Table Of Content(cid:13)c deGruyter2009
J.Math.Crypt. 3 (2009),1–18 DOI10.1515/JMC.2009.xxx
On a conjecture for balanced symmetric Boolean functions
ThomasW.Cusick, YuanLi and PantelimonSta˘nica˘
Communicatedbyxxx
Abstract.WegivesomeresultstowardstheconjecturethatX(2t,2t+1(cid:96)−1)aretheonlynonlinear
balancedelementarysymmetricpolynomialsoverGF(2), wheretand(cid:96)areanypositiveintegers
(cid:80)
andX(d,n)= x x ···x .
1≤i1<i2<···<id≤n i1 i2 id
Keywords.Cryptography,balancedness,symmetry,Booleanfunctions.
AMSclassification.06E30,05A10,11B65,94C10.
Balancedness is sometimes required for Boolean functions, since we often desire
our cryptographic primitives to be unbiased in output. Symmetry is also often re-
quired[2,3],andnaturally,onewouldaskwhenthetwofeatureswillintersect. In[5],
weconjecturedthatthepolynomialsX(2t,2t+1(cid:96)−1)aretheonlynonlinearbalanced
(cid:88)
elementarysymmetricpolynomials,whereX(d,n)= x ···x .
i1 id
1≤i1<···<id≤n
Inthepresentpaperwegivesomeresultstowardsthisconjecture. Infact,weprove
theconjectureformanycasesoftheparametersinvolved,buttherearesomecasesstill
open(whichwillbementionedexplicitlylaterinRemark3.19).
1 Preliminaries
Throughout, x = (x ,...,x ) and ⊕ is the addition modulo 2. If f: GF(2)n −→
1 n
GF(2), then f can be uniquely expressed in the following form, called the algebraic
normalform(ANF):
(cid:77)
f(x1,x2,...,xn)= ak1k2...knx1k1x2k2···xnkn,
k1,k2,...,kn∈GF(2)
whereeachcoefficienta isaconstantinGF(2).
k1k2...kn
The function f(x) is called an affine function if f(x) = a x ⊕···⊕a x ⊕a .
1 1 n n 0
If a = 0, f(x) is also called a linear function. We will denote by F the set of
0 n
all functions of n variables and by L the set of affine ones. We will call a function
n
nonlinearifitisnotinL . Letwt(a)denotetheHammingweightofavectorawith
n
entries0or1. Thefunctionf(x)iscalledsymmetricifanypermutationofthex leaves
i
thevalueofthefunctionunchanged.
ResearchofthethirdauthorwaspartiallysupportedbytheNavalPostgraduateSchoolRIPfunding.
Report Documentation Page Form Approved
OMB No. 0704-0188
Public reporting burden for the collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, searching existing data sources, gathering and
maintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information,
including suggestions for reducing this burden, to Washington Headquarters Services, Directorate for Information Operations and Reports, 1215 Jefferson Davis Highway, Suite 1204, Arlington
VA 22202-4302. Respondents should be aware that notwithstanding any other provision of law, no person shall be subject to a penalty for failing to comply with a collection of information if it
does not display a currently valid OMB control number.
1. REPORT DATE 3. DATES COVERED
2009 2. REPORT TYPE 00-00-2009 to 00-00-2009
4. TITLE AND SUBTITLE 5a. CONTRACT NUMBER
On a conjecture for balanced symmetric Boolean functions
5b. GRANT NUMBER
5c. PROGRAM ELEMENT NUMBER
6. AUTHOR(S) 5d. PROJECT NUMBER
5e. TASK NUMBER
5f. WORK UNIT NUMBER
7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES) 8. PERFORMING ORGANIZATION
Naval Postgraduate School,Department of Applied REPORT NUMBER
Mathematics,Monterey,CA,93943
9. SPONSORING/MONITORING AGENCY NAME(S) AND ADDRESS(ES) 10. SPONSOR/MONITOR’S ACRONYM(S)
11. SPONSOR/MONITOR’S REPORT
NUMBER(S)
12. DISTRIBUTION/AVAILABILITY STATEMENT
Approved for public release; distribution unlimited
13. SUPPLEMENTARY NOTES
14. ABSTRACT
We give some results towards the conjecture that X(2t; 2t+1‘ �� 1) are the only nonlinear
balanced elementary symmetric polynomials over GF(2), where t and ‘ are any positive integers and X(d;
n) = P 1i1<i2< <idn xi1xi2 xid .
