A new characterization of group action-based perfect nonlinearity

(1)

Contents lists available atScienceDirect

Discrete Applied Mathematics

journal homepage:www.elsevier.com/locate/dam

A new characterization of group action-based perfect nonlinearity

Laurent Poinsot

^∗

Laboratoire d’Informatique de l’Université Paris-Nord, UMR CNRS 7030, Institut Galilée, Avenue J. B. Clément, 93430 Villetaneuse, France

a r t i c l e i n f o

Article history:

Received 7 February 2006

Received in revised form 15 January 2009 Accepted 7 February 2009

Available online 5 March 2009 Keywords:

Bent functions Perfect nonlinearity Finite Abelian groups Group actions G-perfect nonlinearity Hermitian spaces

a b s t r a c t

The left-regular multiplication is explicitly embedded in the notion of perfect nonlinearity.

But there exist many other group actions. By replacing translations by another group action the new concept of group action-based perfect nonlinearity has been introduced. In this paper we show that this generalized concept of nonlinearity is actually equivalent to a new bentness notion that deals with functions defined on a finite Abelian groupGthat acts on a finite setXand with values in the finite-dimensional vector space of complex-valued functions defined onX.

1. Introduction

The DES cryptosystem seems to be vulnerable to a differential attack [1] unless the system is designed so that the difference of outputs from the S-boxes is ‘‘balanced’’ by using highly nonlinear Boolean functions. Among these functions, perfect nonlinear ones [6] have been adopted by the designers of the AES. This well-known cryptographic concept hides the assumption that the internal operation considered is the modulo-2 sum. But there are many other possible choices to operate on bit strings, other group actions on the Abelian 2-groupZ^m2. Then the notion of perfect nonlinearity can naturally be extended by using other group actions. Actually if we consider two finite Abelian groupsGandHsuch thatGacts on a finite nonempty setX, a functionf

:

X

→

His calledG-perfect nonlinear [9,10] if for all nonzero

α ∈

Gthe ‘‘difference’’

(also called ‘‘derivative’’ seeDefinition 15)x

7→

f

(α ·

x

) −

f

(

^x

)

^{, where}

α ·

xis the action of

α

^on^x

∈

X, is balanced, or in other words, its values are uniformly distributed overH. So this is exactly the notion of perfect nonlinearity in the finite Abelian group setting where individual translations

β 7→ α + β

have been substituted by the ‘‘actions’’x

7→ α ·

x.

In the traditional setting, perfect nonlinearity is closely related to bent functions [4,5,12]: a function

φ :

G

→

_Cis called bent if the magnitude of its discrete Fourier transform is a constant equal to

|

G

|

, the cardinality of the (finite Abelian) groupG. In this paper we present a very natural way to extend this definition by consideringH-valued rather thanC-valued functions (defined onG) whereHis a Hermitian space,i.e., a finite-dimensional complex vector space equipped with an inner-product: such a function

φ

^{is called}Hermitian bentif the square of the norm (that comes from the inner-product) of the vector inHcorresponding to the Fourier transform of each component functions of

φ

is a constant equal to

|

G

|

. In other words, we replace the complex modulus by the norm ofHwith respect to its inner-product.

Finally we show thatG-perfect nonlinearity can be characterized in terms of Hermitian bentness for a particular vector spaceH. More formally we prove that a functionf

:

X

→

HisG-perfect nonlinear (whereGacts onX) if and only if for all nontrivial character

χ

^of^{H, the map}

φ(χ ◦

f

) :

G

→

_C

[

X

]

, whereC

[

X

]

is the vector space ofC-valued functions defined on X, which is defined for

α ∈

Gbyx

7→ χ ◦

f

(α ·

x

) ∈

_C

[

X

]

, is Hermitian bent.

∗Tel.: +33 4 94 14 25 66; fax: +33 1 48 26 07 12.

E-mail address:[email protected].

doi:10.1016/j.dam.2009.02.001

(2)

2. Bentness and perfect nonlinearity: The classical approach

The concept of bentness was originally and independently introduced by Dillon [4] and Rothaus [12]. A functionf

:

_Z^m₂

→

Z2isbentif for all nonzero

α

ⁱⁿZ^m2,

X

x∈_Z^m₂

( −

1

)

^f⁽^x⁾^⊕^α^·^x

= ±

2^m² (1)

where ‘‘

⊕

’’ denotes the modulo-2 sum and ‘‘

·

’’ the dot-product ofZ^m2.

Allowing groups to be more general than the simple Abelian 2-groups, Logachev et al., [5] generalized this notion. In order to understand it, we need to recall the theory of characters and the definition of the (discrete) Fourier transform.

By convention, whenGis an additive (resp. multiplicative) group, its identity element is denoted by 0_G(resp. 1_G). The neutral element for the multiplication law of a unitary ringAis also denoted by 1_A.

