
₂ taken in lexicographical order, is called a bent sequence; bent functions and bent sequences have equivalent properties. In this ±1 form, the Walsh transform is easily computed as

${\displaystyle {\hat {f}}(a)=W\left(2^{n}\right)(-1)^{f(a)},}$

where W(2ⁿ) is the natural-ordered Walsh matrix and the sequence is treated as a column vector. ^[6]

Rothaus proved that bent functions exist only for even n, and that for a bent function f, ${\displaystyle \left|{\hat {f}}(a)\right|=2^{n/2}}$ for all a ∈ Zⁿ
₂. ^[4] In fact, ${\displaystyle {\hat {f}}(a)=2^{n/2}(-1)^{g(a)}}$, where g is also bent. In this case, ${\displaystyle {\hat {g}}(a)=2^{n/2}(-1)^{f(a)}}$, so f and g are considered dual functions. ^[6]

Every bent function has a Hamming weight (number of times it takes the value 1) of 2ⁿ⁻¹ ± 2^n/2−1, and in fact agrees with any affine function at one of those two numbers of points. So the nonlinearity of f (minimum number of times it equals any affine function) is 2ⁿ⁻¹ − 2^n/2−1, the maximum possible. Conversely, any Boolean function with nonlinearity 2ⁿ⁻¹ − 2^n/2−1 is bent. ^[4] The degree of f in algebraic normal form (called the nonlinear order of f) is at most ⁠n/2⁠ (for n > 2). ^[5]

Although bent functions are vanishingly rare among Boolean functions of many variables, they come in many different kinds. There has been detailed research into special classes of bent functions, such as the homogeneous ones ^[7] or those arising from a monomial over a finite field, ^[8] but so far the bent functions have defied all attempts at a complete enumeration or classification.

Constructions

There are several types of constructions for bent functions. ^[2]

• Combinatorial constructions: iterative constructions, Maiorana–McFarland construction, partial spreads, Dillon's and Dobbertin's bent functions, minterm bent functions, bent iterative functions
• Algebraic constructions: monomial bent functions with exponents of Gold, Dillon, Kasami, Canteaut–Leander and Canteaut–Charpin–Kuyreghyan; Niho bent functions, etc.

Applications

As early as 1982 it was discovered that maximum length sequences based on bent functions have cross-correlation and autocorrelation properties rivalling those of the Gold codes and Kasami codes for use in CDMA. ^[9] These sequences have several applications in spread spectrum techniques.

The properties of bent functions are naturally of interest in modern digital cryptography, which seeks to obscure relationships between input and output. By 1988 Forré recognized that the Walsh transform of a function can be used to show that it satisfies the strict avalanche criterion (SAC) and higher-order generalizations, and recommended this tool to select candidates for good S-boxes achieving near-perfect diffusion. ^[10] Indeed, the functions satisfying the SAC to the highest possible order are always bent. ^[11] Furthermore, the bent functions are as far as possible from having what are called linear structures, nonzero vectors a such that f(x + a) + f(x) is a constant. In the language of differential cryptanalysis (introduced after this property was discovered) the derivative of a bent function f at every nonzero point a (that is, f_a(x) = f(x + a) + f(x)) is a balanced Boolean function, taking on each value exactly half of the time. This property is called perfect nonlinearity. ^[5]

Given such good diffusion properties, apparently perfect resistance to differential cryptanalysis, and resistance by definition to linear cryptanalysis, bent functions might at first seem the ideal choice for secure cryptographic functions such as S-boxes. Their fatal flaw is that they fail to be balanced. In particular, an invertible S-box cannot be constructed directly from bent functions, and a stream cipher using a bent combining function is vulnerable to a correlation attack. Instead, one might start with a bent function and randomly complement appropriate values until the result is balanced. The modified function still has high nonlinearity, and as such functions are very rare the process should be much faster than a brute-force search. ^[5] But functions produced in this way may lose other desirable properties, even failing to satisfy the SAC – so careful testing is necessary. ^[11] A number of cryptographers have worked on techniques for generating balanced functions that preserve as many of the good cryptographic qualities of bent functions as possible. ^{[12] [13] [14]}

Some of this theoretical research has been incorporated into real cryptographic algorithms. The CAST design procedure, used by Carlisle Adams and Stafford Tavares to construct the S-boxes for the block ciphers CAST-128 and CAST-256, makes use of bent functions. ^[14] The cryptographic hash function HAVAL uses Boolean functions built from representatives of all four of the equivalence classes of bent functions on six variables. ^[15] The stream cipher Grain uses an NLFSR whose nonlinear feedback polynomial is, by design, the sum of a bent function and a linear function. ^[16]