15. SUBJECT TERMS
16. SECURITY CLASSIFICATION OF: 17. LIMITATION OF 18. NUMBER 19a. NAME OF
ABSTRACT OF PAGES RESPONSIBLE PERSON
a. REPORT b. ABSTRACT c. THIS PAGE Same as 18
unclassified unclassified unclassified Report (SAR)
Standard Form 298 (Rev. 8-98)
Prescribed by ANSI Std Z39-18
2 ThomasW.Cusick, YuanLi and PantelimonSta˘nica˘
2 Thebalancednessofelementarysymmetricpolynomialsover
GF(2)
Definition 2.1.For integers n and d, 1 ≤ d ≤ n we define the elementary symmetric
polynomialby
(cid:88)
X(d,n)= x x ···x . (2.1)
i1 i2 id
1≤i1<i2<···<id≤n
We summarize here some of the results proven in [5]. We let C(n,k) denote the
binomialcoefficient(recallthatifn<k,thenC(n,k)=0).
Theorem2.2.TheelementarysymmetricpolynomialX(d,n)isbalancedifandonlyif
(cid:80) C(n,j)(−1)C(j,d) =0.IfX(d,n)isbalanced,thend≤(cid:100)n/2(cid:101). Furthermore,
0≤j≤n
ift,(cid:96)arepositiveintegers,thenX(2t,2t+1(cid:96)−1)isbalanced.
Weconjectured[5]thatthefunctionsinTheorem2.2aretheonlybalancedones.
Conjecture 1. There are no nonlinear balanced elementary symmetric polynomials
exceptforX(2t,2t+1(cid:96)−1),wheretand(cid:96)areanypositiveintegers.
3 TheResults
TheremainderofthepaperwillbedevotedtothestudyofConjecture1andprovingit
forvariousvaluesoftheparameterst,(cid:96). ABooleanfunctionf(x)innvariablesissaid
to satisfy the Strict Avalanche Criterion (“is SAC” for short) if changing any one of
thenbitsintheinputxresultsintheoutputofthefunctionbeingchangedforexactly
half of the 2n vectors x with the changed input bit. The SAC concept is relevant for
ourworkbecauseof
Lemma 3.1.The function f(x) = X(d,n) is SAC if and only if X(d−1,n−1) is
balanced.
Proof. By definition, f is SAC if and only if f(x)⊕f(x⊕a) is balanced for all a ∈
GF(2)n, with wt(a) = 1. We have f(x)⊕f(x⊕(0,...,0,1)) = X(d−1,n−1), so
thelemmaisproved. (cid:50)
Bydefinitionanysymmetricfunctioniscompletelydeterminedbytheweightofits
input,sowecandefinev (i)for0≤i≤nbyf(x)=v (wt(x)). Moreover,recallthe
f f
usualalgebraicnormalform(ANF)ofaBooleanfunctionf innvariables
n n
f(x ,...,x )=(cid:77)λ (i) (cid:77) (cid:89)xuj,
1 n f j
i=0 u,wt(u)=ij=1
(cid:77) (cid:77)
where v (i) = λ (j), and λ (i) = v (j), over GF(2) (j (cid:22) i means that the
f f f f
j(cid:22)i j(cid:22)i
binary expansion of j is less than the binary expansion of i, in lexicographical order)
(see[3,Propositions1and2,p. 2792]).