LetGbe a finite Abelian group. ThecharactersofGare the group homomorphisms fromGto the unit circleSof the complex fieldC. When equipped with the point-wise multiplication of functions, the set of all charactersbGis a group isomorphic to Gitself. In the remainder of this contribution, we always suppose some isomorphism fromGtobGto be fixed and we denote by

χ

G^αthe image of

α ∈

GinbGby this isomorphism.

Now let

φ :

G

→

_C. ItsFourier transformis the mapb

φ

^{defined as} b

φ :

G

→

_C

α 7→

X

x∈G

φ(

^x

)χ

G^α

(

^x

).

⁽²⁾

Definition 1. LetGbe a finite Abelian group. A function

φ :

G

→

_Sis called bent (with respect to the theory of Logachev et al.) if for all nonzero

α ∈

G,

|b φ(α) |

²

= |

G

|

(3)

where

|

z

|

denotes the complex modulus ofz

∈

_Cand

|

G

|

is the cardinality ofG.

In what follows, we use the convenient notationG^∗to denote the set of all nonidentity elements of a groupG.

This notion of bentness is closely related to the concept of perfect nonlinearity introduced by Nyberg [6].

Definition 2. LetGandH be two finite groups (respectively in multiplicative and additive representations). A function f

:

G

→

His perfect nonlinear if for all

α ∈

G^∗and for all

β ∈

H,

|{

x

∈

X

|

f

(α

^x

) −

f

(

^x

) = β }| = |

_G

|

H

| .

⁽⁴⁾

Recently, Carlet et al., [2] and Pott [11] discovered a characterization of bentness in the Abelian groups setting in terms of bent functions that generalizes a classical result of Dillon.

Theorem 3.Let G and H be two finite Abelian groups. A map f

:

G

→

H is perfect nonlinear if and only if for all

β ∈

H^∗, the map

χ

H^β

◦

f

:

G

→

_Sis bent.

3. Bentness and perfect nonlinearity: The group actions approach

Embedded in the definition of perfect nonlinearity is the left-regular action of a groupGon itself by multiplication. This kind of operation is a particular instance of group actions. So it is possible to refine the notion of perfect nonlinearity (and, by duality through the Fourier transform, of bentness) as it has been already done in [9,10].

LetGbe a group andX a nonempty set. Agroup actionofGonXis a group homomorphismΦ^from^G^to^S

(

^X

)

^{, the} symmetric group ofX. It is calledfaithfulwhenΦis an injective map. Instead of writing ‘‘Φ

(α)(

^x

)

^{’’ for}

(α,

^x

) ∈

G

×

X, we use the convenient notation ‘‘

α ·

x’’.

The action ofGon itself by translation (or multiplication) is the group action used in the definitions of perfect nonlinearity and bentness (by duality). But one can naturally replace it by any group action.

Definition 4. Let G be a finite group acting faithfully on a finite nonempty set X and H a finite group in additive representation. A functionf

:

X

→

His calledG-perfect nonlinear if for all

α ∈

G^∗and for all

β ∈

H,

|{

x

∈

X

|

f

(α ·

x

) −

f

(

^x

) = β }| = |

X

|

H

| .

⁽⁵⁾

(3)

If the group action is not faithful then there exists at least one

α ∈

G^∗such that for allx

∈

X,

α ·

x

=

xand then no function fromXtoHcan beG-perfect nonlinear (except in some trivial cases:GorHis the trivial group

{

0

}

).

In [9,10], we show the following characterization ofG-perfect nonlinearity.

Theorem 5. Let G and H be two finite Abelian groups. Suppose that G acts faithfully on a finite nonempty set X . A map f

:

X

→

H is G-perfect nonlinear if and only if for all

β ∈

H^∗and for all

α ∈

G,

1

|

X

|

X

x∈X

| (χ

^\H^β

◦

f₍_x₎

)(α) |

²

= |

G

|

(6)

where for each x

∈

X , we have f₍_x₎

:

G

→

H

α 7→

f

(α ·

x

).

⁽⁷⁾

Now let us introduce the concept ofG-bentness.

Definition 6. LetGbe a finite Abelian group acting faithfully on a finite nonempty setX. Let

φ :

X

→

_S. The map

φ

^{is called} G-bent if for all

α ∈

G^∗,

1

|

X

|

X

x∈X

|d φ

(x)

(α) |

²

= |

G

|

(8)

with for eachx

∈

X,

φ

(x)

:

G

→

_S

α 7→ φ(α ·

x

).

⁽⁹⁾

Informally, according to this definition, we can say that a map isG-bent if the sequence of functions

{ φ

(x)

}

_x_∈_XfromGtoSis bent in average over allx

∈

X.

Then using the notion ofG-bentness, we can rewriteTheorem 5in a form similar toTheorem 3.

