Abstract

Symmetric cryptography is a cornerstone of everyday digital security, where two parties must share a common key to communicate. The most common primitives in symmetric cryptography are stream ciphers and block ciphers that guarantee confidentiality of communications and hash functions for integrity. Thus, for securing our everyday life communication, it is necessary to be convinced by the security level provided by all the symmetric-key cryptographic primitives. The most important part of a stream cipher is the key stream generator, which provides the overall security for stream ciphers. Nonlinear Boolean functions were preferred for a long time to construct the key stream generator. In order to resist several known attacks, many requirements have been proposed on the Boolean functions. Attacks against the cryptosystems have forced deep research on Boolean function to allow us a more secure encryption. In this work we describe all main requirements for constructing of cryptographically significant Boolean functions. Moreover, we provide a construction of Boolean functions (semi-bent Boolean functions) which can be used in the construction of orthogonal variable spreading factor codes used in code division multiple access (CDMA) systems as well as in certain cryptographic applications.

Keywords: symmetric cryptography, Boolean functions, Walsh spectrum, nonlinearity, resiliency, (fast) algebraic attack

#### 1. Introduction

Cryptography has become a branch of information theory and is used within a mathematical approach to study the transmission of information from place to place. In a modern society, exchange and storage of information in an efficient, reliable, and secure manner are of fundamental importance. Applications of cryptography are present in many aspects of our society, and they include authentication and encryption (bank cards, wireless telephone, e-commerce), access control (car lock systems, ski lifts), and payment (prepaid telephone cards, e-cash). Behind all the previously mentioned applications, an underlying cryptographic system has to satisfy a number of security goals. Some important aspects in information security are data confidentiality, data integrity, authentication, and non-repudiation, and some of these goals will be elaborated later in the framework of Boolean

functions. Therefore, cryptography is evermore important for business and industry as well as for society at large.

A classic example of a cryptosystem is depicted in Figure 1. Such a cryptosystem primitive is also called symmetric-key encryption algorithm, since the transmitted message (plaintext) is encrypted (into ciphertext) and decrypted with the same secret key which is shared between both sender and recipient. Symmetric cryptography is best introduced with an easy-to-understand problem: There are two users, Alice and Bob, who want to communicate over an insecure channel. The actual problem starts with the bad guy, Oscar, who has access to the channel, for instance, by hacking into an Internet router or by listening to the radio signals of a Wi-Fi communication. This type of unauthorized listening is called eavesdropping. Obviously, there are many situations in which Alice and Bob would prefer to communicate without Oscar listening. For instance, if Alice and Bob represent two offices of a car manufacturer, and they are transmitting documents containing the business strategy for the introduction of new car models in the next few years, these documents should not get into the hands of their competitors or of foreign intelligence agencies for that matter. In this situation, symmetric cryptography offers a powerful solution: Alice encrypts her message m using a symmetric algorithm, yielding the ciphertext c. Bob receives the ciphertext and decrypts the message. Decryption is, thus, the inverse process of encryption. What is the advantage? If we have a strong encryption algorithm, the ciphertext will look like random bits to Oscar and will contain no information whatsoever that is useful to him.

Symmetric-key cryptography comprises two large families of cryptographic primitives, namely, block and stream ciphers (see Figure 2). Since both block and stream ciphers provide significant performance improvement compared to publickey encryption techniques, they are commonly used as encryption schemes in practice. However, the design rules for these two primitives are quite different.

In general, symmetric-key cryptography is much more computationally efficient than public-key cryptography (approximately 1000 faster), and it requires shorter key length to ensure the same level of security. On the other hand, every pair of users that wants to communicate using symmetric encryption must share a common secret key. If n users want to ensure a pairwise secure communication, a total of n nð Þ �<sup>1</sup> <sup>2</sup> secret keys need to be exchanged, and every user must store and keep safe n � 1 different secret keys, which is in many cases highly impractical. In comparison, public-key cryptography offers a functionality of only keeping a single private key secret.

The security of symmetric cryptosystems is strongly influenced by Boolean functions. They are often used as nonlinear combining functions in stream ciphers based on linear feedback shift register. Those functions allow making the relationship between the plaintext and the ciphertext as complex as possible. More precisely, a bit of the ciphertext is obtained from a bit of the plaintext by adding

bitwise a key digit (the output of the Boolean function) whose dependence upon the LFSR entries (the secret information) is nonlinear. Thus, the security of such cryptosystems deeply relies on the choice of the Boolean function because the complexity of the relationship between the plaintext and the ciphertext depends entirely on the Boolean function. Indeed, some properties of the Boolean function can be exploited to gain access to the contents of encrypted messages, even if the key is unknown. Therefore, Boolean functions need to have some important characteristics that are called security criteria to resist several types of attacks (see Section 3). Furthermore, the research fields of Boolean functions regarding the cryptography include the design and implementation, the properties of Boolean functions, the construction and counting of Boolean functions with certain properties, the trade-off between different properties, and the properties

Symmetric-key encryption schemes. (a) Stream cipher using algorithmic bit stream generator. (b) Block cipher.

Implementing Symmetric Cryptography Using Sequence of Semi-Bent Functions

DOI: http://dx.doi.org/10.5772/intechopen.85023

A special class of Boolean functions defined as semi-bent function has been introduced in 1994, by scientists Chee, Lee, and Kim [1]. The motivation for their study is firstly related to their use in cryptography (in the design of cryptographic functions). Indeed, semi-bent functions can be balanced and resilient. They also possess various desirable characteristics such as low autocorrelation, a maximal

according to new attacks.

Figure 2.

3

Figure 1. Model of classic cryptosystem.

Implementing Symmetric Cryptography Using Sequence of Semi-Bent Functions DOI: http://dx.doi.org/10.5772/intechopen.85023

bitwise a key digit (the output of the Boolean function) whose dependence upon the LFSR entries (the secret information) is nonlinear. Thus, the security of such cryptosystems deeply relies on the choice of the Boolean function because the complexity of the relationship between the plaintext and the ciphertext depends entirely on the Boolean function. Indeed, some properties of the Boolean function can be exploited to gain access to the contents of encrypted messages, even if the key is unknown. Therefore, Boolean functions need to have some important characteristics that are called security criteria to resist several types of attacks (see Section 3). Furthermore, the research fields of Boolean functions regarding the cryptography include the design and implementation, the properties of Boolean functions, the construction and counting of Boolean functions with certain properties, the trade-off between different properties, and the properties according to new attacks.

A special class of Boolean functions defined as semi-bent function has been introduced in 1994, by scientists Chee, Lee, and Kim [1]. The motivation for their study is firstly related to their use in cryptography (in the design of cryptographic functions). Indeed, semi-bent functions can be balanced and resilient. They also possess various desirable characteristics such as low autocorrelation, a maximal

functions. Therefore, cryptography is evermore important for business and

will contain no information whatsoever that is useful to him.

Symmetric-key cryptography comprises two large families of cryptographic primitives, namely, block and stream ciphers (see Figure 2). Since both block and stream ciphers provide significant performance improvement compared to publickey encryption techniques, they are commonly used as encryption schemes in practice. However, the design rules for these two primitives are quite different. In general, symmetric-key cryptography is much more computationally efficient than public-key cryptography (approximately 1000 faster), and it requires shorter key length to ensure the same level of security. On the other hand, every pair of users that wants to communicate using symmetric encryption must share a common secret key. If n users want to ensure a pairwise secure communication, a total

<sup>2</sup> secret keys need to be exchanged, and every user must store and keep safe n � 1 different secret keys, which is in many cases highly impractical. In comparison, public-key cryptography offers a functionality of only keeping a single private

The security of symmetric cryptosystems is strongly influenced by Boolean functions. They are often used as nonlinear combining functions in stream ciphers based on linear feedback shift register. Those functions allow making the relationship between the plaintext and the ciphertext as complex as possible. More precisely, a bit of the ciphertext is obtained from a bit of the plaintext by adding

A classic example of a cryptosystem is depicted in Figure 1. Such a cryptosystem primitive is also called symmetric-key encryption algorithm, since the transmitted message (plaintext) is encrypted (into ciphertext) and decrypted with the same secret key which is shared between both sender and recipient. Symmetric cryptography is best introduced with an easy-to-understand problem: There are two users, Alice and Bob, who want to communicate over an insecure channel. The actual problem starts with the bad guy, Oscar, who has access to the channel, for instance, by hacking into an Internet router or by listening to the radio signals of a Wi-Fi communication. This type of unauthorized listening is called eavesdropping. Obviously, there are many situations in which Alice and Bob would prefer to communicate without Oscar listening. For instance, if Alice and Bob represent two offices of a car manufacturer, and they are transmitting documents containing the business strategy for the introduction of new car models in the next few years, these documents should not get into the hands of their competitors or of foreign intelligence agencies for that matter. In this situation, symmetric cryptography offers a powerful solution: Alice encrypts her message m using a symmetric algorithm, yielding the ciphertext c. Bob receives the ciphertext and decrypts the message. Decryption is, thus, the inverse process of encryption. What is the advantage? If we have a strong encryption algorithm, the ciphertext will look like random bits to Oscar and

industry as well as for society at large.

Modern Cryptography – Current Challenges and Solutions

of n nð Þ �<sup>1</sup>

key secret.

Figure 1.

2

Model of classic cryptosystem.

nonlinearity among balanced plateaued functions, but they cannot have high algebraic degree. In terms of linear feedback shift-register synthesis, they are usually generated by certain power polynomials over a finite field and in addition are characterized by a low cross-correlation and high nonlinearity. Besides their practical use in cryptography, they are also widely used in code division multiple access (CDMA) communication systems for sequence design [2, 3]. In this context, families of maximum length linear feedback shift-register sequences having threevalued cross-correlation are used. Such sequences have received a lot of attention since the late 1960s and can be generated by a semi-bent function. Even though a lot of work has been done on semi-bent functions, there are a few generic methods of constructing semi-bent functions that can be found in the literature. The classification of these functions is still elusive, especially their construction are challenging problems. Some open problems and an overview of the known construction related on semi-bent functions can be found in the book of Mesnager [4]. The rest of this chapter is organized as follows. In Section 2 the essential background on Boolean functions is given. Some main requirements for constructing significant Boolean function are given in Section 3. An infinity class of semi-bent function specified by employing some sufficient conditions is given in Section 4. Some concluding remarks are given in Section 5.

A Boolean function f xð Þ is called plateaued if its Walsh spectrum only takes three

Wfð Þ� ω Wg ð Þ¼ ω 0: (4)

:

<sup>2</sup> , denoted by Daf xð Þ, is a Boolean function defined

DVf xð Þ¼ DakDak�<sup>1</sup>…Da<sup>1</sup> f xð Þ, (7)

<sup>2</sup> . The notion of the derivative of a Boolean

�: (5)

2

(6)

<sup>2</sup> . The k-th

Wfð Þ <sup>ω</sup> � � �

<sup>2</sup> . Moreover, f is said to be semi-bent function if for all ω∈F<sup>n</sup>

, where λ is some positive integer.