OnaconjectureforbalancedsymmetricBooleanfunctions 3
TheANFofasymmetricfunctionbecomes
n
(cid:77)
f(x ,...,x )= λ (d)X(d,n), (3.1)
1 n f
d=0
inournotations. Further,whenf isanelementarysymmetricfunction,thenλ (d)=1
f
istheonlynonzerocoefficientintherepresentation(3.1). Moreover,
(cid:40)
v (i)=(cid:77)λ (j)= λf(d), if d(cid:22)i (3.2)
f f
0, otherwise.
j(cid:22)i
Weneedthefollowingfurtherlemmas. WedefinethewellknownWalshtransform
W (w)by
f
(cid:88)
W (w)= (−1)f(x)+x·w.
f
x∈GF(2)n
Lemma3.2.ABooleanfunctionf innvariablesisSACifandonlyifforeveryvector
uwithwt(u)=1andeveryvectorv,wehave
(cid:88)
W (w⊕v)2 =2wt(u¯)+n.
f
w(cid:22)u¯
Proof. ThisisaspecialcaseofProposition1ofCarlet[4,p. 35]. (cid:50)
Lemma3.3.Iff(x)innvariablesisSAC,then
(cid:88) (cid:88)
W (w)2 = W (w)2 =22n−1. (3.3)
f f
w:wn=0 w:wn=1
Proof. WeuseLemma3.2withv = 0andu = (0,...,0,1). Itfollowsthatwt(u¯) =
n−1,sothefirstsumin(3.3)equals22n−1. Thetwosumsaddupto22n byParseval’s
Theorem,sothesecondsumisalso22n−1. (cid:50)
Lemma3.4.Iff(x)=X(d,n)isSACanddisodd,then
W (0)=2n−2wt(f) andW (1)=2wt(f). (3.4)
f f
Proof. Thefirstequationin(3.4)isclearforanyf,whetherornotdisodd.
Forthesecondequation,weobservethatby(3.2)ourhypothesesimplythatv (k)=
f
0forallevenk. Since
n
(cid:88)
Wf(0)= (−1)vf(k)C(n,k)and
k=0
n
(cid:88)
Wf(1)= (−1)vf(k)+kC(n,k),
k=0
acomputationgives
W (0)+W (1)=2n.
f f
Nowthesecondequationin(3.4)followsfromthefirstone. (cid:50)
4 ThomasW.Cusick, YuanLi and PantelimonSta˘nica˘
Wedefine
A=0,0,1,1; A¯ =1,1,0,0; B =0,1,0,1;B¯ =1,0,1,0;
(3.5)
C =0,1,1,0; C¯ =1,0,0,1; D =0,0,0,0;D¯ =1,1,1,1.
ThenexttwolemmasareusedintheproofofourTheorem3.8.
Lemma3.5.(FolkloreLemma[1,Lemma3.7.2])Anyaffinefunctionf onnvariables,
n ≥ 2, is a linear string of length 2n made up of 4-bit blocks I ,...,I given as
1 2n−2
follows:
1. ThefirstblockI isoneofA,B,C,D,A¯,B¯,C¯ orD¯.
1
2. ThesecondblockI isI orI¯ .
2 1 1
3. ThenexttwoblocksI ,I areI ,I orI¯ ,I¯ .
3 4 1 2 1 2
····································
n−1. The2n−3 blocksI ,...,I areI ,...,I orI¯ ,...,I¯ .
2n−3+1 2n−2 1 2n−3 1 2n−3
(cid:88)
Lemma3.6.Wehave (−1)x·w =0forallw(cid:54)=0or1.
x,wt(x)even
Proof. LetE(w)denotethe2n−1-vectorofbitsx·w (mod 2),wherexrunsthrough
then-vectorsxofevenweightinlexicographicalorder. ThusE(w)liststheexponents
in the sum in the lemma. Consider the 2n−1 by n array of the vectors x with even
weight, taken in lexicographical order. By the Folklore Lemma, each column in this
array is a 2n−1-vector which gives the truth table of a nonconstant linear function in
n − 1 variables. In fact, taking the columns left to right, the functions are simply
x ,x ,...,x ,x ⊕x ⊕···⊕x . Thevectorsumofanysubsetofatleastoneand
1 2 n−1 1 2 n−1
atmostn−1ofthencolumns(correspondingtow(cid:54)=0or1)isthusthetruthtableof
anonconstantlinearfunctionandsoitisbalanced. EachvectorE(w)isoneofthese
vectorsums,sothesuminthelemmais0. (cid:50)
Remark3.7.ThesuminLemma3.6isthesumoftheKrawtchoukpolynomials[9,pp.