Theorem 7. Let G and H be two finite Abelian groups. Suppose that G acts faithfully on a finite nonempty set X . A map f

:

X

→

H is G-perfect nonlinear if and only if for all

β ∈

H^∗, the map

χ

H^β

◦

f

:

X

→

_Sis G-bent.

Note that in [3,7], we have proved the existence of aG-perfect nonlinear functionf

:

X

→

Hsuch that there exists at least onex₀

∈

Xfor whichf₍_x₀₎

:

G

→

His not classical perfect nonlinear: we usedH

=

_Z₂,G

=

_Z^m₂ andX

=

_Z^2m₂ ⁺ⁿwhere mandnare both odd numbers andGacts by translations on the firstmcopies ofZ2inXand trivially on the otherm

+

n copies; due to the chosen parameters, no (classical) bent functions can exist fromGorXtoZ2(for more details see in [3] the

‘‘hyperplane construction’’ theorem 4.5, corollary 4.6 and the discussion which follows). It ensures the fact that the group action-based and the traditional versions of perfect nonlinearity are different.

In this paper, we present a second characterization ofG-perfect nonlinearity in terms of a new concept calledHermitian bentness.

4. Hermitian bentness

4.1. Component-wise Fourier transform

In this fourth section,Gis a finite Abelian group (in a multiplicative representation) andHis a finite-dimensional complex vector space equipped with any inner-product

h ., . i

_H(linear in the first variable and anti-linear in the second variable), i.e., His a Hermitian space. Its dimension overCas a vector space is denoted by dim_C

(

^H

)

^{. The}^norm^of^Hwith respect to the inner-product is defined foru

∈

_Has the non-negative real number

k

u

k

_Hsuch that

k

u

k

²_H

= h

u

,

^u

i

_H

.

⁽¹⁰⁾

We fixBas an orthogonal basis (with respect to

h ., . i

_H) ofH(then for every

(

^e

,

^e⁰

) ∈

B²,

h

e

,

^e⁰

i

_H

=

0 if and only ife

6=

e⁰but

k

e

k

_His not necessarily equal to 1, or in other words, the basis is not supposed to be orthonormal) and we use it to define a component-wise multiplication. For

(

^u

, v) ∈

_H², we have

u

· v =

X

e∈B

u_e

v

ee (11)

withu

=

P

e∈Bu_eeand

v =

P

e∈B

v

eethe decompositions ofuand

v

in the basisB.

(4)

Equipped with this multiplicationHbecomes a unitary commutative ring (the unit is 1_H

=

P

e∈Be). It is obviously not a field but the multiplicative group of invertible elements ofHis

{

u

∈

_H

|∀

e

∈

B

,

^ue

6=

0

}

and the inverse of an elementu of this set is simplyu⁻¹

=

P

e∈Bu⁻_e¹e.

The(component-wise) conjugateofu

∈

_His given byu

=

P

e∈Bu_ee. Using conjugation and multiplication overH, we also define acomponent-wise normofu

∈

_Hasu

·

u

=

P

e∈_B

|

u_e

|

²e. This ‘‘norm’’ can be connected to the classical norm.

h

u

·

u

,

¹H

i

_H

=

* X

e∈B

|

u_e

|

²e

,

X

e0∈B

e⁰ +

H

1_His written as X

e0∈B

e⁰

!

=

X

e∈B

|

u_e

|

²X

e0∈B

h

e

,

^e⁰

i

_H

=

X

e∈B

|

u_e

|

²

k

e

k

²_H

(sinceBis an orthogonal basis)

= k

u

k

²_H

.

(12)

Finally we define theunit sphereofHby

S

(

^H

) = {

u

∈

_H

|h

u

·

u

,

¹H

i

_H

=

1

} = {

u

∈

_H

|k

u

k

²_H

=

1

} .

⁽¹³⁾ In particular ifBis an orthonormal basis thene

∈

_S

(

^H

)

^whenever^e

∈

B.

Our objective is to introduce a notion of bentness for functions defined on the (finite Abelian) groupGand with values inH, thus we need to define a Fourier transform to deal with this kind of maps.

Definition 8. The component-wise Fourier transform of

φ :

G

→

_His defined as b

φ :

G

→

_H

α 7→

X

e∈B

φ

be

(α)

^e ⁽¹⁴⁾

where

φ

eis the component function with respect toe,i.e., for eachx

∈

G

φ

e

(

^x

) = (φ(

^x

))

e and in particular

φ(

^x

) =

X

e∈B

φ

e

(

^x

)

^e

.

⁽¹⁵⁾

One can note that for eache

∈

B, by uniqueness of a decomposition inB,

(

b

φ)

e

= (φ

de

)

. This relation explains the abuse of notation used to denote this component-wise Fourier transform. IfHreduces toC, classical and component-wise versions of the Fourier transform are identical.