Implementing Symmetric Cryptography Using Sequence of Semi-Bent Functions

In terms of Walsh spectra, the nonlinearity of f is given by

Wfð Þ ω ∈

Nf <sup>¼</sup> <sup>2</sup>n�<sup>1</sup> � <sup>1</sup>

8 ><

>:

Suppose f g <sup>a</sup>1; …; ak is a basis of a <sup>k</sup> dimensional subspace <sup>V</sup> of <sup>F</sup><sup>n</sup>

derivative of f with respect to V, denoted by DVf xð Þ, is a Boolean function

3. Cryptographic requirements for constructing Boolean functions

One of the fundamental research topics in cryptography is the construction of cryptographically significant Boolean functions, that is, a function which possesses

1. High algebraic degree aims to increase the linear complexity in ciphers. Using Boolean functions of high degree in block ciphers leads to more complicated systems of equations describing the cipher and hence makes cryptanalysis of the cipher more difficult. All cryptosystems using Boolean functions for confusion can be attacked if the functions have relatively low algebraic degree, i.e., the Berlekamp-Massey attack [5] or the Ronjom-Helleseth attack [6] can be applied. Note that the algebraic degree of a Boolean function in n-variables

2. In order to prevent the system from leaking statistical dependence between the input and output, the concept of balancedness implies that a given Boolean function outputs equally many zeros and ones over all possible input values. To avoid distinguishing attacks [7], cryptographic function must be balanced.

2 max ω∈F<sup>n</sup> 2

An n-variable Boolean function f is said to be bent if its Walsh transform takes

A function is balanced if and only if Wfð Þ¼ 0 0, i.e., #fxfx j g ð Þ¼ 0 ¼

0; �2 nþ1 2 n o, if n is odd

0; �2 nþ2 2 n o, if n is even

Two Boolean functions f xð Þ,g xð Þ are said to be a pair of disjoint spectra

values, 0 and �2<sup>λ</sup>

for all ω∈F<sup>n</sup>

#fxfx j g ð Þ¼ 1 .

defined by

for all x∈ F<sup>n</sup>

2 :

some of the following properties:

is at most n.

5

only two values �2

2 :

DOI: http://dx.doi.org/10.5772/intechopen.85023

n

The derivative of f xð Þ at <sup>a</sup>∈F<sup>n</sup>

by Daf xð Þ¼ f xð Þþ <sup>þ</sup> <sup>a</sup> f xð Þ, for all <sup>x</sup>∈F<sup>n</sup>

function is extended to higher orders as follows.

functions if

#### 2. Useful definitions and terms

Let F<sup>n</sup> <sup>2</sup> denote the n-dimensional vector space over the prime field F2. Let x ¼ ð Þ x1; …; xn be a vector over F<sup>2</sup> of length n.

<sup>A</sup> Boolean function f xð Þ <sup>1</sup>; …; xn in n-variables is an arbitrary function from <sup>F</sup><sup>n</sup> <sup>2</sup> to F2. It can also be interpreted as the output column of its truth table, i.e., a binary string of length 2<sup>n</sup>,

$$f = [f(\mathbf{0}, \mathbf{0}, \dots, \mathbf{0}), f(\mathbf{1}, \mathbf{0}, \dots, \mathbf{0}), \dots, f(\mathbf{1}, \mathbf{1}, \dots, \mathbf{1})].\tag{1}$$

An n-variable function f is said to be balanced if its output column in the truth table contains equal number of 1's and 0's.

Any Boolean function has a unique representation as a multivariate polynomial over Galois field of two elements, called algebraic normal form (ANF),

$$f(\mathbf{x}\_1, \dots, \mathbf{x}\_n) = a\_0 + \sum\_{1 \le i \le n} a\_i \mathbf{x}\_i + \sum\_{\substack{1 \le i < j \le n}} a\_{ji} \mathbf{x}\_i \mathbf{x}\_j + \dots + a\_{12\dots n} \mathbf{x}\_1 \mathbf{x}\_2 \dots \mathbf{x}\_n \tag{2}$$

where the coefficients a0, aij, …, a12…<sup>n</sup> belong to 0f g ; 1 .

The algebraic degree, denoted by degð Þf , is the number of variables in the highest order monomial with nonzero coefficient. A Boolean function with degð Þf ≤ 1 is said to be affine, and the set of all n-variable affine functions is denoted by An. An affine function with the constant term equal to zero is called a linear function.

The nonlinearity of an n-variable function f is Nf ¼ min<sup>g</sup> <sup>∈</sup> <sup>A</sup><sup>n</sup> d f ð Þ ; g , which measures the minimum distance between f and all n-variable affine functions.

Many properties of Boolean function can be deduced from its Walsh spectra. The Walsh transform of f xð Þ in point <sup>ω</sup>∈F<sup>n</sup> <sup>2</sup> is an integer-valued function over F<sup>n</sup> 2 defined by

$$W\_f(a) = \sum\_{\mathbf{x} \in \mathbb{F}\_2^n} (-\mathbf{1})^{f(\mathbf{x}) + \mathbf{x} \cdot a},\tag{3}$$

where <sup>x</sup> � <sup>ω</sup> <sup>¼</sup> <sup>x</sup>1ω<sup>1</sup> <sup>þ</sup> … <sup>þ</sup> xnω<sup>n</sup> is the inner product of two vectors over <sup>F</sup><sup>n</sup> <sup>2</sup> . The set {Wfð Þ <sup>ω</sup> : <sup>ω</sup>∈F<sup>n</sup> <sup>2</sup>g is called the Walsh spectrum of f.

Implementing Symmetric Cryptography Using Sequence of Semi-Bent Functions DOI: http://dx.doi.org/10.5772/intechopen.85023

A Boolean function f xð Þ is called plateaued if its Walsh spectrum only takes three values, 0 and �2<sup>λ</sup> , where λ is some positive integer.

Two Boolean functions f xð Þ,g xð Þ are said to be a pair of disjoint spectra functions if

$$\mathcal{W}\_f(a) \cdot \mathcal{W}\_{\mathcal{g}}(a) = \mathbf{0}.\tag{4}$$

for all ω∈F<sup>n</sup> 2 :

nonlinearity among balanced plateaued functions, but they cannot have high algebraic degree. In terms of linear feedback shift-register synthesis, they are usually generated by certain power polynomials over a finite field and in addition are characterized by a low cross-correlation and high nonlinearity. Besides their practical use in cryptography, they are also widely used in code division multiple access (CDMA) communication systems for sequence design [2, 3]. In this context, families of maximum length linear feedback shift-register sequences having threevalued cross-correlation are used. Such sequences have received a lot of attention since the late 1960s and can be generated by a semi-bent function. Even though a lot of work has been done on semi-bent functions, there are a few generic methods of constructing semi-bent functions that can be found in the literature. The classification of these functions is still elusive, especially their construction are challenging problems. Some open problems and an overview of the known construction related on semi-bent functions can be found in the book of Mesnager [4]. The rest of this chapter is organized as follows. In Section 2 the essential background on Boolean functions is given. Some main requirements for constructing significant Boolean function are given in Section 3. An infinity class of semi-bent function specified by employing some sufficient conditions is given in Section 4. Some concluding

<sup>2</sup> denote the n-dimensional vector space over the prime field F2. Let

An n-variable function f is said to be balanced if its output column in the truth

Any Boolean function has a unique representation as a multivariate polynomial

1≤i < j≤n

The algebraic degree, denoted by degð Þf , is the number of variables in the highest order monomial with nonzero coefficient. A Boolean function with degð Þf ≤ 1 is said to be affine, and the set of all n-variable affine functions is denoted by An. An affine function with the constant term equal to zero is called a linear function. The nonlinearity of an n-variable function f is Nf ¼ min<sup>g</sup> <sup>∈</sup> <sup>A</sup><sup>n</sup> d f ð Þ ; g , which measures the minimum distance between f and all n-variable affine functions. Many properties of Boolean function can be deduced from its Walsh spectra.

over Galois field of two elements, called algebraic normal form (ANF),

Wfð Þ¼ ω ∑

<sup>2</sup>g is called the Walsh spectrum of f.

x∈F<sup>n</sup> 2

where <sup>x</sup> � <sup>ω</sup> <sup>¼</sup> <sup>x</sup>1ω<sup>1</sup> <sup>þ</sup> … <sup>þ</sup> xnω<sup>n</sup> is the inner product of two vectors over <sup>F</sup><sup>n</sup>

aixi þ ∑

1≤i ≤n

where the coefficients a0, aij, …, a12…<sup>n</sup> belong to 0f g ; 1 .

f ¼ ½ � fð Þ 0; 0; …; 0 ; fð Þ 1; 0; …; 0 ; …; fð Þ 1; 1; …; 1 : (1)

aijxixj þ … þ a12…nx1x2…xn (2)

<sup>2</sup> is an integer-valued function over F<sup>n</sup>

ð Þ �<sup>1</sup> f xð Þþx�<sup>ω</sup>, (3)

<sup>2</sup> to

2

<sup>2</sup> . The

<sup>A</sup> Boolean function f xð Þ <sup>1</sup>; …; xn in n-variables is an arbitrary function from <sup>F</sup><sup>n</sup>

F2. It can also be interpreted as the output column of its truth table, i.e., a binary

remarks are given in Section 5.

Let F<sup>n</sup>

defined by

4

set {Wfð Þ <sup>ω</sup> : <sup>ω</sup>∈F<sup>n</sup>

string of length 2<sup>n</sup>,

2. Useful definitions and terms

x ¼ ð Þ x1; …; xn be a vector over F<sup>2</sup> of length n.

Modern Cryptography – Current Challenges and Solutions

table contains equal number of 1's and 0's.

The Walsh transform of f xð Þ in point <sup>ω</sup>∈F<sup>n</sup>

f xð Þ¼ <sup>1</sup>; …; xn a<sup>0</sup> þ ∑

In terms of Walsh spectra, the nonlinearity of f is given by

$$N\_f = 2^{n-1} - \frac{1}{2} \max\_{\boldsymbol{\alpha} \in \mathbb{F}\_2^n} \left| W\_f(\boldsymbol{\alpha}) \right|. \tag{5}$$

A function is balanced if and only if Wfð Þ¼ 0 0, i.e., #fxfx j g ð Þ¼ 0 ¼ #fxfx j g ð Þ¼ 1 .

An n-variable Boolean function f is said to be bent if its Walsh transform takes only two values �2 n <sup>2</sup> . Moreover, f is said to be semi-bent function if for all ω∈F<sup>n</sup> 2

$$\mathcal{W}\_f(\boldsymbol{\alpha}) \in \begin{cases} \left\{ \boldsymbol{0}, \pm 2^{\frac{\boldsymbol{n} + 1}{2}} \right\}, \text{if } n \text{ is odd} \\ \left\{ \boldsymbol{0}, \pm 2^{\frac{\boldsymbol{n} + 2}{2}} \right\}, \text{if } n \text{ is even} \end{cases}. \tag{6}$$

The derivative of f xð Þ at <sup>a</sup>∈F<sup>n</sup> <sup>2</sup> , denoted by Daf xð Þ, is a Boolean function defined by Daf xð Þ¼ f xð Þþ <sup>þ</sup> <sup>a</sup> f xð Þ, for all <sup>x</sup>∈F<sup>n</sup> <sup>2</sup> . The notion of the derivative of a Boolean function is extended to higher orders as follows.