130and150–153](variabley =wt(w))
k
(cid:88) (cid:88)
P (y,n) = (−1)x·w = (−1)jC(y,j)C(n−y,k−j)
k
x,wt(x)=k j=0
ofevendegreekiny.
Theorem 3.8.If f(x) = X(d,n) has odd degree d, then W (w) = −W (w¯) for all
f f
w(cid:54)=0or1.
OnaconjectureforbalancedsymmetricBooleanfunctions 5
Proof. Let f be an elementary symmetric function of degree d, that is f = X(d,n).
WecomputetheWalshtransform
(cid:88) (cid:88)
W (w)= (−1)f(x)+x·w = (−1)f(x)+x·(1+w)
f
x∈GF(2)n x∈GF(2)n
n
(cid:88) (cid:88) (cid:88)
= (−1)f(x)+wt(x)+x·w = (−1)f(x)+wt(x)+x·w
(3.6)
x∈GF(2)n k=0 x,wt(x)=k
n
(cid:88) (cid:88)
= (−1)vf(k)+k (−1)x·w.
k=0 x,wt(x)=k
Next, we use (3.2). Since d is odd, then any integer i with d (cid:22) i has to be odd, as
well. Itfollowsthatv (k)=0,foranyevenintegerk. Thus,(3.6)becomes
f
n
W (w) = (cid:88)(−1)vf(k)+k (cid:88) (−1)x·w
f
k=0 x,wt(x)=k
n n
= (cid:88) (−1)vf(k) (cid:88) (−1)x·w− (cid:88) (−1)vf(k) (cid:88) (−1)x·w
k=0,even x,wt(x)=k k=0,odd x,wt(x)=k
n
= (cid:88) (−1)x·w− (cid:88) (−1)vf(k) (cid:88) (−1)x·w.
x,wt(x)=even k=0,odd x,wt(x)=k
Since
n n
W (w) = (cid:88) (−1)vf(k) (cid:88) (−1)x·w+ (cid:88) (−1)vf(k) (cid:88) (−1)x·w
f
k=0,even x,wt(x)=k k=0,odd x,wt(x)=k
n
= (cid:88) (−1)x·w+ (cid:88) (−1)vf(k) (cid:88) (−1)x·w,
x,wt(x)=even k=0,odd x,wt(x)=k
toproveTheorem3.8itwillsufficetoshowthat
(cid:88)
(−1)x·w =0,
x,wt(x)=even
aslongasw(cid:54)=0,1,andthatfollowsfromLemma3.6. (cid:50)
Theorem3.9.Iff(x)=X(d,n)isSACanddisodd,thenW (0)=W (1).
f f
Proof. ByTheorem3.8,allofthetermsexceptW (0)2 andW (1)2 inthetwosums
f f
in (3.3) cancel out (for all other w, W (w) is in one sum and W (w¯) is in the other
f f
sum). ByLemma3.4,bothsquarerootsarepositiveandwegetTheorem3.9. (cid:50)
Corollary3.10.Ifdisoddandf(x)=X(d,n)isSAC,thenwt(f)=2n−2.
NowwedeterminewhenX(d,n)isSAC.Todealwiththecasewhendisaneven
integer,byLemma3.1,itisenoughtoshow:
6 ThomasW.Cusick, YuanLi and PantelimonSta˘nica˘
Lemma3.11.Ifd>1isodd,thenX(d,n)isnotbalanced.
Proof. Formula(3.2)showsthatwhenf = X(d,n)wehavev (i) = 1ifandonlyif
f
d(cid:22)i. Thuswehave
(cid:88) (cid:88)
wt(X(d,n))= C(n,i)≤ C(n,i)=2n−1, (3.7)
d(cid:22)i,i≤n iodd
where the inequality holds because d (cid:22) i and d odd implies i is odd. If d > 1, then
d(cid:22)icannotholdforalloddi≤n(inparticular,d(cid:54)(cid:22)d−2),sotheinequalityin(3.7)
isstrict. Therefore,X(d,n)isnotbalanced. (cid:50)
Lemma3.12.Supposed>1isodd. If
d=2t+1andn=2t+1(cid:96)forintegerst>0,(cid:96)>0, (3.8)
thenwt(X(d,n))=2n−2.