The component-wise Fourier transform has many properties that come from the discrete Fourier transform. For instance, we have for

α ∈

Gand

φ :

G

→

_H,

bb

φ(α) = |

G

| φ( − α) .

⁽¹⁶⁾ We can prove it by using the same well-known similar relation for the discrete Fourier transform on each component functions of

φ

and the relation

(

b

φ)

e

= (φ

de

)

. From this equality and the inversion formula of the discrete Fourier transform, we deduce theinversion formulain the component-wise setting.

Proposition 9. Let

φ :

G

→

_H. We have for each x

∈

G,

φ(

^x

) =

¹

|

G

|

X

e∈B

X

α∈G

φ

be

(α)χ

G^α

(

^x

)

^e

=

¹

|

G

|

X

α∈G

b

φ(α) · χ

G^α

(

^x

)

¹H

.

⁽¹⁷⁾

This transform also satisfies the Parseval equation. In order to show this we first introduce thecomponent-wise convolutional productof

(φ, ψ) ∈ (

^H^G

)

². It is defined for

α ∈

Gby

(φ ? ψ)(α) =

X

e∈B

(φ

e

∗ ψ

e

)(α)

^e ⁽¹⁸⁾

where the symbol ‘‘

∗

’’ denotes the classical (one-dimensional) convolutional product defined for

(

^f

,

^g

) ∈ (

C^G

)

²^by

(

^f

∗

g

)(α) =

X

x∈G

f

(

^x

)

^g

(

^x⁻¹

α).

⁽¹⁹⁾

(5)

By recalling that

(

\^f

∗

g

)(α) =

bf

(α)b

^g

(α)

, we easily prove that

(φ ? ψ)(α)

\

=

b

φ(α) ·

b

ψ(α) .

⁽²⁰⁾

Leti_G

:

G

→

Gsuch thati_G

(

^x

) =

x⁻¹and forf

:

G

→

_C, one definesf

:

G

→

_Csuch thatf

(

^x

) =

f

(

^x

)

. This last notation is generalized component-by-component to the case of functions fromGtoH. Let us computef[

◦

i_G

(α)

^for

α ∈

G.

f[

◦

i_G

(α) =

X

x∈G

f

◦

i_G

(

^x

)χ

G^α

(

^x

)

=

X

x∈G

f

(

^x⁻¹

)χ

G^α

(

^x

)

=

X

y∈G

f

(

^y

)χ

G^α

(

^y⁻¹

)

=

X

y∈G

f

(

^y

)χ

G^α⁻¹

(

^y

)

=

X

y∈G

f

(

^y

) χ

G^α

(

^y

)

=

X

y∈G

f

(

^y

)χ

G^α

(

^y

)

=

bf

(α) .

⁽²¹⁾

Let

φ :

G

→

_H. Let us also compute

φ

\

◦

i_G

(α)

^for

α ∈

G.

φ

\

◦

i_G

(α) =

X

e∈B

(φ

\

◦

i_G

)

e

(α)

^e

=

X

e∈B

(φ

\

◦

i_G

)

e

(α)

^e

=

X

e∈B

φ

\e

◦

i_G

(α)

^e

=

X

e∈B

φ

be

(α)

^e (according to(21))

=

b

φ(α).

⁽²²⁾

Now let us compute

(ψ ? ψ ◦

i_G

)(

¹G

)

^for

(φ, ψ) ∈ (

^H^G

)

². There are two ways to find the result. The first one is given by the definition of the component-wise convolutional product.

(ψ ? ψ ◦

i_G

)(

¹G

) =

X

e∈B

(φ

e

∗ (ψ ◦

i_G

)

e

)(

¹G

)

^e

=

X

e∈B

(φ

e

∗ ψ

e

◦

i_G

)(

¹G

)

^e

=

X

e∈B

X

x∈G

φ

e

(

^x

)ψ

e

(

^x

)

^e

=

X

x∈X

φ(

^x

).ψ(

^x

) .

⁽²³⁾

We use the inversion formula for the second way.

(φ ? ψ)(

¹G

) =

¹

|

G

|

X

α∈G

(φ ? ψ

\

◦

_i_G

)(α) · χ

G^α

(

¹G

)

¹H

=

¹

|

G

|

X

α∈G

(

b

φ(α). ψ

^\

◦

i_G

(α))

¹H

(according to(20))

=

¹

|

G

|

X

α∈G

b

φ(α) · ψ(α)

b

(according to(22))

.

⁽²⁴⁾

(6)

Using(23)we obtain X

x∈X

φ(

^x

) · ψ(

^x

) =

¹

|

G

|

X

α∈G

b

φ(α) · ψ(α)

⁽²⁵⁾

which is traditionally known as Plancherel relation whenH

=

_C. This relation is then used to obtain Parseval equation.