Suppose f g <sup>a</sup>1; …; ak is a basis of a <sup>k</sup> dimensional subspace <sup>V</sup> of <sup>F</sup><sup>n</sup> <sup>2</sup> . The k-th derivative of f with respect to V, denoted by DVf xð Þ, is a Boolean function defined by

$$D\_{\nabla}f(\mathbf{x}) = D\_{a\_k}D\_{a\_{k-1}}...D\_{a\_1}f(\mathbf{x}),\tag{7}$$

for all x∈ F<sup>n</sup> 2 :

#### 3. Cryptographic requirements for constructing Boolean functions

One of the fundamental research topics in cryptography is the construction of cryptographically significant Boolean functions, that is, a function which possesses some of the following properties:


Note that the algebraic degree of a Boolean balanced function in n-variables is at most n � 1.

which satisfy some of the properties above is practically impossible (unless the input variable space n is quite small). Indeed, the difficulty precisely lies in finding the best trade-offs between all criteria and proposing concrete constructions of functions achieving them. Thus, bringing new construction methods of these func-

f, algebraic degree d, and nonlinearity Nf . Siegenthaler [9] proved that

Implementing Symmetric Cryptography Using Sequence of Semi-Bent Functions

ð Þ 7; 2; 4; 56 function, one can generate a sequence of optimal plateaued

<sup>7</sup> <sup>þ</sup> <sup>3</sup>i; <sup>2</sup> <sup>þ</sup> <sup>2</sup>i; <sup>4</sup> <sup>þ</sup> <sup>i</sup>; <sup>2</sup><sup>7</sup>þ3i�<sup>1</sup> � 22þ2iþ<sup>1</sup> functions, 10 ð Þ ; <sup>4</sup>; <sup>5</sup>; <sup>480</sup> ,ð Þ <sup>13</sup>; <sup>6</sup>; <sup>6</sup>; <sup>3968</sup> , ð Þ 16; 8; 7; 32256 , etc: A modified version of Tarannikov's construction was presented in [16]. A construction of Boolean functions with maximum nonlinearity and small order of resiliency has also been considered in [17]. Later, Carlet [18] proposed a general framework for these iterative concatenation methods, unifying most of these techniques into a single method called "indirect sum." This construction leads to a multiple branching infinite tree of functions, but in order to employ this construction in the design of optimal plateaued functions in an iterative manner, there are certain conditions imposed on the initial pairs of disjoint spectra functions. A recursive construction method of optimal plateaued functions (the functions

iteration once again employs a 7ð Þ ; 2; 4; 56 function, whose 6-variable sub-functions have disjoint spectra, to construct a sequence of <sup>7</sup> <sup>þ</sup> <sup>4</sup>i; <sup>2</sup> <sup>þ</sup> <sup>3</sup>i; <sup>4</sup> <sup>þ</sup> <sup>i</sup>; 27þ4i�<sup>1</sup> � 22þ3iþ<sup>1</sup> optimal plateaued functions (whose 7ð Þ þ 4i � 1 -variable sub-functions are again disjoint spectra functions). Nevertheless, this iterative method generates the functions with relatively large order of resiliency ( 11 ð Þ ; 5; 5; 964 ,ð Þ 15; 8; 6; 15872 , ð Þ 19; 11; 7; 258048 , etc:), and in addition it only gives one infinite sequence of optimal plateaued functions. For instance, in the first step of iteration, an optimal plateaued 11 ð Þ ; 5; 5; 964 function is generated whose 10-variable sub-functions are again disjoint spectra functions (two 10 ð Þ ; 5; 4; 452 disjoint spectra functions), thus leaving some open slots concerning the construction of optimal plateaued functions when n ¼ 8, 9, 10. On the other hand, a modified Tarannikov construction has a slightly different effect, since the resiliency is increased by two at each step of iteration (but the degree is also increased by one) and the iteration step is three instead of four. Still, optimal plateaued functions cannot be generated for n ¼ 8 or

The idea of employing a set of disjoint spectra functions in construction of highly nonlinear resilient functions was firstly elaborated in [16]. Later, the sets of disjoint spectra functions were successfully used in constructions of almost optimal

function we specify an n-variable, m-resilient Boolean function

function for any given n and m while at the same

optimized function, such as the

<sup>2</sup> � 2) is given in [19]. The

m þ d≤n þ 1 if m ≤n � 2. The exact nature of trade-offs among order of correlation immunity, nonlinearity, and algebraic degree has also been investigated, for instance, ([12, 13]. Using the above bounds, one may naturally try to provide the

time attempting to optimize d and Nf . This optimization can be efficiently done for a small number of variables n≤ 5, but even some interesting open problems for n>5, related to the existence of 8ð Þ ; 1; 6; 116 and 7ð Þ ; 2; 4; 56 functions, were settled using some sophisticated computer search and theoretical results [14]. The importance of finding these optimized functions in small number of variables lies in the fact that one can use these functions recursively to obtain new instances of optimal functions in larger number of variables. For instance, Tarannikov [15] has provided a construction technique of optimized resilient Boolean functions with maximum possible nonlinearity. Basically Tarannikov's construction is a recursive one, and

tions is still a vivid research activity.

DOI: http://dx.doi.org/10.5772/intechopen.85023

construction of an n; m; d; Nf

using this technique and taking an n; m; d; Nf

of the form <sup>n</sup>; <sup>m</sup>; <sup>n</sup> � <sup>m</sup> � <sup>1</sup>; <sup>2</sup><sup>n</sup>�<sup>1</sup> � <sup>2</sup><sup>m</sup>þ<sup>1</sup> and for <sup>m</sup><sup>&</sup>gt; <sup>n</sup>

n ¼ 9 using the particular 7ð Þ ; 2; 4; 56 function.

7

By n; m; d; Nf


However, the major problem in construction of cryptographically strong functions is that the multiple criteria mentioned above have to be satisfied at the same time, while there exist intrinsic trade-offs between them. Such properties allow the system designer to quantify the level of resistance of the system to attacks. Since the number of Boolean functions in n-variables is 2<sup>2</sup><sup>n</sup> , an exhaustive search of functions which satisfy some of the properties above is practically impossible (unless the input variable space n is quite small). Indeed, the difficulty precisely lies in finding the best trade-offs between all criteria and proposing concrete constructions of functions achieving them. Thus, bringing new construction methods of these functions is still a vivid research activity.

By n; m; d; Nf function we specify an n-variable, m-resilient Boolean function f, algebraic degree d, and nonlinearity Nf . Siegenthaler [9] proved that m þ d≤n þ 1 if m ≤n � 2. The exact nature of trade-offs among order of correlation immunity, nonlinearity, and algebraic degree has also been investigated, for instance, ([12, 13]. Using the above bounds, one may naturally try to provide the construction of an n; m; d; Nf function for any given n and m while at the same time attempting to optimize d and Nf . This optimization can be efficiently done for a small number of variables n≤ 5, but even some interesting open problems for n>5, related to the existence of 8ð Þ ; 1; 6; 116 and 7ð Þ ; 2; 4; 56 functions, were settled using some sophisticated computer search and theoretical results [14]. The importance of finding these optimized functions in small number of variables lies in the fact that one can use these functions recursively to obtain new instances of optimal functions in larger number of variables. For instance, Tarannikov [15] has provided a construction technique of optimized resilient Boolean functions with maximum possible nonlinearity. Basically Tarannikov's construction is a recursive one, and using this technique and taking an n; m; d; Nf optimized function, such as the ð Þ 7; 2; 4; 56 function, one can generate a sequence of optimal plateaued <sup>7</sup> <sup>þ</sup> <sup>3</sup>i; <sup>2</sup> <sup>þ</sup> <sup>2</sup>i; <sup>4</sup> <sup>þ</sup> <sup>i</sup>; <sup>2</sup><sup>7</sup>þ3i�<sup>1</sup> � 22þ2iþ<sup>1</sup> functions, 10 ð Þ ; <sup>4</sup>; <sup>5</sup>; <sup>480</sup> ,ð Þ <sup>13</sup>; <sup>6</sup>; <sup>6</sup>; <sup>3968</sup> , ð Þ 16; 8; 7; 32256 , etc: A modified version of Tarannikov's construction was presented in [16]. A construction of Boolean functions with maximum nonlinearity and small order of resiliency has also been considered in [17]. Later, Carlet [18] proposed a general framework for these iterative concatenation methods, unifying most of these techniques into a single method called "indirect sum." This construction leads to a multiple branching infinite tree of functions, but in order to employ this construction in the design of optimal plateaued functions in an iterative manner, there are certain conditions imposed on the initial pairs of disjoint spectra functions.

A recursive construction method of optimal plateaued functions (the functions of the form <sup>n</sup>; <sup>m</sup>; <sup>n</sup> � <sup>m</sup> � <sup>1</sup>; <sup>2</sup><sup>n</sup>�<sup>1</sup> � <sup>2</sup><sup>m</sup>þ<sup>1</sup> and for <sup>m</sup><sup>&</sup>gt; <sup>n</sup> <sup>2</sup> � 2) is given in [19]. The iteration once again employs a 7ð Þ ; 2; 4; 56 function, whose 6-variable sub-functions have disjoint spectra, to construct a sequence of <sup>7</sup> <sup>þ</sup> <sup>4</sup>i; <sup>2</sup> <sup>þ</sup> <sup>3</sup>i; <sup>4</sup> <sup>þ</sup> <sup>i</sup>; 27þ4i�<sup>1</sup> � 22þ3iþ<sup>1</sup> optimal plateaued functions (whose 7ð Þ þ 4i � 1 -variable sub-functions are again disjoint spectra functions). Nevertheless, this iterative method generates the functions with relatively large order of resiliency ( 11 ð Þ ; 5; 5; 964 ,ð Þ 15; 8; 6; 15872 , ð Þ 19; 11; 7; 258048 , etc:), and in addition it only gives one infinite sequence of optimal plateaued functions. For instance, in the first step of iteration, an optimal plateaued 11 ð Þ ; 5; 5; 964 function is generated whose 10-variable sub-functions are again disjoint spectra functions (two 10 ð Þ ; 5; 4; 452 disjoint spectra functions), thus leaving some open slots concerning the construction of optimal plateaued functions when n ¼ 8, 9, 10. On the other hand, a modified Tarannikov construction has a slightly different effect, since the resiliency is increased by two at each step of iteration (but the degree is also increased by one) and the iteration step is three instead of four. Still, optimal plateaued functions cannot be generated for n ¼ 8 or n ¼ 9 using the particular 7ð Þ ; 2; 4; 56 function.

The idea of employing a set of disjoint spectra functions in construction of highly nonlinear resilient functions was firstly elaborated in [16]. Later, the sets of disjoint spectra functions were successfully used in constructions of almost optimal

Note that the algebraic degree of a Boolean balanced function in n-variables is

3. High nonlinearity is one of the most important properties in the design of symmetric-key cryptosystems, since it directly affects the resistance of the cipher to majority of cryptanalytic techniques. The nonlinearity simply measures the Hamming distance to the set of all affine functions. Therefore, a high nonlinearity implies a better resistance to affine approximation attacks [8]. According to the definition of nonlinearity, all affine functions have zero

nonlinearity. On the other hand, a Boolean function having nonzero nonlinearity implies the function is not affine. Thus, the nonlinearity of a

there is a class of Boolean functions, called bent functions, that have maximum

Boolean functions with high nonlinearity. However, this problem has been completely solved for quadratic Boolean functions (Boolean functions with the

4.In order to avoid correlation attack [9], the concept of correlation immune of order m implies that any sub-function deduced from a given Boolean function by fixing at most m inputs has the same output distribution as a given Boolean function. Correlation immune has long been recognized as one of the critical indicators of nonlinear combining functions of shift registers in stream generators. Moreover, if a balanced Boolean function f is correlation immune of order m, then f is said to be m-resilient. When used in stream cipher systems, a Boolean function is required to have high nonlinearity and resiliency for protection against correlation attacks. It is actually very difficult to find a balanced Boolean function which has a high correlation immunity order and at

5. Optimal algebraic immunity aims to provide resistance against algebraic attack. The algebraic immunity is the minimum value of d such that a given Boolean function f or its complement 1 þ f admits an annihilator (a nonzero Boolean function g such that fg ¼ 0) of algebraic degree d. In ciphers, Boolean functions with high algebraic immunity should be used in order to avoid the application of algebraic cryptanalysis [10]. Recall that algebraic attacks recover the secret key, or at least the initialization of the system, by solving a system of multivariate algebraic equations that describes a cipher. Although a high algebraic immunity is the necessary cryptographic requirement, it is not sufficient, because of a more general kind of attack introduced by Courtois [11] in 2003 called fast algebraic attack. It is well-known that maximum algebraic