Generalizations

More than 25 different generalizations of bent functions are described in Tokareva's 2015 monograph. ^[2] There are algebraic generalizations (q-valued bent functions, p-ary bent functions, bent functions over a finite field, generalized Boolean bent functions of Schmidt, bent functions from a finite Abelian group into the set of complex numbers on the unit circle, bent functions from a finite Abelian group into a finite Abelian group, non-Abelian bent functions, vectorial G-bent functions, multidimensional bent functions on a finite Abelian group), combinatorial generalizations (symmetric bent functions, homogeneous bent functions, rotation symmetric bent functions, normal bent functions, self-dual and anti-self-dual bent functions, partially defined bent functions, plateaued functions, Z-bent functions and quantum bent functions) and cryptographic generalizations (semi-bent functions, balanced bent functions, partially bent functions, hyper-bent functions, bent functions of higher order, k-bent functions).

The most common class of generalized bent functions is the mod m type, ${\displaystyle f:\mathbb {Z} _{m}^{n}\to \mathbb {Z} _{m}}$ such that

${\displaystyle {\hat {f}}(a)=\sum _{x\in \mathbb {Z} _{m}^{n}}e^{{\frac {2\pi i}{m}}(f(x)-a\cdot x)}}$

has constant absolute value m^n/2. Perfect nonlinear functions ${\displaystyle f:\mathbb {Z} _{m}^{n}\to \mathbb {Z} _{m}}$, those such that for all nonzero a, f(x + a) − f(a) takes on each value mⁿ⁻¹ times, are generalized bent. If m is prime, the converse is true. In most cases only prime m are considered. For odd prime m, there are generalized bent functions for every positive n, even and odd. They have many of the same good cryptographic properties as the binary bent functions. ^{[17] [18]}

Semi-bent functions are an odd-order counterpart to bent functions. A semi-bent function is ${\displaystyle f:\mathbb {Z} _{m}^{n}\to \mathbb {Z} _{m}}$ with n odd, such that ${\displaystyle \left|{\hat {f}}\right|}$ takes only the values 0 and m^(n+1)/2. They also have good cryptographic characteristics, and some of them are balanced, taking on all possible values equally often. ^[19]

The partially bent functions form a large class defined by a condition on the Walsh transform and autocorrelation functions. All affine and bent functions are partially bent. This is in turn a proper subclass of the plateaued functions. ^[20]

The idea behind the hyper-bent functions is to maximize the minimum distance to all Boolean functions coming from bijective monomials on the finite field GF(2ⁿ), not just the affine functions. For these functions this distance is constant, which may make them resistant to an interpolation attack.

Other related names have been given to cryptographically important classes of functions ${\displaystyle f:\mathbb {Z} _{2}^{n}\to \mathbb {Z} _{2}^{n}}$, such as almost bent functions and crooked functions. While not bent functions themselves (these are not even Boolean functions), they are closely related to the bent functions and have good nonlinearity properties.