Theorem 10.Let

φ :

G

→

_H. We have X

x∈G

X

e∈B

| φ

e

(

^x

) |

²e

=

¹

|

G

|

X

α∈G

X

e∈B

| φ

be

(α) |

²e

.

⁽²⁶⁾

In particular

φ

also satisfies X

x∈G

k φ(

^x

) k

²_H

=

¹

|

G

|

X

α∈G

kb φ(α) k

²_H

.

⁽²⁷⁾

And if

φ

^is^S

(

^H

)

-valued the following formula holds X

α∈G

kb φ(α) k

²_H

= |

G

|

²

.

⁽²⁸⁾

Proof. According to(25), we have X

x∈X

φ(

^x

) · φ(

^x

) =

¹

|

G

|

X

α∈G

b

φ(α).φ(α)

⇔

X

x∈X

X

e∈B

| φ

e

(

^x

) |

²e

=

¹

|

G

|

X

α∈G

X

e∈B

| φ

be

(α) |

²e

.

⁽²⁹⁾

Then we also have

* X

x∈X

X

e∈B

| φ

e

(

^x

) |

²e

,

¹H

+

H

=

* 1

|

G

|

X

α∈G

X

e∈B

|b φ

e

(α) |

²e

,

¹H

+

H

⇔

X

x∈X

X

e∈B

| φ

e

(

^x

) |

²

h

e

,

¹H

i

_H

=

¹

|

G

|

X

α∈G

X

e∈B

|b φ

e

(α) |

²

h

e

,

¹H

i

_H

⇔

X

x∈_X

X

e∈_B

| φ

e

(

^x

) |

²

k

e

k

²_H

=

¹

|

G

|

X

α∈_G

X

e∈_B

| φ

be

(α) |

²

k

e

k

²_H

⇔

X

x∈G

k φ(

^x

) k

²_H

=

¹

|

G

|

X

α∈G

kb φ(α) k

²_H

.

(30)

The last equality of the theorem is obvious.

4.2. Hermitian bent functions

An appropriate notion of bentness occurs naturally in this setting.

Definition 11. Let

φ :

G

→

_S

(

^H

)

. This function is (Hermitian) bent if for all

α ∈

G, we have

kb φ(α) k

²_H

= |

G

|

(31)

or in other words X

e∈B

|b φ

e

(α) |

²

k

e

k

²_H

= |

G

| .

⁽³²⁾

Such notion has been previously introduced in [8] but in a slightly different way (note in particular that in [8] it is called

‘‘multidimensional bent’’ rather than ‘‘Hermitian bent’’). Another bentness notion, based on the component-wise norm, can be introduced in a way as natural as the previous one.

Definition 12. Let

φ :

G

→

_H. This function is component-wise bent if 1.

∀

x

∈

G,

φ(

^x

) · φ(

^x

) =

1_H(or equivalently,

∀

x

∈

Gand

∀

e

∈

B,

φ

e

(

^x

) ∈

_S);

2.

∀ α ∈

G,b

φ(α) ·

b

φ(α) = |

G

|

1_H(or equivalently,

∀ α ∈

G,

∀

e

∈

B,

φ

eis bent).

(7)

Obviously a function

φ

is component-wise bent if and only if each of its component functions are bent. Moreover if dim_C

(

^H

) =

1 the two concepts coincide with the classical bentness notion of Logachev et al. Nevertheless we will show in the sequel that component-wise and Hermitian bentness are two different notions. However there is a relation between the two approaches.

Lemma 13. Let

φ :

G

→

_H such that for all x

∈

G,

φ(

^x

) · φ(

^x

) =

1_H then

φ(

^x

) ∈

_S

(

^H

)

^{for all x}

∈

G if and only if

k

1_H

k

²_H

=

P

e∈B

k

e

k

²_H

=

1.

Proof. Letx

∈

G. We have

h φ(

^x

) · φ(

^x

),

¹H

i

_H

= k φ(

^x

) k

²_H

=

X

e∈B

| φ

e

(

^x

) |

²

k

e

k

²_H

=

X

e∈B

k

e

k

²_H

= k

1_H

k

²_H

.

⁽³³⁾ The result immediately follows.

According to the lemma above, if the basisBis orthonormal (and dim_C

(

^H

) >

1), we cannot find a function

φ :

G

→

_Hsuch that it satisfies at the same time

∀

_x

∈

_G,

φ(

^x

) · φ(

^x

) =

₁_H_and

φ(

^x

) ∈

_S

(

H

)

. So in this particular case, component-wise and Hermitian bentness are different. Now we exhibit a relation when

k

1_H

k

²_H

=

1.

Proposition 14. Suppose that

k

1_H

k

²_H

=

P

e∈B

k

e

k

²_H

=

1. Let

φ :

G

→ {

u

∈

_H

|

u

.