2

constructing balanced Boolean functions with optimal algebraic immunity is thus of great significance. Moreover, several examples of functions having optimal algebraic immunity could be found but no example of correlation

However, the major problem in construction of cryptographically strong functions is that the multiple criteria mentioned above have to be satisfied at the same time, while there exist intrinsic trade-offs between them. Such properties allow the system designer to quantify the level of resistance of the system to attacks. Since the

. The problem of efficiently

, an exhaustive search of functions

). In general, it is not an easy problem to identify all

. On an even size Boolean space,

nonlinear Boolean function cannot exceed 2n�<sup>1</sup>

n <sup>2</sup>�1

Modern Cryptography – Current Challenges and Solutions

the same time has a high nonlinearity.

immunity of n-variable Boolean function is <sup>n</sup>

number of Boolean functions in n-variables is 2<sup>2</sup><sup>n</sup>

6

immune Boolean function with optimal algebraic immunity.

at most n � 1.

nonlinearity (2n�<sup>1</sup> � <sup>2</sup>

algebraic degree 2).

resilient functions. The generalized Maiorana-McFarland (GMM) construction method for obtaining the almost optimal resilient functions has been proposed in [20]. Namely, this construction generates the functions with relatively large number of variables and small order of resiliency. The resulting functions cannot be viewed as a pair of disjoint spectra almost optimal resilient functions. Recently, Zhang and Pasalic used GMM technique to obtain the strictly optimal resilient functions with high nonlinearity and good algebraic properties [21]. The design of some balanced functions that also achieve currently best known nonlinearity can be found in [22]. Although these construction methods achieve currently the best nonlinearity for a given function, these methods are only efficient for relatively large input space of variables.

One may define a Boolean function f with n even to be a quadratic bent function

h xð Þ¼ f xð Þþ g xð Þþ Daf xð Þþ Da½ � f xð Þg xð Þ

Another related approach, though without restriction on the degree of a single

Theorem 2. Let f be bent Boolean function in even number of variables. For a, α∈ F<sup>n</sup>

f xð Þþ <sup>þ</sup> <sup>a</sup> <sup>α</sup> � <sup>x</sup> <sup>þ</sup> <sup>d</sup> ,

¼ ½ f xð Þþ f xð Þ þ a � þ ½ � f xð Þþ αx þ d þ f xð Þþ þ a αx þ aα þ d

g xð Þ¼ f xð Þþ <sup>α</sup> � <sup>x</sup> <sup>þ</sup> <sup>d</sup>

h xð Þ¼ f xð Þþ g xð Þþ Daf xð Þþ Da½ � f xð Þg xð Þ

Daf xð Þþ Dag xð Þ¼ 1 if g xð Þ¼ f xð Þþ þ a αx þ d:

By Theorem 1 we deduce that h xð Þ¼ f xð Þþ g xð Þþ Daf xð Þþ Da½ � f xð Þg xð Þ is a semi-bent function. q.e.d. This result enables us to construct, for even n, an infinite sequence of semi-bent functions from bent functions. It would be of interest to find other examples or classes of bent functions g1, g2, apart from using affine equivalent functions g<sup>1</sup> and g2, satisfying Dag1ð Þ¼ x Dag2ð Þþ x 1. This appears to be a nontrivial task since apart

from establishing the fact that the used bent functions are indeed affine

<sup>þ</sup>x1x<sup>2</sup> <sup>þ</sup> <sup>x</sup>3x<sup>5</sup> <sup>þ</sup> <sup>x</sup>4x<sup>6</sup> <sup>þ</sup> <sup>x</sup>5x<sup>6</sup> be a bent function of degree 3 over <sup>F</sup><sup>6</sup>

inequivalent, at the same time, their derivatives need to satisfy the condition in

Example 1. Let f xð <sup>1</sup>; x2; x3; x4; x5; x6Þ ¼ x1x3x<sup>4</sup> þ x2x3x<sup>4</sup> þ x1x5x<sup>6</sup> þ x2x5x<sup>6</sup>

8 < :

¼

a ¼ ð Þ 0; 0; 1; 0; 0; 0 and α ¼ ð Þ 1; 0; 1; 0; 0; 0 such that a � α ¼ 1. Define the function g

�

Proof. Obviously, in both cases g is also a bent function, and if

Daf xð Þþ Dag xð Þ¼ ½ f xð Þþ f xð Þ þ a � þ ½ � g xð Þþ g xð Þ þ a

¼ a � α ¼ 1:

thermore, let <sup>g</sup> be a Boolean function defined as g xð Þ¼ f xð Þþ <sup>∑</sup><sup>n</sup>

Implementing Symmetric Cryptography Using Sequence of Semi-Bent Functions

is a quadratic semi-bent Boolean function.

DOI: http://dx.doi.org/10.5772/intechopen.85023

such that a � α ¼ 1 define the function g as either

where d∈F2. Then, the function

A similar calculation gives that

g xð Þ¼ f xð Þþ <sup>x</sup><sup>1</sup> <sup>þ</sup> <sup>x</sup><sup>3</sup>

8 < :

where d ¼ 0∈F2.

f xð Þþ þ a x<sup>1</sup> þ x<sup>3</sup>

Let us take g xð Þ¼ f xð Þþ x<sup>1</sup> þ x3. We have

is a semi-bent function.

g xð Þ¼ f xð Þþ αx þ d, we have

Theorem 1.

as either

9

bent function used, is given by the following result.

<sup>i</sup>¼<sup>1</sup>bixi <sup>þ</sup> <sup>∑</sup><sup>1</sup>≤<sup>i</sup> <sup>&</sup>lt; <sup>j</sup>≤<sup>n</sup> ci,jxixj for suitably chosen bi, ci,j <sup>∈</sup> <sup>F</sup>2. Fur-

<sup>2</sup> is such that a � α ¼ 1, it can be shown that the function

<sup>i</sup>¼1αixi, where

<sup>2</sup> . Take

f xð Þþ x<sup>1</sup> þ x<sup>3</sup>

,

f xð Þþ x1x<sup>4</sup> þ x2x<sup>4</sup> þ x<sup>1</sup> þ x<sup>3</sup> þ x<sup>5</sup>

2

(9)

of the form f xð Þ¼ <sup>∑</sup><sup>n</sup>

α<sup>i</sup> ∈F2. Then, if a∈ F<sup>n</sup>

#### 4. A construction of semi-bent Boolean functions

As it is described in the previous section, in the design of cryptographic functions, there is a need to consider various nonlinear characteristics simultaneously. But some characteristics restrict each other. Bent functions, for example, have maximum nonlinearity and satisfy the propagation criteria with respect to every nonzero vector over the Boolean spaces on which they are defined. However, bent functions are not balanced and exist only on even size Boolean spaces. Furthermore, bent functions are not correlation immune, and they are not suitable for use in cryptosystems. Partially bent functions are highly nonlinear and can be balanced. However, except for bent functions, partially bent functions have nonzero linear structures that are cryptographically undesirable. For these reasons, people study other classes of Boolean functions to try to overcome the disadvantage of bent functions or partially bent functions. The class of plateaued Boolean functions is one candidate that is defined by a series of inequalities and examines the critical case of each inequality. Compared with other functions, plateaued functions may reach the upper bound on nonlinearity given by the inequalities.

In what follows we specify a simple generic method for deriving semi-bent functions. This method is deduced from two bent functions whose derivatives differ by a constant one. It should be noticed that there are strong connections behind the concepts of bentness and semi-bentness though many questions remain unanswered. In particular, it is not settled how the cardinality of the whole class of bent functions relates to the class of semi-bent functions. Most notably, it appears that certain classes of semi-bent functions derived in [23] defined for even n are not extendable to bent functions in n þ 2 variables. In [24] and recently in [25], a sufficient condition on two bent functions g and h used in the construction of semi-bent functions was given as the following theorem.

Theorem 1. Let n be even, and suppose that f and g are two bent Boolean functions in n-variables. If there exists an a∈F<sup>n</sup> <sup>2</sup> such that Daf xð Þ¼ Dag xð Þþ 1, then the function

$$h(\mathbf{x}) = f(\mathbf{x}) + \mathbf{g}(\mathbf{x}) + D\_d f(\mathbf{x}) + D\_a[f(\mathbf{x})\mathbf{g}(\mathbf{x})] \tag{8}$$

is a semi-bent function in even number of variables.

This condition immediately implies the possibility of constructing infinite classes of semi-bent functions using known classes of quadratic bent functions. Notice that all quadratic Boolean functions (including bent and semi-bent functions) are classified up to equivalence and any quadratic bent function is affine equivalent to the canonical form given by ∑<sup>n</sup>=<sup>2</sup> <sup>i</sup>¼<sup>1</sup>x2i�<sup>1</sup>x2<sup>i</sup>.

Implementing Symmetric Cryptography Using Sequence of Semi-Bent Functions DOI: http://dx.doi.org/10.5772/intechopen.85023

One may define a Boolean function f with n even to be a quadratic bent function of the form f xð Þ¼ <sup>∑</sup><sup>n</sup> <sup>i</sup>¼<sup>1</sup>bixi <sup>þ</sup> <sup>∑</sup><sup>1</sup>≤<sup>i</sup> <sup>&</sup>lt; <sup>j</sup>≤<sup>n</sup> ci,jxixj for suitably chosen bi, ci,j <sup>∈</sup> <sup>F</sup>2. Furthermore, let <sup>g</sup> be a Boolean function defined as g xð Þ¼ f xð Þþ <sup>∑</sup><sup>n</sup> <sup>i</sup>¼1αixi, where α<sup>i</sup> ∈F2. Then, if a∈ F<sup>n</sup> <sup>2</sup> is such that a � α ¼ 1, it can be shown that the function

$$h(\mathbf{x}) = f(\mathbf{x}) + \mathbf{g}(\mathbf{x}) + D\_d f(\mathbf{x}) + D\_a[f(\mathbf{x})\mathbf{g}(\mathbf{x})],$$

is a quadratic semi-bent Boolean function.

Another related approach, though without restriction on the degree of a single bent function used, is given by the following result.