Proof. Firstweobserve
(cid:88)
wt(X(d,n))= C(n,i) (3.9)
d(cid:22)i,i≤n
becauseof(3.2),whichshowsthatwhenf =X(d,n)wehavev (i)=1ifandonlyif
f
d(cid:22)i. By(3.9),weneedtoshowthat
(cid:88)
wt(X(d,n))= C(n,i)=2n−2 (3.10)
d(cid:22)i,i≤n
ifandonlyif(3.8)holds. If(3.8)holds,thesumin(3.10)is
(cid:88) C(2t+1(cid:96),i)
2t+1(cid:22)i,i≤2t+1(cid:96)
= (cid:88) (cid:16)C(2t+1(cid:96)−1,i)+C(2t+1(cid:96)−1,i−1)(cid:17)
2t+1(cid:22)i,i≤2t+1(cid:96)
= (cid:88) (cid:16)C(2t+1(cid:96)−1,i)+C(2t+1(cid:96)−1,i−1)(cid:17)
2t(cid:22)i−1,i−1≤2t+1(cid:96)−1
= (cid:88) C(2t+1(cid:96)−1,j)=2n−2,
2t(cid:22)j,j≤2t+1(cid:96)−1
(noteiisnevereveninthefirstthreesums,sincethen2t+1(cid:22)iisfalse;thisjustifies
the second last equality, since in the last sum j runs through disjoint pairs of consec-
utive integers) where the last sum is wt(X(2t,2t+1(cid:96)−1) by (3.9) and so is 2n−2 by
Theorem2.2. Thuswehaveprovedthat(3.8)implies(3.10). (cid:50)
We would like to prove the converse of the previous lemma. The following work
moves toward that goal, but does not achieve it. Next, we prove five lemmas, which
establishmanycasesoftheconverseofLemma3.12.
OnaconjectureforbalancedsymmetricBooleanfunctions 7
Lemma 3.13.Let n = 2t+1(cid:96) for some strictly positive integers t,(cid:96). If j is odd and
2t+1<j <2t+1+1,thenwt(X(j,n))<2n−2.
Proof. The argument of the previous lemma shows that if (3.8) and (3.10) hold for
somegiventand(cid:96),thentheset
S(t,(cid:96))={i: 2t+1(cid:22)i, i≤2t+1(cid:96)=n}
gives a set of binomial coefficients {C(n,i) : i ∈ S(t,(cid:96))} whose sum is 2n−2. (It is
easytoseethatS(t,(cid:96))hasn/4elements,butwedonotneedthisfact.) Nowsuppose
that(3.10)holdsforn = 2t+1(cid:96)andforsomeoddd = j,say,satisfying2t+1 < j <
2t+1+1. Thenwt(j)>2,sotheset
T(j,n)={i: j (cid:22)i, i≤2t+1(cid:96)=n}
isapropersubsetofS(t,(cid:96)). Thereforethesumofthebinomialcoefficientsin{C(n,i):
i∈T(j,n)}is<2n−2,contradictingourassumptionthat(3.10)holdswithd=j. (cid:50)
Since we refer to it often, we include here for completeness an equation given by
Canteaut and Videau in [3] (these sums are called lacunary sums of binomial coeffi-
cients, see [8]). Results like this concerning the binomial coefficients are very old.
Someproofsandreferencesaregivenin[7].
Lemma3.14.Forpositiveintegersi,n,p,wehave
A2p(i)= (cid:88) C(n,j)
n
0≤j≤n
j≡i (mod2p)
(3.11)
2p(cid:88)−1−1(cid:18) (cid:18)jπ(cid:19)(cid:19)n (cid:18)j(n−2i)π(cid:19)
=2n−p+21−p 2cos cos
2p 2p
j=1
Lemma3.15.Lett,rbepositiveintegers. Supposethata >a ≥a ≥···≥a ,with
1 3 5 J
J =2K+1,arenonnegativeintegers. Definethesum
(cid:18) (cid:19)
(cid:88) jrπ
T= a sin .
j 2t+1
1≤j≤J
IfT=0,thenr ≡0 (mod 2t+1).