See also

• Correlation immunity

References

1. O. S. Rothaus (May 1976). "On "Bent" Functions". Journal of Combinatorial Theory, Series A. 20 (3): 300–305. doi: 10.1016/0097-3165(76)90024-8 . ISSN   0097-3165.
2. N. Tokareva (2015). Bent functions: results and applications to cryptography. Academic Press. ISBN   9780128023181.
3. Blondeau; Nyberg (2015-03-01). "Perfect nonlinear functions and cryptography". Finite Fields and Their Applications. 32: 120–147. doi: 10.1016/j.ffa.2014.10.007 . ISSN   1071-5797.
4. C. Qu; J. Seberry; T. Xia (29 December 2001). "Boolean Functions in Cryptography" . Retrieved 14 September 2009.
5. W. Meier; O. Staffelbach (April 1989). Nonlinearity Criteria for Cryptographic Functions. Eurocrypt '89. pp. 549–562.
6. C. Carlet; L.E. Danielsen; M.G. Parker; P. Solé (19 May 2008). Self Dual Bent Functions (PDF). Fourth International Workshop on Boolean Functions: Cryptography and Applications (BFCA '08). Retrieved 21 September 2009.
7. T. Xia; J. Seberry; J. Pieprzyk; C. Charnes (June 2004). "Homogeneous bent functions of degree n in 2n variables do not exist for n > 3". Discrete Applied Mathematics. 142 (1–3): 127–132. doi: 10.1016/j.dam.2004.02.006 . ISSN   0166-218X . Retrieved 21 September 2009.
8. A. Canteaut; P. Charpin; G. Kyureghyan (January 2008). "A new class of monomial bent functions" (PDF). Finite Fields and Their Applications. 14 (1): 221–241. doi:10.1016/j.ffa.2007.02.004. ISSN   1071-5797. Archived from the original (PDF) on 21 July 2011. Retrieved 21 September 2009.
9. J. Olsen; R. Scholtz; L. Welch (November 1982). "Bent-Function Sequences". IEEE Transactions on Information Theory . IT-28 (6): 858–864. doi:10.1109/tit.1982.1056589. ISSN   0018-9448. Archived from the original on 22 July 2011. Retrieved 24 September 2009.
10. R. Forré (August 1988). The Strict Avalanche Criterion: Spectral Properties of Boolean Functions and an Extended Definition. CRYPTO '88. pp. 450–468.
11. C. Adams; S. Tavares (January 1990). The Use of Bent Sequences to Achieve Higher-Order Strict Avalanche Criterion in S-box Design. Technical Report TR 90-013. Queen's University. CiteSeerX   10.1.1.41.8374 .
12. K. Nyberg (April 1991). Perfect nonlinear S-boxes. Eurocrypt '91. pp. 378–386.
13. J. Seberry; X. Zhang (December 1992). Highly Nonlinear 0–1 Balanced Boolean Functions Satisfying Strict Avalanche Criterion. AUSCRYPT '92. pp. 143–155. CiteSeerX   10.1.1.57.4992 .
14. C. Adams (November 1997). "Constructing Symmetric Ciphers Using the CAST Design Procedure". Designs, Codes and Cryptography. 12 (3): 283–316. doi:10.1023/A:1008229029587. ISSN   0925-1022. S2CID   14365543. Archived from the original on 26 October 2008. Retrieved 20 September 2009.
15. Y. Zheng; J. Pieprzyk; J. Seberry (December 1992). HAVAL – a one-way hashing algorithm with variable length of output. AUSCRYPT '92. pp. 83–104. Retrieved 20 June 2015.
16. Hell, Martin; Johansson, Thomas; Maximov, Alexander; Meier, Willi (2006). "A Stream Cipher Proposal: Grain-128" (PDF). Proceedings 2006 IEEE International Symposium on Information Theory, ISIT 2006, The Westin Seattle, Seattle, Washington, USA, July 9–14, 2006. IEEE. pp. 1614–1618. doi:10.1109/ISIT.2006.261549. ISBN   1-4244-0505-X.
17. K. Nyberg (May 1990). Constructions of bent functions and difference sets. Eurocrypt '90. pp. 151–160.
18. Shashi Kant Pandey; B.K. Dass (September 2017). "On Walsh Spectrum of Cryptographic Boolean Function". Defence Science Journal. 67 (5): 536–541. doi:10.14429/dsj.67.10638. ISSN   0011-748X.
19. K. Khoo; G. Gong; D. Stinson (February 2006). "A new characterization of semi-bent and bent functions on finite fields" (PostScript). Designs, Codes and Cryptography. 38 (2): 279–295. CiteSeerX   10.1.1.10.6303 . doi:10.1007/s10623-005-6345-x. ISSN   0925-1022. S2CID   10572850 . Retrieved 24 September 2009.
20. Y. Zheng; X. Zhang (November 1999). Plateaued Functions. Second International Conference on Information and Communication Security (ICICS '99). pp. 284–300. Retrieved 24 September 2009.

Further reading

• C. Carlet (May 1993). Two New Classes of Bent Functions. Eurocrypt '93. pp. 77–101.
• J. Seberry; X. Zhang (March 1994). "Constructions of Bent Functions from Two Known Bent Functions". Australasian Journal of Combinatorics. 9: 21–35. CiteSeerX   10.1.1.55.531 . ISSN   1034-4942.
• Colbourn, Charles J.; Dinitz, Jeffrey H. (2006). Handbook of Combinatorial Designs (2nd ed.). CRC Press. pp.  337–339. ISBN   978-1-58488-506-1.
• Cusick, T.W.; Stanica, P. (2009). Cryptographic Boolean Functions and Applications. Academic Press. ISBN   9780123748904.