Theorem 2. Let f be bent Boolean function in even number of variables. For a, α∈ F<sup>n</sup> 2 such that a � α ¼ 1 define the function g as either

$$\mathbf{g}(\mathbf{x}) = \begin{cases} f(\mathbf{x}) + a \cdot \mathbf{x} + d \\ f(\mathbf{x} + a) + a \cdot \mathbf{x} + d \end{cases},\tag{9}$$

where d∈F2. Then, the function

h xð Þ¼ f xð Þþ g xð Þþ Daf xð Þþ Da½ � f xð Þg xð Þ

is a semi-bent function.

resilient functions. The generalized Maiorana-McFarland (GMM) construction method for obtaining the almost optimal resilient functions has been proposed in [20]. Namely, this construction generates the functions with relatively large number of variables and small order of resiliency. The resulting functions cannot be viewed as a pair of disjoint spectra almost optimal resilient functions. Recently, Zhang and Pasalic used GMM technique to obtain the strictly optimal resilient functions with high nonlinearity and good algebraic properties [21]. The design of some balanced functions that also achieve currently best known nonlinearity can be found in [22]. Although these construction methods achieve currently the best nonlinearity for a given function, these methods are only efficient for relatively

As it is described in the previous section, in the design of cryptographic functions, there is a need to consider various nonlinear characteristics simultaneously. But some characteristics restrict each other. Bent functions, for example, have maximum nonlinearity and satisfy the propagation criteria with respect to every nonzero vector over the Boolean spaces on which they are defined. However, bent functions are not balanced and exist only on even size Boolean spaces. Furthermore, bent functions are not correlation immune, and they are not suitable for use in cryptosystems. Partially bent functions are highly nonlinear and can be balanced. However, except for bent functions, partially bent functions have nonzero linear structures that are cryptographically undesirable. For these reasons, people study other classes of Boolean functions to try to overcome the disadvantage of bent functions or partially bent functions. The class of plateaued Boolean functions is one candidate that is defined by a series of inequalities and examines the critical case of each inequality. Compared with other functions, plateaued functions may reach the

In what follows we specify a simple generic method for deriving semi-bent functions. This method is deduced from two bent functions whose derivatives differ by a constant one. It should be noticed that there are strong connections behind the concepts of bentness and semi-bentness though many questions remain unanswered. In particular, it is not settled how the cardinality of the whole class of bent functions relates to the class of semi-bent functions. Most notably, it appears that certain classes of semi-bent functions derived in [23] defined for even n are not extendable to bent functions in n þ 2 variables. In [24] and recently in [25], a sufficient condition on two bent functions g and h used in the construction of

Theorem 1. Let n be even, and suppose that f and g are two bent Boolean

<sup>i</sup>¼<sup>1</sup>x2i�<sup>1</sup>x2<sup>i</sup>.

This condition immediately implies the possibility of constructing infinite classes of semi-bent functions using known classes of quadratic bent functions. Notice that all quadratic Boolean functions (including bent and semi-bent functions) are classified up to equivalence and any quadratic bent function is affine equivalent to

<sup>2</sup> such that Daf xð Þ¼ Dag xð Þþ 1, then

h xð Þ¼ f xð Þþ g xð Þþ Daf xð Þþ Da½ � f xð Þg xð Þ (8)

large input space of variables.

4. A construction of semi-bent Boolean functions

Modern Cryptography – Current Challenges and Solutions

upper bound on nonlinearity given by the inequalities.

semi-bent functions was given as the following theorem.

is a semi-bent function in even number of variables.

functions in n-variables. If there exists an a∈F<sup>n</sup>

the canonical form given by ∑<sup>n</sup>=<sup>2</sup>

the function

8

Proof. Obviously, in both cases g is also a bent function, and if g xð Þ¼ f xð Þþ αx þ d, we have

$$\begin{aligned} D\_d f(\mathbf{x}) + D\_d \mathbf{g}(\mathbf{x}) &= [f(\mathbf{x}) + f(\mathbf{x} + a)] + [\mathbf{g}(\mathbf{x}) + \mathbf{g}(\mathbf{x} + a)] \\ &= [f(\mathbf{x}) + f(\mathbf{x} + a)] + [f(\mathbf{x}) + a\mathbf{x} + d + f(\mathbf{x} + a) + a\mathbf{x} + a\mathbf{a} + d] \\ &= \mathbf{a} \cdot \mathbf{a} = \mathbf{1}. \end{aligned}$$

A similar calculation gives that

$$D\_q f(\mathbf{x}) + D\_a \mathbf{g}(\mathbf{x}) = \mathbf{1} \circ \mathbf{f} \,\mathbf{g}(\mathbf{x}) = f(\mathbf{x} + \mathbf{a}) + a\mathbf{x} + d.\mathbf{x}$$

By Theorem 1 we deduce that h xð Þ¼ f xð Þþ g xð Þþ Daf xð Þþ Da½ � f xð Þg xð Þ is a semi-bent function. q.e.d.

This result enables us to construct, for even n, an infinite sequence of semi-bent functions from bent functions. It would be of interest to find other examples or classes of bent functions g1, g2, apart from using affine equivalent functions g<sup>1</sup> and g2, satisfying Dag1ð Þ¼ x Dag2ð Þþ x 1. This appears to be a nontrivial task since apart from establishing the fact that the used bent functions are indeed affine inequivalent, at the same time, their derivatives need to satisfy the condition in Theorem 1.

Example 1. Let f xð <sup>1</sup>; x2; x3; x4; x5; x6Þ ¼ x1x3x<sup>4</sup> þ x2x3x<sup>4</sup> þ x1x5x<sup>6</sup> þ x2x5x<sup>6</sup> <sup>þ</sup>x1x<sup>2</sup> <sup>þ</sup> <sup>x</sup>3x<sup>5</sup> <sup>þ</sup> <sup>x</sup>4x<sup>6</sup> <sup>þ</sup> <sup>x</sup>5x<sup>6</sup> be a bent function of degree 3 over <sup>F</sup><sup>6</sup> <sup>2</sup> . Take a ¼ ð Þ 0; 0; 1; 0; 0; 0 and α ¼ ð Þ 1; 0; 1; 0; 0; 0 such that a � α ¼ 1. Define the function g as either

$$g(\mathbf{x}) = \begin{cases} f(\mathbf{x}) + \mathbf{x}\_1 + \mathbf{x}\_3 \\ f(\mathbf{x} + a) + \mathbf{x}\_1 + \mathbf{x}\_3 \end{cases} = \begin{cases} f(\mathbf{x}) + \mathbf{x}\_1 + \mathbf{x}\_3 \\ f(\mathbf{x}) + \mathbf{x}\_1 \mathbf{x}\_4 + \mathbf{x}\_2 \mathbf{x}\_4 + \mathbf{x}\_1 + \mathbf{x}\_3 + \mathbf{x}\_5 \end{cases},$$

where d ¼ 0∈F2. Let us take g xð Þ¼ f xð Þþ x<sup>1</sup> þ x3. We have

$$D\_4 f(\mathbf{x}) = f(\mathbf{x}) + f(\mathbf{x} + \mathbf{a}) = f(\mathbf{x}) + f(\mathbf{x}) + \mathbf{x}\_1 \mathbf{x}\_4 + \mathbf{x}\_2 \mathbf{x}\_4 + \mathbf{x}\_5 = \mathbf{x}\_1 \mathbf{x}\_4 + \mathbf{x}\_2 \mathbf{x}\_4 + \mathbf{x}\_5.$$

Proof. Assume that g xð Þ¼ f xð Þþ þ a αx þ d. Without loss of generality, we can

Implementing Symmetric Cryptography Using Sequence of Semi-Bent Functions

where DbDaf xð Þ¼ f xð Þþ f xð Þþ þ a f xð Þþ þ b f xð Þ þ a þ b , and therefore

Dbh xð Þ¼ DbDaf xð Þþ αb þ DbDaf xð Þþ DbDa½ �¼ f xð Þg xð Þ DbDa½ �þ f xð Þg xð Þ αb:

¼ Db½ � f xð Þðf xð Þþ þ a αxÞ þ f xð Þ þ a ð Þ f xð Þþ αð Þ x þ a

αxDbDaf xð Þ¼ f xð Þþ þ a f xð Þ þ a þ b αxf x ½ ð Þþ f xð Þþ þ a f xð Þþ þ b f xð Þ þ a þ b � ¼ f xð Þþ þ a f xð Þ þ a þ b ð Þ αx þ 1 ½f xð Þþ þ a f xð Þ þ a þ b � þ αxf x ½ ð Þþ f xð Þ þ b � ¼ 0 ð Þ αx þ 1 Dbf xð Þþ þ a αxDbf xð Þ¼ 0 αxDbf xð Þþ þ a αxDbf xð Þþ Dbf xð Þ¼ þ a 0:

Dbf xð Þ¼ þ a 0 ⇔ f xð Þ¼ þ a f xð Þ) þ a þ b b ¼ 0: A contradiction.

Hence, Dbh xð Þ is constant if and only if DbDa½ � f xð Þg xð Þ is constant. But,

¼ Db½ � αxfx ð ð Þþ f xð Þ þ a Þ þ αaf xð Þ þ a

¼ Db½ � αxfx ð ð Þþ f xð Þ þ a Þ þ f xð Þ þ a

Thus, if αb ¼ 0, then Dbh xð Þ is constant if and only if

1. αxDbf xð Þ¼ þ a αxDbf xð Þ¼ Dbf xð Þ¼ þ a 0, i.e.,

2. αxDbf xð Þ¼ þ a αxDbf xð Þ¼ 1 ∧ Dbf xð Þ¼ þ a 0, i.e.,

3. αxDbf xð Þ¼ þ a 0 ∧ αxDbf xð Þ¼ Dbf xð Þ¼ þ a 1, i.e.,

4.αxDbf xð Þ¼ þ a Dbf xð Þ¼ þ a 1 ∧ αxDbf xð Þ¼ 0, i.e.,

On the other hand, if αb ¼ 1, then Dbh xð Þ is constant if and only if

αxDbDaf xð Þ¼ f xð Þþ þ a f xð Þ þ b αxf x ½ ð Þþ f xð Þþ þ a f xð Þþ þ b f xð Þ þ a þ b � ¼ f xð Þþ þ a f xð Þ þ b ð Þ αx þ 1 ½f xð Þþ þ a f xð Þ þ b � þ αxf x ½ ð Þþ f xð Þ þ a þ b � ¼ 0:

Dbf xð Þ¼ þ a 0 ) b ¼ 0: A contradiction.

Dbf xð Þ¼ þ a 0 ) b ¼ 0: A contradiction.

Dbf xð Þ¼ þ a 0 ) b ¼ 0: A contradiction.

¼ ½ f xð Þþ f xð Þ þ b � þ ½ � f xð Þþ þ a αð Þþ x þ a d þ f xð Þþ þ a þ b αð Þþ x þ a þ b d

¼ αxDbDaf xð Þþ αbfx ½ ð Þþ þ b f xð Þ þ a þ b � þ f xð Þþ þ a f xð Þ þ a þ b :

take d ¼ 0: Then,

Dbf xð Þþ Dbg xð Þ¼ ½ f xð Þþ f xð Þ þ b � þ ½ � g xð Þþ g xð Þ þ b

DOI: http://dx.doi.org/10.5772/intechopen.85023

¼ DbDaf xð Þþ αb,

DbDa½ �¼ f xð Þg xð Þ Db½ � f xð Þg xð Þþ f xð Þ þ a g xð Þ þ a

There are four possible cases:

11

so that

$$f(\mathbf{x}) + \mathbf{g}(\mathbf{x}) + D\_{\mathbf{q}}f(\mathbf{x}) = \mathbf{x}\_1 \mathbf{x}\_4 + \mathbf{x}\_2 \mathbf{x}\_4 + \mathbf{x}\_1 + \mathbf{x}\_3 + \mathbf{x}\_5.$$

Then, using the idempotent property of Boolean ring,

f xð Þg xð Þ¼ f xð Þðf xð Þþ x<sup>1</sup> þ x3Þ ¼ f xð Þð Þ 1 þ x<sup>1</sup> þ x<sup>3</sup> ¼ ð Þ x1x3x<sup>4</sup> þ x2x3x<sup>4</sup> þ x1x5x<sup>6</sup> þ x2x5x<sup>6</sup> þ x1x<sup>2</sup> þ x3x<sup>5</sup> þ x4x<sup>6</sup> þ x5x<sup>6</sup> ð Þ 1 þ x<sup>1</sup> þ x<sup>5</sup> ¼ x1x2x3x<sup>4</sup> þ x1x2x5x<sup>6</sup> þ x2x3x4x<sup>5</sup> þ x1x2x<sup>5</sup> þ x1x3x<sup>4</sup> þ x1x3x<sup>5</sup> þ x1x4x<sup>6</sup> þ x2x3x<sup>4</sup> þ x4x5x<sup>6</sup> þ x4x6: f xð Þ þ a g xð Þ¼ þ a f xð Þ þ a ðf xð Þþ þ a x<sup>1</sup> þ x<sup>3</sup> þ 1Þ ¼ f xð Þ þ a ð Þ x<sup>1</sup> þ x<sup>3</sup> ¼ ð Þ f xð Þþ x1x<sup>4</sup> þ x2x<sup>4</sup> þ x<sup>5</sup> ð Þ x<sup>1</sup> þ x<sup>3</sup> ¼ f xð Þð Þþ x<sup>1</sup> þ x<sup>3</sup> ð Þ x1x<sup>4</sup> þ x2x<sup>4</sup> þ x<sup>5</sup> ð Þ x<sup>1</sup> þ x<sup>3</sup> :