Proof. Write b = a , for j = 2k +1. For convenience, let α = rπ . Then, using
k j 2t+1
Abel’ssummationformula,Tbecomes
K
(cid:88)
T = b sin((2k+1)α)
k
k=0
K−1 m K
(cid:88) (cid:88) (cid:88)
= (b −b ) sin((2k+1)α)+b sin((2k+1)α).
m m+1 K
m=0 k=0 k=0
8 ThomasW.Cusick, YuanLi and PantelimonSta˘nica˘
Note that for the first term where m = 0, we have (b − b )sinα (cid:54)= 0, if r (cid:54)= 0
0 1
(mod 2t+1). Also, (b −b ) ≥ 0, and b ≥ 0. The conclusion follows once we
m m+1 K
showthat
m
(cid:88)
sinα and sin((2k+1)α)
k=0
havethesamesign. Indeed
m m
(cid:88) 1(cid:88)
sinα sin((2k+1)α) = (cos(2kα)−cos((2k+2)α)
2
k=0 k=0
1
= (1−cos((2m+2)α)≥0.
2
Thelemmaisproved. (cid:50)
Remark3.16.NotethatTabovehasthesamesignassinα.
BecauseofTheorem2.2,thereisnolossofgeneralityintakingn≥2(d−1)inour
nextlemma.
Lemma3.17.Letr,tbepositiveintegers,d=2t+1,n=2t+1,andr (cid:54)≡0 (mod 2t+1).
Thenwt(X(d,n+r))(cid:54)=2n+r−2.
Proof. Let d := 1 + 2t be fixed. Now, using Pascal’s identity, we get that S :=
wt(X(d,n+r))satisfies
(cid:88) (cid:88)
S = C(n+r,i)= (C(n+r−1,i)+C(n+r−1,i−1))
d(cid:22)i≤n+r d(cid:22)i≤n+r
(cid:88) (cid:88)
= C(n+r−1,i)+ C(n+r−1,j)
d(cid:22)i≤n+r−1 2t(cid:22)j≤n+r−1
jeven
(cid:88) (cid:88)
= C(n+r−2,i)+ (C(n+r−1,j)+C(n+r−2,j)).
d(cid:22)i≤n+r−2 2t(cid:22)j≤n+r−1
jeven
OnaconjectureforbalancedsymmetricBooleanfunctions 9
Continuinginthismanner,weobtain
r
(cid:88) (cid:88) (cid:88)
S = C(2t+1,i)+ C(n+r−k,j)
d(cid:22)i≤n+r−r 2t(cid:22)j≤n+r−1k=1
jeven
r
(cid:88) (cid:88)
= 2n−2+ C(n+r−k,j)
2t(cid:22)j≤n+r−1k=1
jeven
r
(cid:88) (cid:88)
= 2n−2+ C(n+r−k,j)
k=12t(cid:22)j≤n+r−1
jeven
r 2t−1−1
(cid:88) (cid:88) (cid:88)
= 2n−2+ C(n+r−k,j).
k=1 s=0 j≡2s+2t (mod2t+1)
0≤j≤n+r−1
Wepushfurtherthepreviousidentity,bycomputingtheinnermostsum. So,
(cid:88) C(n+r−k,j)=A2t+1(2s+2t)
N
j≡2s+2t (mod2t+1)
0≤j≤n+r−1
inthenotationsofLemma3.14,whereN := n+r−k. Thus,usingequation(3.11),
weobtain
A2t+1(2s+2t)=2n+r−k−t−1+2−t2(cid:88)t−1(cid:16)2cos aπ (cid:17)Ncosa(N −4s−2t+1)π.
N 2t+1 2t+1
a=1
Since
a(N −4s−2t+1)π a(N −4s)π
cos =(−1)acos ,
2t+1 2t+1
weget
A2t+1(2s+2t)=2n+r−k−t−1+2−t2(cid:88)t−1(−1)a(cid:16)2cos aπ (cid:17)Ncosa(N −4s)π
N 2t+1 2t+1
a=1
