Affine equivalence of cubic homogeneous rotation symmetric functions

Thomas W. Cusick
University at Buffalo, Department of Mathematics,
244 Mathematics Building, Buffalo, NY 14260
Email: cusick@buffalo.edu
Maxwell Bileschi and Daniel Padgett, undergraduate students supported by NSF CSUMS grant 0802994, contributed to this work.
Abstract

Homogeneous rotation symmetric Boolean functions have been extensively studied in recent years because of their applications in cryptography. Little is known about the basic question of when two such functions are affine equivalent. The simplest case of quadratic rotation symmetric functions which are generated by cyclic permutations of the variables in a single monomial was only settled in 2009. This paper studies the much more complicated cubic case for such functions. A new concept of patterns is introduced, by means of which the structure of the smallest group , whose action on the set of all such cubic functions in variables gives the affine equivalence classes for these functions under permutation of the variables, is determined. We conjecture that the equivalence classes are the same if all nonsingular affine transformations, not just permutations, are allowed. Our method gives much more information about the equivalence classes; for example, in this paper we give a complete description of the equivalence classes when is a prime or a power of .

NOTICE: this is the author’s version of a work that was accepted for publication in Information Sciences. Changes resulting from the publishing process, such as peer review, editing, corrections, structural formatting, and other quality control mechanisms may not be reflected in this document. Changes may have been made to this work since it was submitted for publication. A definitive version was subsequently published in Information Sciences 181 (2011), 5067-5083. DOI 10.1016/j.ins.2011.07.002

1 Introduction

Boolean functions have many applications in coding theory and cryptography. A detailed account of the latter applications can be found in the book [2]. If we define to be the vector space of dimension over the finite field , then an variable Boolean function is a map from to . Every Boolean function has a unique polynomial representation (usually called the algebraic normal form [2, p. 6]), and the degree of is the degree of this polynomial. A function of degree is called affine, and if the constant term is 0 such a function is called linear. If every term in the algebraic normal form of has the same degree, then the function is homogeneous. All functions studied in this paper will be homogeneous. We let denote the set of all Boolean functions in variables, with addition and multiplication done mod 2.

If we list the elements of as in lexicographic order, then the -vector is called the truth table of . The weight (also called Hamming weight) of is defined to be the number of 1’s in the truth table for . In many cryptographic uses of Boolean functions, it is important that the truth table of each function has an equal number of 0’s and 1’s; in that case, we say that the function is balanced.

The distance between two Boolean functions and is defined by

where the polynomial addition is done mod 2. An important concept in cryptography is the nonlinearity defined by

We say a Boolean function in is rotation symmetric if the algebraic normal form of the function is unchanged by any cyclic permutation of the variables . In recent years, rotation symmetric functions have proven to be very useful in several areas of cryptography [2, pp. 108 - 118]. This has led to many papers which study different aspects of the theory of rotation symmetric functions (see the references in [2, pp. 108 - 118]; some especially nice applications are in [6]).

We say that two Boolean functions and in are affine equivalent if , where is an by nonsingular matrix over the finite field and is an -vector over . We say is a nonsingular affine transformation of . It is easy to see that if and are affine equivalent, then and . We say that the weight and nonlinearity are affine invariants.

One basic question is to decide when two Boolean functions and in are affine equivalent. This question is nontrivial even for . The next section is devoted to this quadratic case.

2 Affine equivalence of quadratic rotation symmetric Boolean functions

Before turning to the cubic functions, we look at what can be proved in the simpler quadratic case. We shall consider only the simplest quadratic functions , namely those generated by cyclic permutations of the variables in a single monomial. We shall call such functions monomial rotation symmetric functions, or MRS functions, for brevity. Thus any quadratic MRS function in variables can be written as

(1)

for some with , or, in the special case when is even and , as

(2)

This latter function has only terms, whereas the functions in (1) have terms. Because of this, we shall call the function the short quadratic function in variables.

Even in the quadratic case, it is necessary to consider restricted classes of functions, because the affine equivalence problem for general functions is notoriously difficult. Some work on restricted classes of cubic functions is in the papers [1, 5].

The basic theorem on affine equivalence of general quadratic Boolean functions was proved by Dickson; his 1901 book on this and related topics has been reprinted in [4]. A modern exposition of Dickson’s work from a coding theory viewpoint is in [8, pp. 438-442].

Theorem 2.1.

(Dickson) Suppose in has degree 2. If is balanced, then is affine equivalent to for some . If is not balanced, then is affine equivalent to for some and in . If , then . If , then .

Given a function of degree 2, after we find the quadratic form in Theorem 2.1 which is equivalent to (unfortunately to do this is not trivial), it is easy to compute and . The result is

Lemma 2.2.

Suppose in has the form with . Then . If all of the are 0, then ; otherwise , so is balanced.

Proof.

Two different proofs appear in [8, pp. 441-442] and [7, Lemma 5, p. 429].∎

Our next lemma (well-known to experts in this area) follows from Theorem 2.1 and Lemma 2.2.

Lemma 2.3.

Two quadratic functions and in are affine equivalent if and only if and .

Remark 2.4.

For functions of degree , it is not true that the affine invariants weight and nonlinearity suffice to determine the affine equivalence classes. An example is and in . These two functions both have weight and nonlinearity equal to 4, but they are not affine equivalent since they have different degrees.

The weight and nonlinearity of the quadratic MRS functions were determined in [10] and [3, pp. 292-297] (the latter paper supplied proofs for some cases not done in the former paper). A much simpler proof of these results was given by Kim et al. in [7, Lemma 7, p. 430]. Furthermore, in [7, Theorem 8, p. 431] the weight and nonlinearity of all of the MRS functions was determined by using a new method. Their work associates the permutation defined by

(3)

with the function defined in (1). Note that this permutation is just a cyclic shift of the integers . They prove the following theorem which determines the weight and nonlinearity of [7, Theorem 8 and Remark 10, p. 431].

Theorem 2.5.

(Kim et al.) Suppose that the permutation associated with the function , , has the disjoint cycle decomposition . Then the number of cycles is and all the cycles have the same length . Also for we have

For the short quadratic function,

Theorem 2.6.

The quadratic MRS functions and are affine equivalent if and only if .

Proof.

The "if" part follows from Lemma 2.3 and Theorem 2.5. The "only if" part follows since by Lemma 2.3 the hypothesis of affine equivalence implies and . Then by Theorem 2.5 . ∎

Theorem 2.5 shows that it is easy to compute the weight and nonlinearity for any MRS quadratic function . We only need to find the integer . This gives a quick way to find the equivalent form in Theorem 2.1.

We now have enough to prove that in finding a nonsingular affine transformation which maps one quadratic MRS function to another equivalent one, we need only look at permutations of variables, not arbitrary nonsingular affine transformations.

Theorem 2.7.

If two quadratic MRS functions in are affine equivalent, then there is a permutation of the variables which gives the equivalence.

Proof.

We need not consider the short function (2), because it is easy to see that the affine equivalence class for the short function has only one element. Suppose that the two functions and of form (1) are affine equivalent. It follows from Lemma 2.3 that and . Hence Theorem 2.5 implies that ; we let denote this common value. It follows from Theorem 2.5 and the definition (3) of the permutation that the permutations and have cycle decompositions of form

where j = r and s, respectively. We use the notation

for the k cycles in the product.

There are many ways to define a permutation such that . One natural way is to define by taking and (that is, maps the leading term of to the leading term of ). Then we can extend to every entry in the cycle , using the rotation symmetry of the functions, to get

Extending this same pattern to the other cycles , the complete definition of is

(4)

Clearly for and this proves the theorem. ∎

Remark 2.8.

The proof of Theorem 2.7 shows that if and of form (1) are affine equivalent, then we can define a permutation which maps to by choosing to map the pair to the pair in either order, where is any one of the monomials in the representation (1) of . In this case, may map to a cycle whose entries are a permutation of the entries in for some . In the proof of Theorem 2.7, the simplest choice was made.

Example 2.9.

We take and consider and in . These functions are affine equivalent by Theorem 2.6. Following the proof of Theorem 2.7, we can define a natural permutation such that by letting . Completing the definition of using (4) gives

Thus this map maps the two cycles of to the two cycles of .

We can define another permutation such that by letting . Then the method in the proof of Theorem 2.7 gives the full definition of as

In this case maps the cycle in to the cycle in , but maps the cycle in to a cycle in which the order of the integers in the corresponding cycle in is permuted.
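The quadratic machinery of this section as an added worked example in Python (not code from the paper): the monomials of the functions described at (1) and (2), weight and nonlinearity computed from the truth table, the cycle decomposition of the shift attached to each function (assumed here, since (3) did not survive extraction, to be i -> i + r - 1 mod n, the map sending the first subscript of each monomial x_i x_{i+r-1} to the second), and the cycle-matching permutation from the proof of Theorem 2.7 checked against the invariant test of Lemma 2.3. All function names are this example's own.

```python
from itertools import product

def quadratic_mrs(n, r):
    """Monomials {i, i+r-1} (subscripts mod n, taken in 1..n) of the quadratic MRS
    function generated by x_1 x_r. Repeated monomials merge, so for even n and
    r = n/2 + 1 this is the short quadratic function with only n/2 terms."""
    return {frozenset((i, (i + r - 2) % n + 1)) for i in range(1, n + 1)}

def truth_table(n, monomials):
    """Truth table over all 2^n inputs in lexicographic order, entries in GF(2)."""
    return [sum(all(x[i - 1] for i in m) for m in monomials) % 2
            for x in product((0, 1), repeat=n)]

def weight(tt):
    """Hamming weight: the number of 1's in the truth table."""
    return sum(tt)

def nonlinearity(n, tt):
    """Minimum Hamming distance from tt to any of the 2^(n+1) affine functions a.x + c."""
    inputs = list(product((0, 1), repeat=n))
    best = len(tt)
    for a in inputs:
        lin = [sum(ai & xi for ai, xi in zip(a, x)) % 2 for x in inputs]
        for c in (0, 1):
            best = min(best, sum((u ^ c) != v for u, v in zip(lin, tt)))
    return best

def shift_cycles(n, r):
    """Disjoint cycles on {1, ..., n} of the cyclic shift i -> i + r - 1 (mod n), which
    sends the first subscript of each monomial x_i x_{i+r-1} to the second (assumed
    here to be the permutation of (3)); all cycles have the same length."""
    seen, cycles = set(), []
    for start in range(1, n + 1):
        if start not in seen:
            cyc, i = [], start
            while i not in seen:
                seen.add(i)
                cyc.append(i)
                i = (i + r - 2) % n + 1
            cycles.append(cyc)
    return cycles

def cycle_matching_permutation(n, r, s):
    """The permutation pi of the proof of Theorem 2.7: entry t of the j-th cycle of
    rho_r is sent to entry t of the j-th cycle of rho_s. Returns {i: pi(i)}, or None
    when the cycle counts differ (then the functions are not equivalent)."""
    cr, cs = shift_cycles(n, r), shift_cycles(n, s)
    if len(cr) != len(cs):
        return None
    return {a: b for cyc_r, cyc_s in zip(cr, cs) for a, b in zip(cyc_r, cyc_s)}

def apply_permutation(monomials, pi):
    """Monomials of f(pi(x)): x_i is replaced by x_{pi(i)} in every term."""
    return {frozenset(pi[i] for i in m) for m in monomials}

def check_equivalence(n, r, s):
    """(invariants_match, permutation_works): Lemma 2.3's test on weight and
    nonlinearity, and whether pi from Theorem 2.7 carries f_{n,r} onto f_{n,s}."""
    fr, fs = quadratic_mrs(n, r), quadratic_mrs(n, s)
    tr, ts = truth_table(n, fr), truth_table(n, fs)
    same = (weight(tr), nonlinearity(n, tr)) == (weight(ts), nonlinearity(n, ts))
    pi = cycle_matching_permutation(n, r, s)
    return same, pi is not None and apply_permutation(fr, pi) == fs
```

For n = 8, check_equivalence(8, 2, 4) returns (True, True) because both shifts are a single 8-cycle, while check_equivalence(8, 2, 3) returns (False, False) since the shift for r = 3 splits into two 4-cycles; the nonlinearity search is exhaustive, so keep n small.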

Remark 2.10.

It is easy to see that we cannot extend Theorem 2.7 to assert that if two quadratic MRS functions in are affine equivalent, then only permutations will give the equivalence. For example, the function (using the notation (1)) in is affine equivalent to itself by the nonsingular nonpermutation map

under which . If we go up to 8 variables, then we can find an example of a quadratic MRS function which is affine equivalent to a different quadratic MRS function by a nonpermutation map. We can take and define the nonpermutation map by

Now computation gives .

Remark 2.11.

It is also easy to see that there exist affine equivalent quadratic homogeneous functions which cannot be shown to be equivalent by any permutation of variables. We simply drop the hypothesis in Theorem 2.7 that the two functions are rotation symmetric. An example is in and in . These functions are easily seen to be affine equivalent by Theorem 2.1 or Lemma 2.3, but no permutation of variables can give this equivalence, since any permutation applied to a function preserves the number of variables which actually appear in that function.

3 Affine equivalence for cubic rotation symmetric Boolean functions

Almost nothing is in the literature concerning affine equivalence for cubic rotation symmetric Boolean functions. We shall consider the simplest of such functions , namely those generated by cyclic permutations of the variables in a single monomial. These are the cubic monomial rotation symmetric (MRS) functions, in the terminology of Section 2. Thus for some and , , we have

(5)

We shall use the notation for the function in (5), no matter how the terms on the right-hand side are written (so the order of the terms, and of the 3 variables in each term, does not matter). If is written in the form (5) (so the first subscripts in the terms are in order, and the other two subscripts in order each give cyclic permutations of , as shown), we say is written in standard form. Note we do not require , so there are two ways to write in standard form. If we specify the representation of ( or ), then the standard form is unique. Clearly each subscript , , appears in exactly 3 of the terms in any representation of ; we shall call these three terms the -terms of . We shall use the notation

(6)

as shorthand for the monomial on the right-hand side; note that the order of the variables matters, so, for example, the 6 permutations of give 6 different (but equal) representations of form (6) for the same monomial .

If is divisible by 3, then the function is exceptional because then the representation (5) has only distinct terms, because the three -terms for any are all the same, apart from the order of their factors. Thus for the representation (5) reduces to a sum of only terms. Because of this, we shall call the short cubic function in variables.

In order to study the affine equivalence classes for the functions , we need to be able to identify all of the distinct functions . We define

Every cubic monomial rotation symmetric function is equal to exactly one function in , but of course is also equal to , where is either of the other two 1-terms in .

Clearly we can determine by making a list of all of the functions with in lexicographic order and standard form, and then crossing out any function in the list which has a 1-term appearing in any earlier function in the list. The number of distinct functions which remain after this is given in the following lemma (as usual, denotes the number of elements in the set ).

Lemma 3.1.

If , then . Otherwise, .

Proof.

An equivalent formula was first computed by Stănică and Maitra [11, p. 302]. A direct counting proof is also possible. The "extra" function when is the short function , which is the last function produced when is determined by the method above. ∎

We define the notion of pattern for any term . The pattern of is the integer vector

(7)

The semicolons in (7) distinguish a pattern from a function . Throughout the paper the "capital mod" notation means the unique integer in such that . When the modulus is clear, we shall omit the in the notation (7). Every term has 6 patterns , one for each of the orderings of the triple .

Lemma 3.2.

Each function in standard form has a unique pattern , which is the same for all of the terms in the standard form of the function.

Proof.

This is obvious since in the standard form (5) the subscripts in each term are obtained by adding 1 to each of the corresponding subscripts in the preceding term.∎

Lemma 3.3.

Suppose in standard form and are cubic monomial rotation symmetric functions in variables. If for some permutation of the variables, then all of the terms

(8)

can be rearranged to give a standard form of the function . All of these rearranged terms will have the same pattern.

Proof.

We can order the terms in (8), permuting their entries as necessary, to get the function in standard form. Then Lemma 3.3 follows from Lemma 3.2. ∎

We say a permutation of the variables in a cubic function preserves rotation symmetry if, given any cubic MRS function in , is also rotation symmetric. Our next theorem shows that if two cubic MRS functions in are affine equivalent via a permutation of variables which preserves rotation symmetry, then there is a computationally efficient method to find such a permutation, even one with the extra property that the permutation fixes 1. We conjecture that there is no loss of generality in considering only affine maps which are permutations (see Remark 3.9 below). Furthermore, in applications using rotation symmetric functions, functions which do not have rotation symmetry are usually of no interest, so the permutations which preserve rotation symmetry are the only important ones.

Before stating the theorem, it is useful to have a characterization of the permutations which preserve rotation symmetry. The next lemma gives this; note that the characterization is equivalent to (11) in the theorem below. There is no loss of generality in taking in the next lemma and theorem, since the cases for smaller are trivial.
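As an added Python example (not the paper's code), the two constructions defined above: the crossing-out procedure that lists the distinct cubic MRS functions before Lemma 3.1, and the definition of a permutation that preserves rotation symmetry. Since the set and formula (9) did not survive extraction, the code relies only on the textual definitions, finding the rotation-symmetry-preserving permutations by brute force and comparing them with the affine maps i -> a(i-1) + b of the integers mod n with gcd(a, n) = 1, an assumed comparison family (for n = 6 and n = 7 the two sets coincide); all function names are this example's own.

```python
from itertools import permutations
from math import gcd

def cubic_mrs(n, r, s):
    """Monomials x_i x_{i+r-1} x_{i+s-1} (subscripts mod n, taken in 1..n) of the
    cubic MRS function f(x_1 x_r x_s) of (5). Repeated monomials merge, so when
    3 divides n and (r, s) = (n/3 + 1, 2n/3 + 1) this is the short cubic function."""
    return {frozenset((i, (i + r - 2) % n + 1, (i + s - 2) % n + 1))
            for i in range(1, n + 1)}

def distinct_cubic_mrs(n):
    """The distinct cubic MRS functions in n variables, by the procedure of Section 3:
    walk the pairs r < s in lexicographic order and cross out any function that has a
    1-term (a monomial containing x_1) appearing in an earlier function."""
    kept = []
    for r in range(2, n + 1):
        for s in range(r + 1, n + 1):
            f = cubic_mrs(n, r, s)
            one_terms = {m for m in f if 1 in m}
            if not any(one_terms & g for g in kept):
                kept.append(f)
    return kept

def is_rotation_symmetric(n, monomials):
    """True if the monomial set is unchanged by the cyclic shift x_i -> x_{i+1}."""
    return {frozenset(i % n + 1 for i in m) for m in monomials} == monomials

def apply_permutation(monomials, pi):
    """Monomials of f(pi(x)): x_i is replaced by x_{pi(i)} in every term."""
    return {frozenset(pi[i] for i in m) for m in monomials}

def preserves_rotation_symmetry(n, pi, funcs=None):
    """Definition of Section 3: pi preserves rotation symmetry if f(pi(x)) is again
    rotation symmetric for every cubic MRS function f in n variables."""
    funcs = distinct_cubic_mrs(n) if funcs is None else funcs
    return all(is_rotation_symmetric(n, apply_permutation(f, pi)) for f in funcs)

def rs_preserving_permutations(n):
    """Brute force over all n! permutations; each pi is returned as (pi(1), ..., pi(n))."""
    funcs = distinct_cubic_mrs(n)
    return {img for img in permutations(range(1, n + 1))
            if preserves_rotation_symmetry(n, dict(zip(range(1, n + 1), img)), funcs)}

def affine_maps(n):
    """The maps i -> a*(i-1) + b (mod n, taken in 1..n) with gcd(a, n) = 1. These
    clearly preserve rotation symmetry, since they send the subscript triple
    {i, i+r-1, i+s-1} to a translate of {0, a(r-1), a(s-1)}; they serve here only
    as an assumed comparison family, not as the paper's characterization (9)."""
    return {tuple((a * (i - 1) + b - 1) % n + 1 for i in range(1, n + 1))
            for a in range(1, n) if gcd(a, n) == 1 for b in range(1, n + 1)}
```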

Lemma 3.4.

A permutation preserves rotation symmetry for cubic MRS functions in variables if and only if

(9)

Proof.

We note there is no loss of generality in assuming . It is trivial that (9) implies that preserves rotation symmetry; so we assume that preserves rotation symmetry and we shall prove (9). Throughout the proof, will always mean congruence mod .

Suppose . We will write in the standard form which contains the term . Then, by Lemma 3.3, has the same pattern as some rearrangement of and we want to determine the value of x.
We know that there are six possible patterns for the monomial , and these patterns are the six ordered triples in the following list:

  • from

  • from

  • from

  • from

  • from

  • from

The pattern of must be one of these six patterns, and in order to determine we test the six cases in sequence. We have

Pattern of and

Pattern of , where .

For the first case, assume .
Then .
Then should also be This is true, so or is a possibility.
Next assume . Then , which is false.
Next assume . Then , which is false.
Next assume = . Then and so . This can only happen when .
Next assume . Then , so .
    Then, , and .
    Also, , as above. So
    is possible.
Lastly, assume . Then .
    Then,
       and
       Thus
    Then, and
    are consistent, so is a possibility.

Summarizing, we have . We shall prove only the third choice for is valid.

Now we consider these three possible choices for x in the next term in .

First suppose , so we also have from the work above. Then:
Pattern of , where .

First assume . Then .
    Then .
    Then .
Next assume . Then .
    Then .
    Then .
Next assume .
    Then .
    Then .
Next assume . Then , impossible.
Next assume . Then , so , impossible.
Next assume . Then , impossible.

So we cannot get the next term and thus is not a valid choice.

Next suppose , so also from the work above. Then:
Pattern of .

First assume .
Then .
Then, .
Also,
.
, which is true.
So works numerically. However, then .
Next assume . Then , impossible.
Next assume . Then .
    Then .
    Then .
    So .
    Then .
Next assume . Then .
    Then .
    Then .
    So , so .
Next assume . Then , impossible.
Next assume . Then .
    Then , so .
    Then .

So we cannot get the next term and thus is not a valid choice.

Thus the only valid choice is , and so we also have from the work above. Hence for 1 and
We now wish to show by induction that

which will give (9). We already proved this for as a base case.
Assume true for some , and for .
Then and we need to determine the value of .

The pattern for this term is .

First assume the pattern is
So works.
Next assume , then , impossible.
Next assume . Then .
    Then .
    Then , impossible.
Next assume . Clearly true. Then:
        Then .
Next assume . Then , impossible.
Next assume . Then .
    Then
    .

Thus only the first case gives the value of and the proof by induction of (9) is complete. ∎

Theorem 3.5.

Suppose in standard form and are cubic monomial rotation symmetric functions in variables. If for some permutation of the variables which preserves rotation symmetry, then there exists a permutation such that , and , where is one of the three 1-terms in . The pattern of the term in is

(10)

where . Furthermore, satisfies

(11)

Proof.

We may assume without loss of generality that and are in . Suppose . Define the permutation by

Since is a cyclic shift of , we have . Obviously , so we can take . Since and , we must have where ( or ) is one of the three 1-terms in .

Now (11) follows from Lemma 3.4. Next consider the pattern of the term

(12)

By Lemmas 3.3 and 3.4, the term in must have the same pattern as the term in (12), so we have

Similarly, all of the terms in for must satisfy

(13)

Thus is obtained from by adding to each entry in . This is equivalent to (11). Also, this shows (take or , respectively, in (13))

(14)

and

(15)

Subtracting (14) from (15) gives

(16)

Together, (14), (15) and (16) show

that is, the pattern of is (10), as stated in the Theorem.

From (13) and the fact that must take on all values for , we see that