^u

=

1_H

}

. If

φ

is component-wise bent then it is also Hermitian bent.

Proof. According toLemma 13,

∀

x

∈

G,

φ(

^x

) ∈

_S

(

^H

)

. Moreover we have for

α ∈

G,

kb φ(α) k

²_H

= hb φ(α) ·

b

φ(α),

¹H

i

_H

= h|

G

|

1_H

,

¹H

i

_H

= |

G

|k

1_H

k

²_H

= |

G

| .

⁽³⁴⁾

In what follows we see that even if

k

1_H

k

²_H

=

1, we can find a Hermitian bent function which is not component-wise bent.

In a very similar way as for Logachev et al.’s, bent functions, it is possible to determine a combinatorial characterization of this notion using derivative and balancedness.

Definition 15. A functionf

:

G

→

_Cis balanced ifP

x∈Gf

(

^x

) =

0.

Thederivativeoff

:

G

→

_Cin

α ∈

Gis defined as d_αf

:

G

→

_C

x

7→

f

(α

^x

)

^f

(

^x

) .

⁽³⁵⁾

Then the(component-wise) derivativeof

φ :

G

→

_His simply defined as D_α

φ :

G

→

_H

x

7→

X

e∈B

d_α

φ

e

(

^x

)

^e

.

⁽³⁶⁾

In particular,

(

^Dα

φ)

e

=

d_α

φ

e.

A result by Logachev et al., gives a link between bentness, derivatives and balancedness.

Theorem 16 ([5]). A function f

:

G

→

_Sis bent if and only if for all

α ∈

G^∗, the derivative d_αf is balanced.

Our ambition is now to present a similar result for the Hermitian bentness.

Lemma 17. Let

φ :

G

→

_H. One defines the auto-correlation function of

φ

^by AC_φ

:

G

→

_H

α 7→

Dd_α

φ(

¹G

) =

X

e∈B

d[_α

φ

e

(

¹G

)

^e

.

⁽³⁷⁾

Then for all

α ∈

G,

ACd_φ

(α) =

b

φ(α) ·

b

φ(α) .

⁽³⁸⁾

(8)

Proof. For

α ∈

G, we have AC_φ

(α) =

X

e∈B

d[_α

φ

e

(

¹G

)

^e

=

X

e∈B

X

x∈G

d_α

φ

e

(

^x

)

^e

=

X

e∈B

X

x∈G

φ

e

(α

^x

)φ

e

(

^x

)

^e

=

X

e∈B

X

y∈G

φ

e

(α

^y⁻¹

)φ

e

(

^y⁻¹

)

^e

=

X

e∈B

(φ

e

∗ φ

e

◦

i_G

)(α)

^e

= (φ ? φ ◦

i_G

)(α) .

⁽³⁹⁾

Then using relations(20)and(22)we obtain

ACd_φ

(α) = (φ ? φ

^\

◦

i_G

)(α) =

b

φ(α) ·

b

φ(α) .

⁽⁴⁰⁾

Before presenting the expected result, we give two technical lemmas. The proof of the first one can be found in [2].

Lemma 18 ([2]).Let f

:

G

→

_C. Then f

(

^x

) =

0for all x

∈

G^∗if and only ifbf

(α) =

f

(

¹G

)

^{for all}

α ∈

G.

Lemma 19. Let

φ :

G

→

_Hand u

∈

_H. We define P_u

(φ) :

G

→

_C

x

7→ h φ(

^x

),

^u

i

_H

.

⁽⁴¹⁾

Then for all

α ∈

G, we have

P\_u

(φ)(α) =

P_u

(

b

φ)(α) = hb φ(α),

^u

i

_H

.

⁽⁴²⁾

Proof.

P\_u

(φ)(α) =

X

x∈_G

P_u

(φ)(

^x

)χ

G^α

(

^x

)

=

X

x∈G

h φ(

^x

),

^u

i

_H

χ

G^α

(

^x

)

=

X

x∈G

* X

e∈B

φ

e

(

^x

)

^e

,

^u +

H

χ

G^α

(

^x

)

=

* X

x∈G

X

e∈B

χ

G^α

(

^x

)φ

e

(

^x

)

^e

,

^u +

H

=

* X

e∈B

φ

be

(α)

^e

,

^u +

H

= hb φ(α),

^u

i

_H

.

⁽⁴³⁾

The combinatorial characterization for Hermitian bentness is given by the following result.

Theorem 20.Let

φ :

G

→

_S

(

^H

)

. The function

φ

is Hermitian bent if and only if for all

α ∈

G^∗, the map P₁_H

(

^Dα

φ) :

G

→

_C defined for x

∈

G by P_1H

(

^Dα

φ)(

^x

) = h

D_α

φ(

^x

),

¹H

i

_His balanced.