After some simplification, we get

$$D\_d[f(\mathbf{x})\mathbf{g}(\mathbf{x})] = f(\mathbf{x})\mathbf{g}(\mathbf{x}) + f(\mathbf{x} + a)\mathbf{g}(\mathbf{x} + a)$$

$$= f(\mathbf{x}) + (\mathbf{x}\_1\mathbf{x}\_4 + \mathbf{x}\_2\mathbf{x}\_4 + \mathbf{x}\_5)(\mathbf{x}\_1 + \mathbf{x}\_3)$$

$$= \mathbf{x}\_1\mathbf{x}\_5\mathbf{x}\_6 + \mathbf{x}\_2\mathbf{x}\_5\mathbf{x}\_6 + \mathbf{x}\_1\mathbf{x}\_2 + \mathbf{x}\_1\mathbf{x}\_4 + \mathbf{x}\_1\mathbf{x}\_5 + \mathbf{x}\_2\mathbf{x}\_4 + \mathbf{x}\_4\mathbf{x}\_6 + \mathbf{x}\_5\mathbf{x}\_6.$$

Finally,

$$\begin{aligned} h(\mathbf{x}) &= f(\mathbf{x}) + \mathbf{g}(\mathbf{x}) + D\_{\mathbf{f}}f(\mathbf{x}) + D\_{\mathbf{f}}[f(\mathbf{x})\mathbf{g}(\mathbf{x})] \\ &= \mathbf{x}\_1 \mathbf{x}\_5 \mathbf{x}\_6 + \mathbf{x}\_2 \mathbf{x}\_5 \mathbf{x}\_6 + \mathbf{x}\_1 \mathbf{x}\_2 + \mathbf{x}\_1 \mathbf{x}\_5 + \mathbf{x}\_4 \mathbf{x}\_6 + \mathbf{x}\_5 \mathbf{x}\_6 + \mathbf{x}\_1 + \mathbf{x}\_3 + \mathbf{x}\_5. \end{aligned}$$

It is easy to compute the Walsh spectrum of function h xð Þ, i.e., Whð Þ¼ ω f g 0; �16 , which means that h xð Þ is a semi-bent function.

Notice that the standard derivation rule for multiplication does not apply for our definition of derivatives. Indeed, the derivative Da½ �¼ f xð Þg xð Þ f xð Þg xð Þþ f xð Þ þ a g xð Þ þ a is different from g xð ÞDaf xð Þþ f xð ÞDag xð Þ¼ f xð Þ þ a g xð Þþ f xð Þg xð Þ þ a : Furthermore, using the fact that DaDaf xð Þ¼ 0 for any Boolean function f, we have

$$\begin{aligned} D\_d h(\mathbf{x}) &= h(\mathbf{x}) + h(\mathbf{x} + a) \\ &= f(\mathbf{x}) + \mathbf{g}(\mathbf{x}) + D\_d f(\mathbf{x}) + D\_d [f(\mathbf{x}) \mathbf{g}(\mathbf{x})] + f(\mathbf{x} + a) + \mathbf{g}(\mathbf{x} + a) \\ &+ D\_d f(\mathbf{x} + a) + D\_d [f(\mathbf{x} + a) \mathbf{g}(\mathbf{x} + a)] \\ &= D\_d f(\mathbf{x}) + D\_d \mathbf{g}(\mathbf{x}) + D\_d D\_d f(\mathbf{x}) + D\_d D\_d [f(\mathbf{x}) \mathbf{g}(\mathbf{x})] \\ &= D\_d f(\mathbf{x}) + D\_d \mathbf{g}(\mathbf{x}) = \mathbf{1}. \end{aligned}$$

Thus, the element a is always a linear structure of h xð Þ. Nevertheless, we show that under certain sufficient conditions, a is the only linear structure of h xð Þ. We have the following theorem.

Theorem 3. Let h be defined as in Theorem 2, and assume that a bent function f xð Þ is such that degð Þ Dbf xð Þ >1, for any b<sup>∈</sup> <sup>F</sup><sup>n</sup> <sup>2</sup> ∖f g0 : Then h has a single linear structure, that is, Dbh xð Þ¼ h xð Þþ h xð Þ þ b is a constant function only for b ¼ a.

Implementing Symmetric Cryptography Using Sequence of Semi-Bent Functions DOI: http://dx.doi.org/10.5772/intechopen.85023

Proof. Assume that g xð Þ¼ f xð Þþ þ a αx þ d. Without loss of generality, we can take d ¼ 0: Then,

$$D\_{\mathbf{b}}f(\mathbf{x}) + D\_{\mathbf{b}}\mathbf{g}(\mathbf{x}) = [f(\mathbf{x}) + f(\mathbf{x} + b)] + [\mathbf{g}(\mathbf{x}) + \mathbf{g}(\mathbf{x} + b)]$$

$$= [f(\mathbf{x}) + f(\mathbf{x} + b)] + [f(\mathbf{x} + a) + a(\mathbf{x} + a) + d + f(\mathbf{x} + a + b) + a(\mathbf{x} + a + b) + d]$$

$$= D\_{\mathbf{b}}D\_{\mathbf{d}}f(\mathbf{x}) + ab,$$

where DbDaf xð Þ¼ f xð Þþ f xð Þþ þ a f xð Þþ þ b f xð Þ þ a þ b , and therefore

$$D\_b h(\mathbf{x}) = D\_b D\_d f(\mathbf{x}) + a \mathbf{b} + D\_b D\_d f(\mathbf{x}) + D\_b D\_a [f(\mathbf{x}) \mathbf{g}(\mathbf{x})] = D\_b D\_a [f(\mathbf{x}) \mathbf{g}(\mathbf{x})] + a \mathbf{b}.$$

Hence, Dbh xð Þ is constant if and only if DbDa½ � f xð Þg xð Þ is constant. But,

$$D\_b D\_a[f(\mathbf{x})\mathbf{g}(\mathbf{x})] = D\_b[f(\mathbf{x})\mathbf{g}(\mathbf{x}) + f(\mathbf{x}+a)\mathbf{g}(\mathbf{x}+a)]$$

$$= D\_b[f(\mathbf{x})(f(\mathbf{x}+a) + a\mathbf{x}) + f(\mathbf{x}+a)(f(\mathbf{x}) + a(\mathbf{x}+a))]$$

$$= D\_b[a\mathbf{x}(f(\mathbf{x}) + f(\mathbf{x}+a)) + a\mathbf{a}f(\mathbf{x}+a)]$$

$$= D\_b[a\mathbf{x}(f(\mathbf{x}) + f(\mathbf{x}+a)) + f(\mathbf{x}+a)]$$

$$= a\alpha D\_b D\_d f(\mathbf{x}) + ab[f(\mathbf{x}+b) + f(\mathbf{x}+a+b)] + f(\mathbf{x}+a) + f(\mathbf{x}+a+b).$$

Thus, if αb ¼ 0, then Dbh xð Þ is constant if and only if

$$axD\_bD\_af(\mathbf{x}) = f(\mathbf{x} + a) + f(\mathbf{x} + a + b)$$

$$ax[f(\mathbf{x}) + f(\mathbf{x} + a) + f(\mathbf{x} + b) + f(\mathbf{x} + a + b)] = f(\mathbf{x} + a) + f(\mathbf{x} + a + b)$$

$$(ax + 1)[f(\mathbf{x} + a) + f(\mathbf{x} + a + b)] + ax[f(\mathbf{x}) + f(\mathbf{x} + b)] = \mathbf{0}$$

$$(ax + 1)D\_bf(\mathbf{x} + a) + axD\_bf(\mathbf{x}) = \mathbf{0}$$

$$axD\_bf(\mathbf{x} + a) + axD\_bf(\mathbf{x}) + D\_bf(\mathbf{x} + a) = \mathbf{0}.$$

There are four possible cases:


On the other hand, if αb ¼ 1, then Dbh xð Þ is constant if and only if

$$axD\_bD\_af(\mathbf{x}) = f(\mathbf{x} + a) + f(\mathbf{x} + b)$$

$$ax[f(\mathbf{x}) + f(\mathbf{x} + a) + f(\mathbf{x} + b) + f(\mathbf{x} + a + b)] = f(\mathbf{x} + a) + f(\mathbf{x} + b)$$

$$(a\mathbf{x} + \mathbf{1})[f(\mathbf{x} + a) + f(\mathbf{x} + b)] + ax[f(\mathbf{x}) + f(\mathbf{x} + a + b)] = \mathbf{0}.$$

Daf xð Þ¼ f xð Þþ f xð Þ¼ þ a f xð Þþ f xð Þþ x1x<sup>4</sup> þ x2x<sup>4</sup> þ x<sup>5</sup> ¼ x1x<sup>4</sup> þ x2x<sup>4</sup> þ x5,

f xð Þþ g xð Þþ Daf xð Þ¼ x1x<sup>4</sup> þ x2x<sup>4</sup> þ x<sup>1</sup> þ x<sup>3</sup> þ x5:

¼ ð Þ x1x3x<sup>4</sup> þ x2x3x<sup>4</sup> þ x1x5x<sup>6</sup> þ x2x5x<sup>6</sup> þ x1x<sup>2</sup> þ x3x<sup>5</sup> þ x4x<sup>6</sup> þ x5x<sup>6</sup> ð Þ 1 þ x<sup>1</sup> þ x<sup>5</sup> ¼ x1x2x3x<sup>4</sup> þ x1x2x5x<sup>6</sup> þ x2x3x4x<sup>5</sup> þ x1x2x<sup>5</sup> þ x1x3x<sup>4</sup> þ x1x3x<sup>5</sup> þ x1x4x<sup>6</sup>

¼ x1x5x<sup>6</sup> þ x2x5x<sup>6</sup> þ x1x<sup>2</sup> þ x1x<sup>4</sup> þ x1x<sup>5</sup> þ x2x<sup>4</sup> þ x4x<sup>6</sup> þ x5x6:

Then, using the idempotent property of Boolean ring,

f xð Þ þ a g xð Þ¼ þ a f xð Þ þ a ðf xð Þþ þ a x<sup>1</sup> þ x<sup>3</sup> þ 1Þ ¼ f xð Þ þ a ð Þ x<sup>1</sup> þ x<sup>3</sup> ¼ ð Þ f xð Þþ x1x<sup>4</sup> þ x2x<sup>4</sup> þ x<sup>5</sup> ð Þ x<sup>1</sup> þ x<sup>3</sup>

¼ f xð Þþ ð Þ x1x<sup>4</sup> þ x2x<sup>4</sup> þ x<sup>5</sup> ð Þ x<sup>1</sup> þ x<sup>3</sup>

definition of derivatives. Indeed, the derivative Da½ �¼ f xð Þg xð Þ f xð Þg xð Þþ f xð Þ þ a g xð Þ þ a is different from g xð ÞDaf xð Þþ f xð ÞDag xð Þ¼ f xð Þ þ a g xð Þþ f xð Þg xð Þ þ a : Furthermore, using the fact that DaDaf xð Þ¼ 0 for any Boolean

þ Daf xð Þþ þ a Da½ � f xð Þ þ a g xð Þ þ a

is, Dbh xð Þ¼ h xð Þþ h xð Þ þ b is a constant function only for b ¼ a.