Proof. The mapP₁_H

(

^Dα

φ)

is balanced for all

α ∈

G^∗

⇔∀ α ∈

G^∗

,

X

x∈G

P_1H

(

^Dα

φ)(

^x

) =

0

⇔∀ α ∈

G^∗

,

X

x∈G

h

D_α

φ(

^x

),

¹H

i

_H

=

0

(9)

⇔∀ α ∈

G^∗

,

* X

x∈G

D_α

φ(

^x

),

¹H

+

H

=

0

⇔∀ α ∈

G^∗

, h

AC_φ

(α),

¹H

i

_H

=

0

⇔∀ α ∈

G^∗

,

^P1H

(

^ACφ

)(α) =

0

⇔∀ α ∈

G

,

^P1H^\

(

^ACφ

)(α) =

P_1H

(

^ACφ

)(

¹G

)

(according toLemma 18)

.

Moreover byLemma 19, we have

P₁_H\

(

^ACφ

)(α) =

P₁_H

(

ACd_φ

)(α)

=

ACd_φ

(α),

¹H

H

=

D

b

φ(α) ·

b

φ(α),

¹H

E

H

(according toLemma 17)

= kb φ(α) k

²_H

.

(44)

On the other hand, P₁_H

(

^ACφ

)(

¹G

) =

* X

e∈B

\d₁_G

φ

e

(

¹G

)

^e

,

¹H

+

H

=

* X

e∈B

X

x∈G

| φ

e

(

^x

) |

²e

,

¹H

+

H

=

X

x∈G

| φ

e

(

^x

) |

²

k

e

k

²_H

=

X

x∈G

k φ(

^x

) k

²_H

= |

G

| (

^since

φ

^is^S

(

^H

)

^-valued.

)

⁽⁴⁵⁾

Finally we have:

the mapP_1H

(

^Dα

φ)

is balanced for all

α ∈

G^∗

⇔ ∀ α ∈

G,

kb φ(α) k

²_H

= |

G

|

⇔ φ

is Hermitian bent.

5. G-perfect nonlinearity as a particular kind of Hermitian bentness

In this section,Gis a finite Abelian group in multiplicative representation andHis the complex-vector space of functions from a nonempty finite setXto the complex field. This

|

X

|

-dimensional vector space is denoted byC

[

X

]

. We choose as inner- product ofC

[

X

]

the following sesquilinear form

h

f

,

^g

i

_C_[_X_]

=

X

x∈X

f

(

^x

)

^g

(

^x

)

⁽⁴⁶⁾

for

(

^f

,

^g

) ∈

_C

[

X

]

². The fixed orthogonal basis ofC

[

X

]

is given by the canonical basis of Dirac functions

δ

x

(

^y

) =

1 ifx

=

y

0 ifx

6=

y

.

⁽⁴⁷⁾

In particular for eachx

∈

X, we have

k δ

x

k

²

C[X]

=

¹

|X|and

k

1_C[X]

k

²

C[X]

=

P

x∈X

k δ

x

k

²

C[X]

=

^|^X^|

|X|

=

1.

In this setting a map

φ :

G

→

_S

(

C

[

X

] )

is Hermitian bent if for all

α ∈

G,

kb φ(α) k

²

C[X]

=

X

x∈X

|c φ

δx

(α) |

²

k δ

x

k

²_H

=

¹

|

X

|

X

x∈X

| φ

cδx

(α) |

²

= |

G

| .

We can already note that the last equality above is similar to the one given inDefinition 6.

Now suppose thatGacts faithfully on the setX.

For eachf

∈

_C

[

X

]

is associated the following map fromGtoC

[

X

]

.

φ(

^f

) :

G

→

_C

[

X

]

α 7→ φ(

^f

)(α) =

X

x∈G

f₍_x₎

(α)δ

x

=

X

x∈G

f

(α ·

x

)δ

x

.

⁽⁴⁸⁾

(10)

By uniqueness of the decomposition in the basis

{ δ

x

}

_x_∈_XofC

[

X

]

, we have in particular for eachx

∈

X,

φ(

^f

)

δx

=

f₍_x₎. Moreover if we suppose thatf isS-valued then

φ(

^f

)

^is^S

(

C

[

X

] )

-valued since for each

α ∈

G,

k φ(

^f

)(α) k

²

C[X]

=

¹

|

X

|

X

x∈X

| φ(

^f

)

δx

(α) |

²

=

¹

|

X

|

X

x∈X

|

f₍_x₎

(α) |

²

=

¹

|

X

|

X

x∈X

|

f

(α ·

x

) |

²

= |

X

|

X

| =

1

.

Theorem 21.Let f

:

_X

→

_S. Then f is G-bent if and only if

φ(

^f

)

is Hermitian bent.

Proof. Let us compute for

α ∈

G,[

φ(

^f

)(α)

^. [

φ(

^f

)(α) =

X

x∈X

φ(

\^f

)

δx

(α)δ

x

=

X

x∈X

fc₍_x₎

(α)δ

x

.

⁽⁴⁹⁾

Then we have

k

[

φ(

^f

)(α) k

²

C[X]

=

¹

|

X

|

X

x∈X

| φ(

\^f

)

δx

(α) |

²

=

¹

|

X

| |c

_f₍_x₎

(α) |

²

.

⁽⁵⁰⁾

Finally we conclude that fisG-bent

⇔∀ α ∈

G

, |

_X¹

|

X

x∈X

|c

f₍_x₎

(α) |

²

= |

G

|

⇔∀ α ∈

G

, k φ(

[^f

)(α) k

²

C[X]

= |

G

|

⇔ φ(

^f

)

is Hermitian bent

.

(51)

Corollary 22. Let G and H be two finite Abelian groups. Suppose that G acts faithfully on a finite nonempty set X . The map f

:

X

→

H is G-perfect nonlinear if and only if

∀ β ∈

H^∗, the map

φ(χ

H^β

◦

f

) :

G

→

_S

(

C

[

X

] )

is Hermitian bent.

Proof.

∀ β ∈

H^∗

, φ(χ

H^β

◦

f

)

is Hermitian bent

⇔∀ β ∈

H^∗

, χ

H^β

◦

f

:

X

→

_SisG-bent (according toTheorem 21)

⇔

fisG-perfect nonlinear (according toTheorem 7)

.

(52)

We have already mentioned (see in Section2the discussion that followsTheorem 7) that there exists a functionf

:

X

→

H such thatf isG-perfect nonlinear (and according to the previous corollary,

φ(χ

^β

◦

f

)

is Hermitian bent for each

β ∈

H^∗) and such that there existsx₀

∈

Xfor whichf₍_x₀₎

:

G

→

His not perfect nonlinear in the traditional setting. Then according toTheorem 3there exists

β

0

∈

H^∗, such that

χ

H^β⁰

◦

f₍_x₀₎

:

G

→

_Sis not bent, i.e., there is an element

α

0

∈

Gsuch that

| χ

H^β^\⁰

◦

f₍_x₀₎

(α

0

) |

²

6= |

G

|

. Then

φ(χ

H^β⁰

◦

f

)

is not component-wise bent. Indeed if we suppose that

φ(χ

H^β⁰

◦

f

)

is component- wise bent then for eachx

∈

X,

φ(χ

H^β⁰

◦

f

)

δx

= χ

H^β

◦

f₍_x₎is bent and it would also be the case in particular for

χ

H^β

◦

f₍_x₀₎. Then we have a function which is Hermitian but not component-wise bent. The reciprocal assertion ofProposition 14is then false.

References

[1] E. Biham, A. Shamir, Differential cryptanalysis of DES-like cryptosystems, Journal of Cryptology 4 (1) (1991) 3–72.

[2] C. Carlet, C. Ding, Highly nonlinear mappings, Journal of complexity 20 (2) (2004) 205–244.

[3] J. Davis, L. Poinsot,G-Perfect nonlinear functions, Design, Codes and Cryptography 46 (1) (2008) 83–96.

[4] J.F. Dillon, Elementary Hadamard difference sets, Ph.D. Thesis, University of Maryland, 1974.

[5] O.A. Logachev, A.A. Salnikov, V.V. Yashchenko, Bent functions on a finite Abelian group, Discrete Mathematics and Applications 7 (6) (1997) 547–564.

[6] K. Nyberg, Perfect nonlinear s-boxes, in: Advances in Cryptology - EUROCRYPT’91, in: Lecture Notes in Computer Science, vol. 547, Springer-Verlag, 1991, pp. 378–386.

[7] L. Poinsot, Non linéarité parfaite généralisée au sens des actions de groupes, contributions aux fondements de la solidité cryptographique (in English:

Group action-based perfect nonlinearity, contributions to the foundations of cryptographic solidity), Ph.D. Thesis, University of South Toulon-Var, 2005.

[8] L. Poinsot, Multidimensional bent functions, GESTS International Transactions on Computer Science and Engineering 18 (1) (2005) 185–195.

[9] L. Poinsot, S. Harari, Group actions based perfect nonlinearity (extended abstract), in: Proceeding of Workshop on Coding and Cryptography WCC 2005, Bergen, Norway, 2005, pp. 335–344.

[10] L. Poinsot, S. Harari, Group actions based perfect nonlinearity, GESTS International Transactions on Computer Science and Engineering 12 (1) (2005) 1–14.

[11] A. Pott, Nonlinear functions in Abelian groups and relative difference sets, Discrete Applied Mathematics 138 (1–2) (2004) 177–193.

[12] O.S. Rothaus, On bent functions, Journal of Combinatorial Theory A 20 (1976) 300–365.