¼ Daf xð Þþ Dag xð Þþ DaDaf xð Þþ DaDa½ � f xð Þg xð Þ

¼ f xð Þð Þþ x<sup>1</sup> þ x<sup>3</sup> ð Þ x1x<sup>4</sup> þ x2x<sup>4</sup> þ x<sup>5</sup> ð Þ x<sup>1</sup> þ x<sup>3</sup> :

¼ x1x5x<sup>6</sup> þ x2x5x<sup>6</sup> þ x1x<sup>2</sup> þ x1x<sup>5</sup> þ x4x<sup>6</sup> þ x5x<sup>6</sup> þ x<sup>1</sup> þ x<sup>3</sup> þ x5:

It is easy to compute the Walsh spectrum of function h xð Þ, i.e., Whð Þ¼ ω f g 0; �16 ,

Notice that the standard derivation rule for multiplication does not apply for our

¼ f xð Þþ g xð Þþ Daf xð Þþ Da½ �þ f xð Þg xð Þ f xð Þþ þ a g xð Þ þ a

Thus, the element a is always a linear structure of h xð Þ. Nevertheless, we show that under certain sufficient conditions, a is the only linear structure of h xð Þ. We

Theorem 3. Let h be defined as in Theorem 2, and assume that a bent function f xð Þ is

<sup>2</sup> ∖f g0 : Then h has a single linear structure, that

f xð Þg xð Þ¼ f xð Þðf xð Þþ x<sup>1</sup> þ x3Þ ¼ f xð Þð Þ 1 þ x<sup>1</sup> þ x<sup>3</sup>

Modern Cryptography – Current Challenges and Solutions

þ x2x3x<sup>4</sup> þ x4x5x<sup>6</sup> þ x4x6:

Da½ �¼ f xð Þg xð Þ f xð Þg xð Þþ f xð Þ þ a g xð Þ þ a

h xð Þ¼ f xð Þþ g xð Þþ Daf xð Þþ Da½ � f xð Þg xð Þ

which means that h xð Þ is a semi-bent function.

¼ Daf xð Þþ Dag xð Þ¼ 1:

After some simplification, we get

so that

Finally,

function f, we have

Dah xð Þ¼ h xð Þþ h xð Þ þ a

have the following theorem.

10

such that degð Þ Dbf xð Þ >1, for any b<sup>∈</sup> <sup>F</sup><sup>n</sup>

It is obvious that f xð Þ¼ þ a f xð Þ þ b is equivalent to f xð Þ¼ f xð Þ þ a þ b . Thus, the above equation is constant if and only if f xð Þ¼ þ a f xð Þ þ b , which implies that a ¼ b. The sufficiency of this condition is obvious. For the necessity, we first observe that for a 6¼ b the functions f xð Þþ þ a f xð Þ þ b and f xð Þþ f xð Þ þ a þ b being derivatives of a bent function f are both nonconstant. Then, assuming that

Example 3. Let

By Example 1 we have

Dah xð Þ¼ h xð Þþ h xð Þ þ a

¼ 1:

5. Conclusions

Acknowledgements

program P2-0037).

13

f xð <sup>1</sup>; x2; x3; x4; x5; x6Þ ¼ x1x3x<sup>4</sup> þ x2x3x<sup>4</sup> þ x1x5x<sup>6</sup> þ x2x5x<sup>6</sup> þ x1x<sup>2</sup> þ x3x5þ

Implementing Symmetric Cryptography Using Sequence of Semi-Bent Functions

α ¼ ð Þ 1; 0; 1; 0; 0; 0 such that a � α ¼ 1. Define the function g as g xð Þ¼ f xð Þþ x<sup>1</sup> þ x3:

h xð Þ¼ x1x5x<sup>6</sup> þ x2x5x<sup>6</sup> þ x1x<sup>2</sup> þ x1x<sup>5</sup> þ x4x<sup>6</sup> þ x5x<sup>6</sup> þ x<sup>1</sup> þ x<sup>3</sup> þ x5:

Moreover, by Theorem 2 h has a single linear structure only for b ¼ a. Indeed,

¼ x1x5x<sup>6</sup> þ x2x5x<sup>6</sup> þ x1x<sup>2</sup> þ x1x<sup>5</sup> þ x4x<sup>6</sup> þ x5x<sup>6</sup> þ x<sup>1</sup> þ x<sup>3</sup> þ x5þ

The need for the most possible secure cryptographic primitives in cipher systems is of great importance. In the case of stream ciphers, most of the reliability and security lies in the Boolean functions. For the cryptographic point of view to be good, a Boolean function should possess several cryptographic properties mentioned in this work. Very often such properties contradict each other. Therefore, the problem of constructing Boolean functions with stronger cryptographic properties is still a vivid research activity. We may also require new properties because attacks never stop. On the other hand, semi-bent functions are interesting for defending against the so-called soft output joint attack on pseudorandom generators, which are used in the IS-95 standard of code division multiple access technology. In this work we present an infinite sequence of semi-bent functions using known classes of quadratic bent functions. The construction of other classes of infinite sequences of

This research was supported by the Slovenian Research Agency (research

þx1x5x<sup>6</sup> þ x2x5x<sup>6</sup> þ x1x<sup>2</sup> þ x1x<sup>5</sup> þ x4x<sup>6</sup> þ x5x<sup>6</sup> þ x<sup>1</sup> þ x<sup>3</sup> þ 1 þ x<sup>5</sup>

<sup>2</sup> . Take a ¼ ð Þ 0; 0; 1; 0; 0; 0 and

<sup>x</sup>4x<sup>6</sup> <sup>þ</sup> <sup>x</sup>5x<sup>6</sup> be a bent function of degree 3 over <sup>F</sup><sup>6</sup>

DOI: http://dx.doi.org/10.5772/intechopen.85023

semi-bent functions is an interesting research challenge.

$$D\_b D\_a f(\mathbf{x}) = f(\mathbf{x}) + f(\mathbf{x} + a) + f(\mathbf{x} + b) + f(\mathbf{x} + a + b) = \mathbf{0},$$

it would imply that f xð Þþ þ a f xð Þ þ b is constant, a contradiction. On the other hand, the function αxDbDaf xð Þ cannot be balanced, unless DbDaf xð Þ¼ αx. Because of the assumption, degð Þ f xð Þþ þ a f xð Þ þ b >1 and therefore cannot be equal to αx.

The proof for the case g xð Þ¼ f xð Þþ αx þ d is similar as above, and it is omitted here. q.e.d.

Notice the condition in Theorem 3 that degð Þ Dbf xð Þ >1 is sufficient but may not be necessary. An analysis of other cryptographic criteria appears to be difficult due to the dependency of h on the choice of a bent function f and the use of the derivative Da½ � f xð Þg xð Þ in its definition, which is illustrated in the following example.

Example 2. Let <sup>n</sup> be even and f xð Þ¼ ; <sup>y</sup> <sup>x</sup> � <sup>y</sup>, where x, y∈F<sup>k</sup> <sup>2</sup> is a bent function and belongs to the Maiorana-McFarland class. Then, defining g xð Þ¼ ; <sup>y</sup> f xð Þþ <sup>þ</sup> <sup>a</sup>; <sup>y</sup> <sup>þ</sup> <sup>b</sup> ð Þ� <sup>α</sup>; <sup>β</sup> ð Þ <sup>x</sup>; <sup>y</sup> for a nonzero ð Þ <sup>a</sup>; <sup>b</sup> <sup>∈</sup> <sup>F</sup><sup>k</sup> <sup>2</sup> � <sup>F</sup><sup>k</sup> <sup>2</sup> such that ð Þ� α; β ð Þ¼ a; b 1, we have

$$g(\mathbf{x}, \mathbf{y}) = \mathbf{x} \cdot \mathbf{y} + (a + b) \cdot \mathbf{x} + (a + \beta) \cdot \mathbf{y} + a \cdot \mathbf{b},$$

which is clearly a bent function obtained by adding an affine function to f. Similarly,

Dð Þ <sup>a</sup>;<sup>b</sup> f xð Þ¼ ; y x � b þ a � y þ a � b, so that

$$f(\mathbf{x}, \boldsymbol{y}) + \mathbf{g}(\mathbf{x}, \boldsymbol{y}) + D\_{(a,b)}f(\mathbf{x}, \boldsymbol{y}) = a \cdot \mathbf{x} + \boldsymbol{\beta} \cdot \boldsymbol{y}.$$

Then, using the idempotent property of Boolean ring,

$$\begin{aligned} f(\mathbf{x}, \mathbf{y}) \cdot \mathbf{g}(\mathbf{x}, \mathbf{y}) &= (\mathbf{x} \cdot \mathbf{y})(\mathbf{x} \cdot \mathbf{y} + (a + b) \cdot \mathbf{x} + (a + \beta) \cdot \mathbf{y} + a \cdot b) \\ &= (\mathbf{1} + a \cdot b)(\mathbf{x}, \mathbf{y}) + ((a + b) \cdot \mathbf{x} + (a + \beta) \cdot \mathbf{y})(\mathbf{x} \cdot \mathbf{y}). \end{aligned}$$

Note that the first term is a quadratic function and the second term is cubic. After some simplifications we have

$$D\_{(\mu, b)}[f(\mathbf{x}, \mathbf{y})g(\mathbf{x}, \mathbf{y})] = \mathbf{x} \cdot \mathbf{y} + (b \cdot \mathbf{x} + a \cdot \mathbf{y} + a \cdot b)(\mathbf{1} + a \cdot b + a \cdot \mathbf{x} + a \cdot a + b \cdot \mathbf{x})$$

$$+ a \cdot b + a \cdot \mathbf{y} + \beta \cdot \mathbf{y} + \beta \cdot b$$

$$= \mathbf{x} \cdot \mathbf{y} + (b \cdot \mathbf{x} + a \cdot \mathbf{y} + a \cdot b)(a \cdot \mathbf{x} + b \cdot \mathbf{x} + a \cdot \mathbf{y} + \beta \cdot \mathbf{y} + a \cdot b + \beta \cdot b)$$

$$= \mathbf{x} \cdot \mathbf{y} + (b \cdot \mathbf{x} + a \cdot \mathbf{y} + a \cdot b)((a + b) \cdot \mathbf{x} + (\beta + a) \cdot \mathbf{y} + a \cdot b + \beta \cdot b).$$

Finally,

$$h(\mathbf{x}, \boldsymbol{\upchi}) = f(\mathbf{x}, \boldsymbol{\upchi}) + \mathbf{g}(\mathbf{x}, \boldsymbol{\upchi}) + D\_{(a,b)}f(\mathbf{x}, \boldsymbol{\upchi}) + D\_{(a,b)}[f(\mathbf{x}, \boldsymbol{\upchi})\mathbf{g}(\mathbf{x}, \boldsymbol{\upchi})]$$

$$= \mathbf{x} \cdot \mathbf{y} + (a \cdot \mathbf{x} + \boldsymbol{\upbeta} \cdot \mathbf{y})(b \cdot \mathbf{x} + a \cdot \mathbf{y} + a \cdot b + \mathbf{1}) + (b \cdot \mathbf{x} + a \cdot \mathbf{y} + a \cdot b)(\mathbf{1} + \boldsymbol{\upbeta} \cdot \mathbf{b}).$$

More precisely, it can be illustrated using Example 1.

Implementing Symmetric Cryptography Using Sequence of Semi-Bent Functions DOI: http://dx.doi.org/10.5772/intechopen.85023

Example 3. Let f xð <sup>1</sup>; x2; x3; x4; x5; x6Þ ¼ x1x3x<sup>4</sup> þ x2x3x<sup>4</sup> þ x1x5x<sup>6</sup> þ x2x5x<sup>6</sup> þ x1x<sup>2</sup> þ x3x5þ <sup>x</sup>4x<sup>6</sup> <sup>þ</sup> <sup>x</sup>5x<sup>6</sup> be a bent function of degree 3 over <sup>F</sup><sup>6</sup> <sup>2</sup> . Take a ¼ ð Þ 0; 0; 1; 0; 0; 0 and α ¼ ð Þ 1; 0; 1; 0; 0; 0 such that a � α ¼ 1. Define the function g as g xð Þ¼ f xð Þþ x<sup>1</sup> þ x3: By Example 1 we have

$$h(\mathbf{x}) = \mathbf{x}\_1 \mathbf{x}\_5 \mathbf{x}\_6 + \mathbf{x}\_2 \mathbf{x}\_5 \mathbf{x}\_6 + \mathbf{x}\_1 \mathbf{x}\_2 + \mathbf{x}\_1 \mathbf{x}\_5 + \mathbf{x}\_4 \mathbf{x}\_6 + \mathbf{x}\_5 \mathbf{x}\_6 + \mathbf{x}\_1 + \mathbf{x}\_3 + \mathbf{x}\_5.$$

Moreover, by Theorem 2 h has a single linear structure only for b ¼ a. Indeed,

$$\begin{split} D\_{a}h(\mathbf{x}) &= h(\mathbf{x}) + h(\mathbf{x} + a) \\ &= \mathbf{x}\_{1}\mathbf{x}\_{5}\mathbf{x}\_{6} + \mathbf{x}\_{2}\mathbf{x}\_{5}\mathbf{x}\_{6} + \mathbf{x}\_{1}\mathbf{x}\_{2} + \mathbf{x}\_{1}\mathbf{x}\_{5} + \mathbf{x}\_{4}\mathbf{x}\_{6} + \mathbf{x}\_{5}\mathbf{x}\_{6} + \mathbf{x}\_{1} + \mathbf{x}\_{3} + \mathbf{x}\_{5} \\ &+ \mathbf{x}\_{1}\mathbf{x}\_{5}\mathbf{x}\_{6} + \mathbf{x}\_{2}\mathbf{x}\_{5}\mathbf{x}\_{6} + \mathbf{x}\_{1}\mathbf{x}\_{2} + \mathbf{x}\_{1}\mathbf{x}\_{5} + \mathbf{x}\_{4}\mathbf{x}\_{6} + \mathbf{x}\_{5}\mathbf{x}\_{6} + \mathbf{x}\_{1} + \mathbf{x}\_{3} + \mathbf{1} + \mathbf{x}\_{5} \\ &= \mathbf{1}. \end{split}$$

#### 5. Conclusions

It is obvious that f xð Þ¼ þ a f xð Þ þ b is equivalent to f xð Þ¼ f xð Þ þ a þ b . Thus, the above equation is constant if and only if f xð Þ¼ þ a f xð Þ þ b , which implies that a ¼ b. The sufficiency of this condition is obvious. For the necessity, we first observe that for a 6¼ b the functions f xð Þþ þ a f xð Þ þ b and f xð Þþ f xð Þ þ a þ b being derivatives of a bent function f are both nonconstant. Then, assuming that

DbDaf xð Þ¼ f xð Þþ f xð Þþ þ a f xð Þþ þ b f xð Þ¼ þ a þ b 0,

it would imply that f xð Þþ þ a f xð Þ þ b is constant, a contradiction. On the other hand, the function αxDbDaf xð Þ cannot be balanced, unless DbDaf xð Þ¼ αx. Because of the assumption, degð Þ f xð Þþ þ a f xð Þ þ b >1 and therefore cannot be

to the dependency of h on the choice of a bent function f and the use of the derivative Da½ � f xð Þg xð Þ in its definition, which is illustrated in the following

g xð Þ¼ ; y x � y þ ð Þ� α þ b x þ ð Þ� a þ β y þ a � b,

which is clearly a bent function obtained by adding an affine function to f.

f xð Þþ ; y g xð Þþ ; y Dð Þ <sup>a</sup>;<sup>b</sup> f xð Þ¼ ; y α � x þ β � y:

f xð Þ� ; y g xð Þ¼ ; y ð Þ x � y ð Þ x � y þ ð Þ� α þ b x þ ð Þ� a þ β y þ a � b

Note that the first term is a quadratic function and the second term is cubic.

¼ x � y þ ð Þ α � x þ β � y ðb � x þ a � y þ a � b þ 1Þ þ ð Þ b � x þ a � y þ a � b ð Þ 1 þ β � b :

Dð Þ <sup>a</sup>;<sup>b</sup> ½ f xð Þ ; y g xð Þ ; y � ¼ x � y þ ð Þ b � x þ a � y þ a � b ð1 þ a � b þ α � x þ α � a þ b � x

þa � b þ a � y þ β � y þ β � bÞ

h xð Þ¼ ; y f xð Þþ ; y g xð Þþ ; y Dð Þ <sup>a</sup>;<sup>b</sup> f xð Þþ ; y Dð Þ <sup>a</sup>;<sup>b</sup> ½ � f xð Þ ; y g xð Þ ; y

More precisely, it can be illustrated using Example 1.

¼ ð Þ 1 þ a � b ð Þþ x; y ð Þ ð Þ� α þ b x þ ð Þ� a þ β y ð Þ x � y :

¼ x � y þ ð Þ b � x þ a � y þ a � b ð Þ α � x þ b � x þ a � y þ β � y þ a � b þ β � b ¼ x � y þ ð Þ b � x þ a � y þ a � b ð Þ ð Þ� α þ b x þ ð Þ� β þ a y þ a � b þ β � b :

Example 2. Let <sup>n</sup> be even and f xð Þ¼ ; <sup>y</sup> <sup>x</sup> � <sup>y</sup>, where x, y∈F<sup>k</sup>

belongs to the Maiorana-McFarland class. Then, defining g xð Þ¼ ; <sup>y</sup> f xð Þþ <sup>þ</sup> <sup>a</sup>; <sup>y</sup> <sup>þ</sup> <sup>b</sup> ð Þ� <sup>α</sup>; <sup>β</sup> ð Þ <sup>x</sup>; <sup>y</sup> for a nonzero ð Þ <sup>a</sup>; <sup>b</sup> <sup>∈</sup> <sup>F</sup><sup>k</sup>

Modern Cryptography – Current Challenges and Solutions

Then, using the idempotent property of Boolean ring,

Dð Þ <sup>a</sup>;<sup>b</sup> f xð Þ¼ ; y x � b þ a � y þ a � b, so that

After some simplifications we have

The proof for the case g xð Þ¼ f xð Þþ αx þ d is similar as above, and it is omitted here. q.e.d. Notice the condition in Theorem 3 that degð Þ Dbf xð Þ >1 is sufficient but may not be necessary. An analysis of other cryptographic criteria appears to be difficult due

<sup>2</sup> is a bent function and

<sup>2</sup> such that

<sup>2</sup> � <sup>F</sup><sup>k</sup>

equal to αx.

example.

Similarly,

Finally,

12

ð Þ� α; β ð Þ¼ a; b 1, we have

The need for the most possible secure cryptographic primitives in cipher systems is of great importance. In the case of stream ciphers, most of the reliability and security lies in the Boolean functions. For the cryptographic point of view to be good, a Boolean function should possess several cryptographic properties mentioned in this work. Very often such properties contradict each other. Therefore, the problem of constructing Boolean functions with stronger cryptographic properties is still a vivid research activity. We may also require new properties because attacks never stop. On the other hand, semi-bent functions are interesting for defending against the so-called soft output joint attack on pseudorandom generators, which are used in the IS-95 standard of code division multiple access technology. In this work we present an infinite sequence of semi-bent functions using known classes of quadratic bent functions. The construction of other classes of infinite sequences of semi-bent functions is an interesting research challenge.

#### Acknowledgements

This research was supported by the Slovenian Research Agency (research program P2-0037).

Modern Cryptography – Current Challenges and Solutions

References

1811.07725.pdf

2970-2975

1222-1127

[3] Hunt FH, Smith DH. The construction of orthogonal variable spreading factor codes from semi-bent functions. IEEE Transactions on Wireless Communications. 2012;11(8):

[4] Mesnager S. Bent Functions— Fundamentals and Results. Switzerland: Springer International Publishing; 2016

[5] Massey JL. Shift-register synthesis and BCH decoding. IEEE Transactions on Information Theory. 1969;15(1):

[6] Ronjom S, Helleseth T. A new attack

Transactions on Information Theory.

[7] Andreeva E, Bogdanov A, Mennink B. Towards understanding the knownkey security of block ciphers. In: International Workshop on Fast Software Encryption. Springer; 2013

[8] Liu J, Mesnager S, Chen L. On the nonlinearity of S-boxes and linear codes. Cryptography and Communications.

[10] Tang D, Carlet C, Tang X. Highly nonlinear Boolean functions with

[9] Siegenthaler T. Correlationimmunity of nonlinear combining functions for cryptographic applications. IEEE Transactions on Information Theory. 1984;30:776-780

on the filter generator. IEEE

2007;53(5):1752-1758

2016:345-361

15

ASIACRYPT94. 1994

[1] Chee S, Lee S, Kim K. Semi-bent functions. In: Advances in Cryptology-

DOI: http://dx.doi.org/10.5772/intechopen.85023

Implementing Symmetric Cryptography Using Sequence of Semi-Bent Functions

optimal algebraic immunity and good behavior against fast algebraic attacks. In: Transactions on Information Theory; Institute of Electrical and Electronics

[11] Courtois N, Meier W. Algebraic attacks on stream ciphers with linear feedback. In: EUROCRYPT 2003. LNCS 2656. Springer; 2003. pp. 345-359

[12] Han G, Li X, Zhou Q, Zheng D, Li H. 1-resilient Boolean functions on even variables with almost perfect algebraic immunity. Security and Communication

[13] Li LY, Zhang WG. Construction of resilient Boolean functions with high nonlinearity and good algebraic degree. Security and Communication Networks.

[15] Tarannikov Y. On resilient Boolean functions with maximal possible nonlinearity. In: Indocrypt 2000. LNCS 1977. Springer-Verlag; 2000. pp. 19-30

[16] Pasalic E, Johansson T, Maitra S, Sarkar P. New constructions of resilient and correlation immune Boolean functions achieving upper bounds on nonlinearity. In: Workshop on Coding and Cryptography. Elsevier Science;

[17] Sarkar P, Maitra S. Construction of nonlinear Boolean functions with important cryptographic properties. In: Advances in Cryptology EUROCRYPT 2000. LNCS 1807. Springer-Verlag;

[14] Maitra S, Pasalic E. Further constructions of resilient Boolean functions with very high nonlinearity. IEEE Transactions on Information Theory. 2002;48(7):1825-1834

Engineers. 2013. pp. 653-664

Networks. 2017;2017:9

2015:2909-2916

2001. pp. 425-435

2000. pp. 485-506

[18] Carlet C. On the secondary constructions of resilient and bent

[2] Ding C, Mesnager S, Tang C, Xiong M. Cyclic Bent Functions and their Applications in Codes, Codebooks, Designs, MUBs and Sequences. 2018. Available from: https://arxiv.org/pdf/
